Issues accessing the SNI (server name) from the TLS inspector within External Authorization CheckRequest #34002
Labels: area/ext_authz, area/tls_sni, question
Title: Access the SNI (server name) from the TLS inspector within External Authorization CheckRequest
Description:
We make use of External Authorization as both a network and HTTP filter. In both cases we set the `include_tls_session` value to true. The documentation states:

When `include_tls_session` is set to `true` one would expect that `service.auth.v3.AttributeContext.TLSSession` is set. I have ensured that https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/tls_inspector is set and can confirm that in all cases `%REQUESTED_SERVER_NAME%` is populated in the logs. I am using the SNI dynamic forward proxy to route the traffic based on the SNI.

Is there possibly an issue with the SNI being sent to External Authorization when using the TLS Inspector? Is there another way I can access the SNI if this manner isn't working properly? Perhaps through some form of metadata that comes across in the `CheckRequest`.

Note, I have built the authorization endpoint with gRPC using https://github.com/envoyproxy/go-control-plane, i.e. handling the requests with `Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error)`.

Relevant Links:
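The network-filter setup described in the question, written out as a listener fragment for reproducing it. This is an added example, not the reporter's configuration or the Envoy project's own: the listener, cluster and DNS cache names are assumptions, TLS is assumed to pass through unterminated, and the two referenced clusters are assumed to be defined elsewhere in the bootstrap.

```yaml
# Added example (constructed); every name below is an assumption.
static_resources:
  listeners:
  - name: sni_passthrough_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    listener_filters:
    # Reads the ClientHello so the SNI is known before a filter chain runs.
    - name: envoy.filters.listener.tls_inspector
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filters:
      # Authorization runs first, so a denied connection is never forwarded.
      - name: envoy.filters.network.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
          stat_prefix: ext_authz
          transport_api_version: V3
          include_tls_session: true
          grpc_service:
            envoy_grpc: { cluster_name: ext_authz_cluster }
      # Resolves the upstream host from the SNI; cache name must match the cluster's.
      - name: envoy.filters.network.sni_dynamic_forward_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.sni_dynamic_forward_proxy.v3.FilterConfig
          port_value: 443
          dns_cache_config:
            name: dynamic_forward_proxy_cache_config
            dns_lookup_family: V4_ONLY
      - name: envoy.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: dynamic_forward_proxy_cluster
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              log_format:
                text_format_source:
                  inline_string: "sni=%REQUESTED_SERVER_NAME%\n"
```

Comparing the `sni=` access-log line with the `attributes.tls_session` field logged by the `Check` handler for the same connection shows whether the SNI reaches the authorization service.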