This is an example showing how to implement an Envoy External Authorization gRPC Server written in Rust. If you are working on a more complex implementation including rate-limiting, consider checking out the envoy-extauthz-rust-rate-limit repository.
Here, we create an envoy service mapped to a localhost port, connected through
internal docker networks to an extauthz service, and to a nginx service that
serves plain text.
When envoy receives a request, it checks its validity through the extauthz
service. If the request is considered valid, it is sent to nginx,
with any appended headers and query parameters that the extauthz service
added to it. If not, envoy sends the extauthz denied response back to the
client.
To run this example, you must have Docker installed (with docker compose).
Instructions can be found here.
The docker-compose file expects a few env variables that need to be provided
in order to run its services. An example configuration follows:
DOCKER_REGISTRY=playground.local
# If set to any value, the 'extauthz' server will be compiled in 'release' mode
RELEASE_BUILD=""
EXT_AUTHZ_PORT=50051
NGINX_SERVER_PORT=8080
NGINX_SERVER_NAME=localhost
ENVOY_SERVER_PORT=10000
ENVOY_ADMIN_PORT=9901
# Port on localhost where the requests should be directed to
ENVOY_EXTERNAL_PORT=3000Create a .env file in the repo directory with the values above.
Build and run envoy and the services it depends on.
$ docker compose up -d --build envoyCheck with docker ps if the three containers are running, and if the port
10000 of the envoy container is mapped to the localhost port 3000, as expected
from the example environment configuration.
Requests containing an "Authorization" header with value "Bearer valid-token"
will be considered valid and, therefore, will reach the nginx service. Other
requests will be blocked.
Making a valid request:
$ curl http://localhost:3000 -H "Authorization: Bearer valid-token"
DATA FROM NGINX SERVERMaking an invalid request:
$ curl http://localhost:3000
FORBIDDENCheck if the headers and query parameters added by the extauthz service indeed
reached the nginx service.
$ docker compose logs nginxThe valid request log should be similar to:
...
extauthz-rust.nginx | 192.168.128.3 - - [01/Feb/2024:14:32:29 +0000] "GET /?extauthz-query-param=extauthz-query-value HTTP/1.1" 200 22 "-" "curl/8.4.0" "192.168.65.1" "extauthz-value"
This project is licensed under the MIT License.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, shall be licensed as MIT, without any additional terms or conditions.