-
Notifications
You must be signed in to change notification settings - Fork 281
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proxy: Wildcard Virtual Hosts #1677
Comments
@travisgroth Wildcards in the |
I currently have a use-case for this. Want to experiment with using pomerium as an identity aware network access tool. User would hit pomerium at the front, authenticate / authorize, and then be allowed to multiple (changing) subdomains. Without wildcards I may have to find another solution that fits well but I can understand from a zero-trust perspective how wildcards aren't exactly the best approach. I was previously using NginxProxyManager to control those changing subdomains / services and was hoping to continue using it, except with the added security provided by pomerium (in the cases that services don't provide their own auth). |
We could support wildcards but not like some of the examples given above. We are limited to what Envoy supports:
|
@calebdoxsey The quoted part with partial wildcards is not something I made up, but rather a part of the Envoy v2 documentation. The link to the relevant Envoy doc from the original post is dead, here's the new link for Envoy v3 (see description of the Judging by this doc, Envoy does support partial wildcards. |
Any update? |
I ended up using https://oauth2-proxy.github.io/oauth2-proxy/ instead. It supports wildcards. |
I could see this more as a regex type thing
Then you could manage 2 routes with restrictions without having to add/remove as dev systems came up/down. I'm actually looking at doing something like this for a limited access network that currently access is dynamically managed for ssh/rdp/https via custom code rewriting firewall rules. So something like this would be pretty big. |
Is your feature request related to a problem? Please describe.
I would love to be able to use wildcards in
from
argument to have one policy cover a bunch of internal services at once.Going in working with Pomerium, I intuitively assumed that there should be wildcards, as wildcard certificates are mentioned, but it turned out there aren't any.
Describe the solution you'd like
Envoy's wildcard syntax looks exactly like what I was looking for. It's also pretty close to what we have in nginx/HAProxy/Caddy, so that makes it familiar.
https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route_components.proto#route-virtualhost
Describe alternatives you've considered, Explain any additional use-cases
My use case involves spinning up a lot of subdomains for development API and web page testing.
A similar issue is described in #659 and there was proposed a solution to use config templates.
I've tested a hacky solution based on restarting Pomerium on config changes with some success, but there are a few problems with it:
Fair warning! If you use the snippet below, make sure to sanitize your config data or better yet DON'T accept user data here.
Pomerium allows routing to external URLs, and bad things could happen here through crafty string manipulation.
Additional context
For some reason right now policies with subdomains containing asterisks return 403 for me (not 404).
That might give an indication of what's happening inside.
The text was updated successfully, but these errors were encountered: