The Build Security Developer Hub

Welcome to the Build Security Developer Hub. Here you will find comprehensive guides and documentation to help you work with Build Security as quickly as possible, as well as support if you get stuck. Let's jump right in!


Envoy Proxy Plugin

Intro

Envoy is an open-source edge and service proxy, designed for cloud-native applications.

When a request comes to the Envoy proxy, it delegates the request's metadata (name and description) and payload to an external engine (PDP) which is responsible for deciding whether to allow or deny the request reaching upstream.

The following sequence diagram describes the full authorization request flow using Envoy, as mentioned above:

Full request flow using Envoy

📘

Additional information

For more information on the external authorization filter (a.k.a. ext_authz), see the Envoy documentation.

Envoy HTTP Filter Configuration

  • Open the envoy.yaml file.
  • Navigate to: filter_chains > filters > http_filters.
  • Add a new ext_authz filter to the http_filters list, or create the http_filters list with it if this is the first filter.

Configuration Example:
The comments in the YAML file below mark the start and end of the HTTP filter section that needs to be configured. In this example, Envoy forwards requests to Google and uses the build.security PDP as an external authorization server.

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite: www.google.com
                  cluster: service_google
          # The relevant part for configuration in YAML
          http_filters:
          - name: envoy.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
              with_request_body:
                max_request_bytes: 8192
                allow_partial_message: false
              failure_mode_allow: false
              grpc_service:
                google_grpc:
                  # next line is a placeholder for the PDP address
                  target_uri: <EXT_AUTHZ_TARGET_URI>
                  stat_prefix: ext_authz
                timeout: 120s
          # End of the relevant part for configuration in YAML
          - name: envoy.filters.http.router
            typed_config: {}
  clusters:
  - name: service_google
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_google
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.google.com
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext
        sni: www.google.com

🚧

Remember

To enable the Envoy proxy to reach the external authorization server, replace the <EXT_AUTHZ_TARGET_URI> placeholder with the address of your PDP.

Note: The gRPC port that the PDP listens on is 9191. For example: "10.10.0.1:9191"
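A small static check for the ext_authz section is useful before restarting Envoy, because the three settings that matter for security (the placeholder target_uri, failure_mode_allow and with_request_body) fail silently when wrong: a left-in placeholder or failure_mode_allow: true simply means requests reach upstream without a PDP decision. The script below is an added example and not part of the build.security plugin or of Envoy; it walks the parsed listener config along the path listeners > filter_chains > filters > http_filters described above and reports findings. EXAMPLE_CONFIG is the parsed form of the guide's envoy.yaml, trimmed to the fields the checks look at; on a real file you would obtain the same structure with yaml.safe_load (PyYAML, assumed to be installed). The expected PDP port 9191 is taken from the note above; the function names are this example's own.

```python
"""Static sanity checks for the ext_authz filter in an Envoy config (added example)."""
import copy

PLACEHOLDER = "<EXT_AUTHZ_TARGET_URI>"
PDP_GRPC_PORT = 9191  # gRPC port the PDP listens on, per the guide's note

# Parsed form of the guide's envoy.yaml, reduced to the fields the checks use.
# For a real file: config = yaml.safe_load(open("envoy.yaml")) (PyYAML assumed).
EXAMPLE_CONFIG = {
    "static_resources": {
        "listeners": [{
            "name": "listener_0",
            "filter_chains": [{
                "filters": [{
                    "name": "envoy.filters.network.http_connection_manager",
                    "typed_config": {
                        "http_filters": [
                            {"name": "envoy.ext_authz",
                             "typed_config": {
                                 "with_request_body": {"max_request_bytes": 8192,
                                                       "allow_partial_message": False},
                                 "failure_mode_allow": False,
                                 "grpc_service": {
                                     "google_grpc": {"target_uri": PLACEHOLDER,
                                                     "stat_prefix": "ext_authz"},
                                     "timeout": "120s"}}},
                            {"name": "envoy.filters.http.router", "typed_config": {}},
                        ]}}]}]}]}}


def http_filter_lists(config):
    """Yield (listener name, http_filters list) for every HTTP connection manager."""
    for listener in config.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                http_filters = net_filter.get("typed_config", {}).get("http_filters")
                if http_filters is not None:
                    yield listener.get("name", "?"), http_filters


def check_ext_authz(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for listener, filters in http_filter_lists(config):
        names = [f.get("name") for f in filters]
        if "envoy.ext_authz" not in names:
            findings.append(f"{listener}: no ext_authz filter, requests reach upstream unchecked")
            continue
        authz_pos = names.index("envoy.ext_authz")
        # HTTP filters run in list order and the router is terminal, so ext_authz must precede it.
        if "envoy.filters.http.router" in names and authz_pos > names.index("envoy.filters.http.router"):
            findings.append(f"{listener}: ext_authz is listed after the router filter and will never run")
        tc = filters[authz_pos].get("typed_config", {})
        # failure_mode_allow: true lets requests through whenever the PDP is unreachable or times out.
        if tc.get("failure_mode_allow", False):
            findings.append(f"{listener}: failure_mode_allow is true, requests are allowed when the PDP fails")
        body = tc.get("with_request_body")
        if body is None:
            findings.append(f"{listener}: with_request_body not set, the PDP will not see the payload")
        elif body.get("allow_partial_message"):
            findings.append(f"{listener}: allow_partial_message is true, the PDP may decide on a truncated body")
        grpc = tc.get("grpc_service", {})
        uri = grpc.get("google_grpc", {}).get("target_uri", "")
        if not uri or uri == PLACEHOLDER:
            findings.append(f"{listener}: target_uri still holds the placeholder, no PDP is configured")
        else:
            host, _, port = uri.rpartition(":")
            if not host or not port.isdigit():
                findings.append(f"{listener}: target_uri {uri!r} is not of the form host:port")
            elif int(port) != PDP_GRPC_PORT:
                findings.append(f"{listener}: target_uri port {port} differs from the PDP gRPC port {PDP_GRPC_PORT}")
        if "timeout" not in grpc:
            findings.append(f"{listener}: grpc_service.timeout not set")
    return findings


def with_target(config, target_uri):
    """Return a deep copy of config with the PDP address filled into every ext_authz filter."""
    cfg = copy.deepcopy(config)
    for _, filters in http_filter_lists(cfg):
        for f in filters:
            if f.get("name") == "envoy.ext_authz":
                f["typed_config"]["grpc_service"]["google_grpc"]["target_uri"] = target_uri
    return cfg


if __name__ == "__main__":
    for finding in check_ext_authz(EXAMPLE_CONFIG) or ["ok: no findings"]:
        print(finding)
    for finding in check_ext_authz(with_target(EXAMPLE_CONFIG, "10.10.0.1:9191")) or ["ok: no findings"]:
        print(finding)
```

Run against the guide's configuration as published, the only finding is the unreplaced placeholder; once the PDP address is filled in (for example "10.10.0.1:9191"), the check passes. Keep failure_mode_allow at false in production: flipping it to true turns a PDP outage into an authorization bypass, which is exactly the condition the check flags.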

📘

Additional information

For more information on Envoy, see the Envoy documentation, or contact us at [email protected]
