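# Envoy front proxy for the Fleetspeak "https header" sandbox.
#
# Security model of this listener:
#   * TLS is terminated here and a client certificate is REQUIRED at the
#     handshake (`require_client_certificate: true`).
#   * The certificate CHAIN is deliberately not validated by Envoy
#     (`trust_chain_verification: ACCEPT_UNTRUSTED`): Fleetspeak clients use
#     self-signed certificates, and the client identity is the SHA-256 digest
#     of the presented certificate, which the Lua filter below forwards to the
#     upstream in the `x-client-cert-hash` header.
#   * Because the upstream trusts that header, the upstream must only be
#     reachable through this proxy; a client that could reach it directly
#     could choose its own identity. Verify this holds for any deployment
#     derived from this sandbox.
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: AUTO
          stat_prefix: ingress_http
          proxy_100_continue: true
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
              # Sandbox-level verbosity: the full peer certificate
              # (%DOWNSTREAM_PEER_CERT%) is written to stdout for every request.
              # Outside a sandbox, logging only the fingerprint is usually enough.
              log_format: {
                "text_format": "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" PFP: \"%DOWNSTREAM_PEER_FINGERPRINT_256%\" CERT: \"%DOWNSTREAM_PEER_CERT%\" TLS \"%DOWNSTREAM_TLS_VERSION%\" Issuer \"%DOWNSTREAM_PEER_ISSUER%\"\n"
              }
          route_config:
            name: local_route
            virtual_hosts:
            - name: app
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: fleetspeak-server
                  # 0s disables both timeouts; presumably needed for the
                  # long-lived client connections Fleetspeak keeps open.
                  timeout: 0s
                  idle_timeout: 0s
          http_filters:
          - name: envoy.filters.http.lua
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
              inlineCode: |

                -- Decode a hex string (as returned by sha256PeerCertificateDigest)
                -- into the raw bytes it represents.
                function string.fromhex(str)
                  return (str:gsub('..', function (cc)
                    return string.char(tonumber(cc, 16))
                  end))
                end

                -- Strip trailing base64 padding ('=') so the forwarded digest is
                -- unpadded base64. Returns nil for a nil input.
                local rtrim = function(str)
                  if str == nil then
                    return
                  end
                  str = string.gsub(str, "=+$", '')
                  return str
                end

                -- Per-request hook: derive the client identity from the presented
                -- client certificate and forward it as x-client-cert-hash.
                function envoy_on_request(request_handle)
                  local stream = request_handle:streamInfo()
                  local headers = request_handle:headers()
                  if stream:downstreamSslConnection():peerCertificatePresented() then
                    local peerCertificate = stream:downstreamSslConnection():urlEncodedPemEncodedPeerCertificate()
                    request_handle:logInfo("Peer Certificate: "..peerCertificate)

                    local peerDigest = stream:downstreamSslConnection():sha256PeerCertificateDigest()
                    request_handle:logInfo("Peer Digest: "..peerDigest)

                    local base64Encoded = rtrim(request_handle:base64Escape(peerDigest:fromhex()))
                    request_handle:logInfo("Peer base64: "..base64Encoded)
                    -- replace(), not add(): any x-client-cert-hash value the client
                    -- sent itself must be discarded, otherwise the upstream could
                    -- see a client-chosen identity alongside the real one.
                    headers:replace("x-client-cert-hash", base64Encoded)
                  else
                    -- Defence in depth: require_client_certificate on the
                    -- transport socket already rejects such handshakes.
                    request_handle:respond({[":status"] = "403"},"mTLS Required")
                  end
                end
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Handshakes without a client certificate are rejected at the TLS layer.
          require_client_certificate: true
          common_tls_context:
            validation_context:
              # Chain verification is skipped on purpose: clients present
              # self-signed certificates and are identified by certificate
              # digest (see the Lua filter above), not by a CA.
              trust_chain_verification: ACCEPT_UNTRUSTED
            tls_certificates:
            # The listener expects its server certificate pair to be mounted at
            # /etc/cert.pem and /etc/key.pem. A self-signed pair suitable for a
            # sandbox can be generated with, for example:
            # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'
            #
            # Instead of a filename, the certificate pair can also be fed to Envoy
            # as an inline_string. Reference: https://envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-datasource.
            #
            # Or in a dynamic configuration scenario, the certificate pair can be fetched remotely via
            # Secret Discovery Service (SDS). Reference: https://envoyproxy.io/docs/envoy/latest/configuration/security/secret.
            - certificate_chain:
                filename: /etc/cert.pem
              private_key:
                filename: /etc/key.pem

  clusters:
  - name: fleetspeak-server
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: fleetspeak-server
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: fleetspeak-server
                port_value: 9090
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        # No validation_context is configured, so the upstream server's
        # certificate is NOT verified by this proxy. Acceptable for a
        # sandbox; a real deployment should add a validation_context
        # (trusted_ca and, ideally, an expected SAN) for the upstream.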