/envoy/verify-params-header can cause infinite auth loop

Thanks for this project! It’s super useful.

We got really stuck for a little while in an infinite auth loop when trying to use this from an envoy ext_authz filter (similar to your examples: istio example, https://github.com/travisghansen/external-auth-server/issues/23#issuecomment-522617850 ).

The ultimate fix ended up being to set pathPrefix to /envoy/verify-params-header/anythingherewillwork. That makes it correctly match the express route: https://github.com/travisghansen/external-auth-server/blob/154218a725e716642af0607eb47597d40b1c2737/src/server.js#L425 (in fact, in hindsight even just an extra / on the path will work)

I’m not sure what made those previous examples work with just /envoy/verify-params-header, maybe something automatically appended to the paths?

I think a good change to make this easier to use, would be to update the route to just /envoy/verify-params-header, but I’m not sure if that’s how you intended it to be used.

Here’s the full filter we ended up with, in case it’s useful:

http_filters:
- name: envoy.ext_authz
  config:
    # Deny when the auth server is unreachable or errors (false is also the
    # default; it is set explicitly so a later edit cannot silently fail open).
    failure_mode_allow: false
    http_service:
      # Envoy prepends this to the original request path when building the check request.
      path_prefix: /envoy/verify-params-header/anythingherewillwork
      authorization_request:
        # Only these client request headers are forwarded to the auth server.
        allowed_headers:
          patterns:
          - exact: cookie
          - exact: X-Forwarded-Host
          - exact: X-Forwarded-Method
          - exact: X-Forwarded-Proto
          - exact: X-Forwarded-Uri
        # Extra headers added to the check request only.
        headers_to_add:
        - key: "x-eas-verify-params"
          value: '{"config_token_store_id": "env_token_store", "config_token_id": "token_id_1"}'
      server_uri:
        uri: http://external-auth-server.internal-service.svc.cluster.local
        cluster: ext-authz
        timeout: 10s
    # These two are fields of the ext_authz filter itself, not of http_service:
    # the status returned to the client when the check fails, and how much of
    # the request body is buffered and sent along with the check request.
    status_on_error:
      code: Forbidden
    with_request_body:
      allow_partial_message: true
      max_request_bytes: 4096
- name: envoy.router
  typed_config: {}

This works excellent for us with OIDC and GCP Identity Platform! 🎉

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 25 (22 by maintainers)

Top GitHub Comments

travisghansen commented, Oct 29, 2019 (2 reactions)

Just released v0.6.0, closing.

travisghansen commented, Oct 13, 2019 (0 reactions)

I went ahead and removed the conditional in next branch. Try it out and let me know what you get this time. I can’t think of any situation where we’d not want the correct value based on envoy behavior/spec even if it’s been set erroneously/incompletely upstream.

The conditional may not be the issue at all but we’ll try it out and see what we get.
