rbac HTTP filter with metadata principal provided by jwt_authn HTTP filter is not working on HTTP CONNECT request #34988

Closed
ShotaKitazawa opened this issue Jul 1, 2024 · 2 comments

Comments

ShotaKitazawa commented Jul 1, 2024

Title: rbac HTTP filter with metadata principal provided by jwt_authn HTTP filter is not working on HTTP CONNECT request

Description:

I would like to use envoy to achieve the following

  • HTTP forwarding proxy with CONNECT method (RFC7231: 4.3.6. CONNECT)
  • Authorization for the payload of JWT granted in the Authorization header of the requests to proxy (RFC7523)

I tried to compare the value of the JWT payload using the metadata principal of the RBAC filter to satisfy the above. (ref. #7913)
However, only when connecting to envoy with the CONNECT method, the dynamicMetadata does not contain the jwt payload and the authorization by the RBAC filter fails.

Repro steps:

When I send a request with an Authorization header and the CONNECT method (= target server listens on HTTPS) to envoy, which runs as an HTTP forwarding proxy, envoy rejects the request.

$ curl -x http://${PROXY_HOSTNAME}:10000/ --proxy-header "Authorization: Bearer $JWT" https://google.com
curl: (56) CONNECT tunnel failed, response 403

Note that when I send a request with an Authorization header and the GET method (= target server listens on HTTP) to envoy, which runs as an HTTP forwarding proxy, envoy forwards the request as intended.

$ curl -x http://${PROXY_HOSTNAME}:10000/ --proxy-header "Authorization: Bearer $JWT" http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

Admin and Stats Output:

I omitted it because I thought it isn't necessary. Please let me know if you need it.

Config:

The following values are masked:

  • <AUDIENCE_NAME>
  • <SUBJECT_NAME>

admin:
  access_log_path: /tmp/admin_access.log
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9902

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: forward_proxy
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              # in case that target server listens HTTPS
              - match: {connect_matcher: {}}
                route:
                  cluster: destination_https
                  upgrade_configs:
                  - upgrade_type: CONNECT
                    connect_config: {}
              # in case that target server listens HTTP
              - match: {prefix: "/"}
                route:
                  cluster: destination_http
                  upgrade_configs:
                  - upgrade_type: CONNECT
                    connect_config: {}

          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                provider1:
                  payload_in_metadata: payload
                  remote_jwks:
                    http_uri:
                      uri: http://localhost:4443
                      cluster: jwks_cluster
                      timeout: 3s
                    cache_duration:
                      seconds: 300
              rules:
              - match:
                  prefix: "/"
                requires:
                  provider_name: provider1
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              rules:
                action: ALLOW
                policies:
                  "jwt":
                    permissions:
                    - any: true
                    principals:
                      and_ids:
                        ids:
                        - metadata:
                            filter: envoy.filters.http.jwt_authn
                            path:
                              - key: payload
                              - key: aud
                            value:
                              string_match:
                                exact: "<AUDIENCE_NAME>"
                        - metadata:
                            filter: envoy.filters.http.jwt_authn
                            path:
                              - key: payload
                              - key: sub
                            value:
                              string_match:
                                exact: "<SUBJECT_NAME>"
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
  - name: destination_https
    connect_timeout: 3s
    type: STRICT_DNS
    dns_lookup_family: V4_ONLY
    dns_refresh_rate: 60s
    load_assignment:
      cluster_name: destination
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: google.com
                port_value: 443
  - name: destination_http
    connect_timeout: 3s
    type: STRICT_DNS
    dns_lookup_family: V4_ONLY
    dns_refresh_rate: 60s
    load_assignment:
      cluster_name: destination
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: google.com
                port_value: 80
  - name: jwks_cluster
    connect_timeout: 3s
    type: STATIC
    load_assignment:
      cluster_name: jwks_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 4443

Logs:

The following values are masked:

  • <JWT>
  • <AUDIENCE_NAME>
  • <ISSUER_URL>
  • <JWT_ID>
  • <SUBJECT_NAME>

In case the target server listens on HTTPS, the request from the client was rejected.

[2024-07-01 04:11:05.661][22][debug][conn_handler] [source/common/listener_manager/active_tcp_listener.cc:160] [Tags: "ConnectionId":"1"] new connection from 127.0.0.1:36618
[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:398] [Tags: "ConnectionId":"1"] new stream
[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1147] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] request headers complete (end_stream=false):
':authority', 'google.com:443'
':method', 'CONNECT'
'user-agent', 'curl/7.52.0'
'proxy-connection', 'Keep-Alive'
'authorization', 'Bearer <JWT>'

[2024-07-01 04:11:05.661][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"1"] current connecting state: false
[2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:159] Called Filter : setDecoderFilterCallbacks
[2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:53] Called Filter : decodeHeaders
[2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: OK
[2024-07-01 04:11:05.661][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:131] checking request: requestedServerName: , sourceIP: 127.0.0.1:36618, directRemoteIP: 127.0.0.1:36618, remoteIP: 127.0.0.1:36618,localAddress: 127.0.0.1:10000, ssl: none, headers: ':authority', 'google.com:443'
':method', 'CONNECT'
':scheme', 'http'
'user-agent', 'curl/7.52.0'
'authorization', 'Bearer <JWT>'
'x-forwarded-proto', 'http'
'x-request-id', '0819640b-0861-4f90-bf5c-5c892ca64e9e'
, dynamicMetadata:
[2024-07-01 04:11:05.661][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:185] enforced denied, matched policy none
[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/filter_manager.cc:1027] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] Preparing local reply with details rbac_access_denied_matched_policy[none]
[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/filter_manager.cc:1069] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] Executing sending local reply.
[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1838] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'date', 'Mon, 01 Jul 2024 04:11:05 GMT'
'server', 'envoy'
'connection', 'close'

[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1950] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] Codec completed encoding stream.
[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:252] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] doEndStream() resetting stream
[2024-07-01 04:11:05.661][22][debug][http] [source/common/http/conn_manager_impl.cc:1907] [Tags: "ConnectionId":"1","StreamId":"6514682289527550448"] stream reset: reset reason: local reset, response details: -
[2024-07-01 04:11:05.661][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:46] Called Filter : onDestroy
[2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl.cc:149] [Tags: "ConnectionId":"1"] closing data_to_write=162 type=2
[2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl_base.cc:53] [Tags: "ConnectionId":"1"] setting delayed close timer with timeout 1000 ms
[2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl.cc:149] [Tags: "ConnectionId":"1"] closing data_to_write=162 type=2
[2024-07-01 04:11:05.661][22][debug][connection] [source/common/network/connection_impl.cc:793] [Tags: "ConnectionId":"1"] write flush complete
[2024-07-01 04:11:05.662][22][debug][connection] [source/common/network/connection_impl.cc:793] [Tags: "ConnectionId":"1"] write flush complete

In case the target server listens on HTTP, the request from the client succeeded.

[2024-07-01 03:03:41.525][22][debug][conn_handler] [source/common/listener_manager/active_tcp_listener.cc:160] [Tags: "ConnectionId":"4"] new connection from 127.0.0.1:60228
[2024-07-01 03:03:41.525][22][debug][http] [source/common/http/conn_manager_impl.cc:398] [Tags: "ConnectionId":"4"] new stream
[2024-07-01 03:03:41.525][22][debug][http] [source/common/http/conn_manager_impl.cc:1147] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] request headers complete (end_stream=true):
':authority', 'google.com'
':scheme', 'http'
':path', '/'
':method', 'GET'
'user-agent', 'curl/7.52.0'
'accept', '*/*'
'proxy-connection', 'Keep-Alive'
'authorization', 'Bearer <JWT>'

[2024-07-01 03:03:41.525][22][debug][http] [source/common/http/conn_manager_impl.cc:1130] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] request end stream
[2024-07-01 03:03:41.525][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"4"] current connecting state: false
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:159] Called Filter : setDecoderFilterCallbacks
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:53] Called Filter : decodeHeaders
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/matcher.cc:73] Prefix requirement '/' matched.
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/extractor.cc:255] extract authorizationBearer
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:163] provider1: JWT authentication starts (allow_failed=false), tokens size=1
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:174] provider1: startVerify: tokens size 1
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:192] provider1: Parse Jwt <JWT>
[2024-07-01 03:03:41.525][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:203] provider1: Verifying JWT token of issuer https://apj.zts.athenz.yahoo.co.jp:4443/zts/v1
[2024-07-01 03:03:41.525][22][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:60] fetch pubkey from [uri = http://localhost:4443]: start
[2024-07-01 03:03:41.526][22][debug][router] [source/common/router/router.cc:515] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] cluster 'jwks_cluster' match for URL '/'
[2024-07-01 03:03:41.526][22][debug][router] [source/common/router/router.cc:738] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] router decoding headers:
':path', '/'
':authority', 'localhost:4443'
':method', 'GET'
':scheme', 'http'
'x-envoy-internal', 'true'
'x-forwarded-for', '192.168.0.1'
'x-envoy-expected-rq-timeout-ms', '3000'

[2024-07-01 03:03:41.526][22][debug][pool] [source/common/http/conn_pool_base.cc:78] queueing stream due to no available connections (ready=0 busy=0 connecting=0)
[2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:291] trying to create new connection
[2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:145] creating a new connection (connecting=0)
[2024-07-01 03:03:41.526][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"5"] current connecting state: true
[2024-07-01 03:03:41.526][22][debug][client] [source/common/http/codec_client.cc:57] [Tags: "ConnectionId":"5"] connecting
[2024-07-01 03:03:41.526][22][debug][connection] [source/common/network/connection_impl.cc:1021] [Tags: "ConnectionId":"5"] connecting to 127.0.0.1:4443
[2024-07-01 03:03:41.526][22][debug][connection] [source/common/network/connection_impl.cc:1040] [Tags: "ConnectionId":"5"] connection in progress
[2024-07-01 03:03:41.526][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:97] Called Filter : decodeHeaders Stop
[2024-07-01 03:03:41.526][22][debug][connection] [source/common/network/connection_impl.cc:751] [Tags: "ConnectionId":"5"] connected
[2024-07-01 03:03:41.526][22][debug][client] [source/common/http/codec_client.cc:88] [Tags: "ConnectionId":"5"] connected
[2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:328] [Tags: "ConnectionId":"5"] attaching to next stream
[2024-07-01 03:03:41.526][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:182] [Tags: "ConnectionId":"5"] creating stream
[2024-07-01 03:03:41.526][22][debug][router] [source/common/router/upstream_request.cc:588] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] pool ready
[2024-07-01 03:03:41.526][22][debug][client] [source/common/http/codec_client.cc:142] [Tags: "ConnectionId":"5"] encode complete
[2024-07-01 03:03:41.610][22][debug][router] [source/common/router/router.cc:1529] [Tags: "ConnectionId":"0","StreamId":"759015519637044975"] upstream headers complete: end_stream=false
[2024-07-01 03:03:41.611][22][debug][http] [source/common/http/async_client_impl.cc:129] async http request response headers (end_stream=false):
':status', '200'
'content-length', '1806'
'content-type', 'application/json'
'date', 'Mon, 01 Jul 2024 03:03:41 GMT'
'x-envoy-upstream-service-time', '84'

[2024-07-01 03:03:41.611][22][debug][client] [source/common/http/codec_client.cc:129] [Tags: "ConnectionId":"5"] response complete
[2024-07-01 03:03:41.611][22][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:85] onSuccess: fetch pubkey [uri = http://localhost:4443]: success
[2024-07-01 03:03:41.611][22][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:91] onSuccess: fetch pubkey [uri = http://localhost:4443]: succeeded
[2024-07-01 03:03:41.611][22][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:448] provider1: JWT token verification completed with: OK
[2024-07-01 03:03:41.611][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: OK
[2024-07-01 03:03:41.611][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:131] checking request: requestedServerName: , sourceIP: 127.0.0.1:60228, directRemoteIP: 127.0.0.1:60228, remoteIP: 127.0.0.1:60228,localAddress: 127.0.0.1:10000, ssl: none, headers: ':authority', 'google.com'
':scheme', 'http'
':path', '/'
':method', 'GET'
'user-agent', 'curl/7.52.0'
'accept', '*/*'
'x-forwarded-proto', 'http'
'x-request-id', '6fa6b59e-d4fd-4b2c-aa8a-93313448fb55'
, dynamicMetadata: filter_metadata {
  key: "envoy.filters.http.jwt_authn"
  value {
    fields {
      key: "payload"
      value {
        struct_value {
          fields {
            key: "aud"
            value {
              string_value: "<AUDIENCE_NAME>"
            }
          }
          fields {
            key: "exp"
            value {
              number_value: 1719813855
            }
          }
          fields {
            key: "iat"
            value {
              number_value: 1719799455
            }
          }
          fields {
            key: "iss"
            value {
              string_value: "<ISSUER_URL>"
            }
          }
          fields {
            key: "jti"
            value {
              string_value: "<JWT_ID>"
            }
          }
          fields {
            key: "sub"
            value {
              string_value: "<SUBJECT_NAME>"
            }
          }
        }
      }
    }
  }
}

[2024-07-01 03:03:41.611][22][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:178] enforced allowed, matched policy jwt
[2024-07-01 03:03:41.611][22][debug][router] [source/common/router/router.cc:515] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] cluster 'destination_http' match for URL '/'
[2024-07-01 03:03:41.611][22][debug][router] [source/common/router/router.cc:738] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] router decoding headers:
':authority', 'google.com'
':scheme', 'http'
':path', '/'
':method', 'GET'
'user-agent', 'curl/7.52.0'
'accept', '*/*'
'x-forwarded-proto', 'http'
'x-request-id', '6fa6b59e-d4fd-4b2c-aa8a-93313448fb55'
'x-envoy-expected-rq-timeout-ms', '15000'

[2024-07-01 03:03:41.611][22][debug][pool] [source/common/http/conn_pool_base.cc:78] queueing stream due to no available connections (ready=0 busy=0 connecting=0)
[2024-07-01 03:03:41.611][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:291] trying to create new connection
[2024-07-01 03:03:41.611][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:145] creating a new connection (connecting=0)
[2024-07-01 03:03:41.611][22][debug][connection] [./source/common/network/connection_impl.h:98] [Tags: "ConnectionId":"6"] current connecting state: true
[2024-07-01 03:03:41.611][22][debug][client] [source/common/http/codec_client.cc:57] [Tags: "ConnectionId":"6"] connecting
[2024-07-01 03:03:41.611][22][debug][connection] [source/common/network/connection_impl.cc:1021] [Tags: "ConnectionId":"6"] connecting to 142.251.42.174:80
[2024-07-01 03:03:41.611][22][debug][connection] [source/common/network/connection_impl.cc:1040] [Tags: "ConnectionId":"6"] connection in progress
[2024-07-01 03:03:41.611][22][debug][pool] [source/common/http/http1/conn_pool.cc:53] [Tags: "ConnectionId":"5"] response complete
[2024-07-01 03:03:41.611][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:215] [Tags: "ConnectionId":"5"] destroying stream: 0 remaining
[2024-07-01 03:03:41.613][22][debug][connection] [source/common/network/connection_impl.cc:751] [Tags: "ConnectionId":"6"] connected
[2024-07-01 03:03:41.613][22][debug][client] [source/common/http/codec_client.cc:88] [Tags: "ConnectionId":"6"] connected
[2024-07-01 03:03:41.613][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:328] [Tags: "ConnectionId":"6"] attaching to next stream
[2024-07-01 03:03:41.613][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:182] [Tags: "ConnectionId":"6"] creating stream
[2024-07-01 03:03:41.613][22][debug][router] [source/common/router/upstream_request.cc:588] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] pool ready
[2024-07-01 03:03:41.613][22][debug][client] [source/common/http/codec_client.cc:142] [Tags: "ConnectionId":"6"] encode complete
[2024-07-01 03:03:41.658][22][debug][router] [source/common/router/router.cc:1529] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] upstream headers complete: end_stream=false
[2024-07-01 03:03:41.658][22][debug][http] [source/common/http/conn_manager_impl.cc:1838] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] encoding headers via codec (end_stream=false):
':status', '301'
'location', 'http://www.google.com/'
'content-type', 'text/html; charset=UTF-8'
'content-security-policy-report-only', 'object-src 'none';base-uri 'self';script-src 'nonce-MHTAL8RQHAKCMw3ImZNLfg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp'
'date', 'Mon, 01 Jul 2024 03:03:41 GMT'
'expires', 'Wed, 31 Jul 2024 03:03:41 GMT'
'cache-control', 'public, max-age=2592000'
'server', 'envoy'
'content-length', '219'
'x-xss-protection', '0'
'x-frame-options', 'SAMEORIGIN'
'x-envoy-upstream-service-time', '46'

[2024-07-01 03:03:41.658][22][debug][client] [source/common/http/codec_client.cc:129] [Tags: "ConnectionId":"6"] response complete
[2024-07-01 03:03:41.658][22][debug][http] [source/common/http/conn_manager_impl.cc:1950] [Tags: "ConnectionId":"4","StreamId":"1679668414112132079"] Codec completed encoding stream.
[2024-07-01 03:03:41.658][22][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:46] Called Filter : onDestroy
[2024-07-01 03:03:41.658][22][debug][pool] [source/common/http/http1/conn_pool.cc:53] [Tags: "ConnectionId":"6"] response complete
[2024-07-01 03:03:41.658][22][debug][pool] [source/common/conn_pool/conn_pool_base.cc:215] [Tags: "ConnectionId":"6"] destroying stream: 0 remaining
[2024-07-01 03:03:41.658][22][debug][connection] [source/common/network/connection_impl.cc:719] [Tags: "ConnectionId":"4"] remote close
[2024-07-01 03:03:41.658][22][debug][connection] [source/common/network/connection_impl.cc:281] [Tags: "ConnectionId":"4"] closing socket: 0
[2024-07-01 03:03:41.658][22][debug][conn_handler] [source/common/listener_manager/active_stream_listener_base.cc:136] [Tags: "ConnectionId":"4"] adding to cleanup list
@ShotaKitazawa ShotaKitazawa added bug triage Issue requires triage labels Jul 1, 2024
Member

htuch commented Jul 1, 2024

@yangminzhu @yanavlasov

@htuch htuch added area/jwt_authn area/rbac and removed triage Issue requires triage labels Jul 1, 2024
Author

ShotaKitazawa commented Jul 16, 2024

Self-resolved.
I specified connect_matcher: {} as the matcher in the JWT HTTP filter, and then the JWT value was contained in dynamicMetadata when I requested with the CONNECT method. (ref. #13064)

            http_filters:
            - name: envoy.filters.http.jwt_authn
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                providers:
                  provider1:
                    payload_in_metadata: payload
                    remote_jwks:
                      http_uri:
                        uri: http://localhost:4443
                        cluster: jwks_cluster
                        timeout: 3s
                      cache_duration:
                        seconds: 300
                rules:
                - match:
-                   prefix: "/"
+                   connect_matcher: {}
                  requires:
                    provider_name: provider1
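Review bot: the `-`/`+` pair replaces the `prefix: "/"` rule instead of adding `connect_matcher: {}` beside it, so after this change no jwt_authn rule matches plain GET requests (the HTTP case that worked in the original report): those requests pass jwt_authn without verification and, because no `payload` metadata is written, the ALLOW-only RBAC policy denies them just as it denied the CONNECT request in the first log. Keep both rules so both proxy paths are authenticated: add `- match: {connect_matcher: {}}` with `requires: {provider_name: provider1}` ahead of the existing `prefix: "/"` rule rather than replacing it.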
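The http_filters block with both matchers, as an added example rather than the reporter's own config: it keeps the connect_matcher rule for CONNECT tunnels (which carry no :path, as the first log shows, so a prefix rule never matches them) and the prefix rule for plain HTTP forward-proxy requests, and pairs them with the RBAC metadata principal from the original config. Provider name, JWKS URI and cluster names are taken from the issue; the issuer, audience and subject values are placeholders, and the `issuer`/`audiences` provider fields are an assumption added here so that iss and aud are enforced at verification time instead of only in RBAC.

```yaml
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      provider1:
        issuer: "<ISSUER_URL>"            # placeholder: only tokens from this iss are accepted
        audiences: ["<AUDIENCE_NAME>"]    # placeholder: tokens minted for another aud are rejected
        payload_in_metadata: payload      # verified claims land under envoy.filters.http.jwt_authn
        remote_jwks:
          http_uri:
            uri: http://localhost:4443
            cluster: jwks_cluster
            timeout: 3s
          cache_duration:
            seconds: 300
    rules:
    # CONNECT requests have :authority but no :path, so prefix: "/" never matches them;
    # without this rule they would skip JWT verification and reach RBAC with empty metadata.
    - match: {connect_matcher: {}}
      requires: {provider_name: provider1}
    # Plain-HTTP forward-proxy requests (GET http://host/...) still need the prefix rule.
    - match: {prefix: "/"}
      requires: {provider_name: provider1}
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW                       # anything that matches no policy is denied
      policies:
        "jwt":
          permissions:
          - any: true
          principals:
          # aud is already pinned by the provider above; sub is checked from the metadata payload.
          - metadata:
              filter: envoy.filters.http.jwt_authn
              path: [{key: payload}, {key: sub}]
              value: {string_match: {exact: "<SUBJECT_NAME>"}}
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

With both rules in place, the CONNECT log should show the same populated dynamicMetadata block that the GET log shows, and the RBAC filter should log "enforced allowed, matched policy jwt" for both.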
