This is an example showing how to implement an Envoy External Authorization gRPC Server written in Rust, using the envoy-types crate. If you are working on a more complex implementation including rate-limiting, consider checking out the envoy-extauthz-rust-rate-limit repository.
Here, we create an envoy
service mapped to a localhost port, connected through
internal docker networks to an extauthz
service, and to a nginx
service that
serves plain text.
When envoy
receives a request, it checks its validity through the extauthz
service. If the request is considered valid, it is sent to nginx
,
with any appended headers and query parameters that the extauthz
service
added to it. If not, envoy
sends the extauthz
denied response back to the
client.
To run this example, you must have Docker
installed (with docker compose
).
Instructions can be found here.
The docker-compose
file expects a few env
variables that need to be provided
in order to run its services. An example configuration follows:
DOCKER_REGISTRY=playground.local
# If set to any value, the 'extauthz' server will be compiled in 'release' mode
RELEASE_BUILD=""
EXT_AUTHZ_PORT=50051
NGINX_SERVER_PORT=8080
NGINX_SERVER_NAME=localhost
ENVOY_SERVER_PORT=10000
ENVOY_ADMIN_PORT=9901
# Port on localhost where the requests should be directed to
ENVOY_EXTERNAL_PORT=3000
Create a .env
file in the repo directory with the values above.
Build and run envoy
and the services it depends on.
$ docker compose up -d --build envoy
Check with docker ps
if the three containers are running, and if the port
10000 of the envoy container is mapped to the localhost port 3000, as expected
from the example environment configuration.
Requests containing an "Authorization
" header with value "Bearer valid-token
"
will be considered valid and, therefore, will reach the nginx
service. Other
requests will be blocked.
Making a valid request:
$ curl http://localhost:3000 -H "Authorization: Bearer valid-token"
DATA FROM NGINX SERVER
Making an invalid request:
$ curl http://localhost:3000
FORBIDDEN
Check if the headers and query parameters added by the extauthz
service indeed
reached the nginx
service.
$ docker compose logs nginx
The valid request log should be similar to:
...
extauthz-rust.nginx | 192.168.128.3 - - [01/Dec/2024:14:32:29 +0000] "GET /?extauthz-query-param=extauthz-query-value HTTP/1.1" 200 22 "-" "curl/8.7.1" "192.168.65.1" "extauthz-value"
This project is licensed under the MIT License.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, shall be licensed as MIT, without any additional terms or conditions.