envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

starttls should set ssl info for other filters #24082

Open jteplitz opened 1 year ago

jteplitz commented 1 year ago

Title: starttls should set the ssl info (such as enabled, SNI, etc.) so that downstream filters can use it

Description:

I'm currently using the postgres proxy filter with ssl termination via starttls. This works really well for ssl connections, but I also want to disable cleartext connections. Since postgres connections start in cleartext and upgrade to tls, I can't just use a filter_chain_match for this. It would be really nice to be able to do something like this to confirm that a TLS handshake for "my-database-server" occurred before forwarding any traffic to the database cluster:

      listener_filters:
        - name: envoy.filters.listener.tls_inspector
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
      filter_chains:
        - filters:
            - name: envoy.filters.network.postgres_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
                stat_prefix: postgres
                terminate_ssl: true
            # Intended to drop any connection that did not complete a TLS handshake for the expected server name
            - name: envoy.filters.network.rbac
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
                stat_prefix: sql_rbac
                rules:
                  action: ALLOW
                  policies:
                    "sni":
                      permissions:
                        - requested_server_name:
                            exact: "my-database-server"
                      principals:
                        - any: true
            - name: envoy.filters.network.tcp_proxy
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
                stat_prefix: destination
                cluster: my-db-cluster
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog

          # starttls keeps the connection in cleartext until the Postgres SSLRequest arrives, then upgrades to TLS
          transport_socket:
            name: envoy.transport_sockets.starttls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
              tls_socket_config:

But this doesn't work because the starttls filter does not set the server name on the connection. As far as I can tell, it doesn't set any connection state or dynamic metadata based on the connection's TLS properties.
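Whatever mechanism ends up carrying the TLS state to RBAC, the property the issue wants is testable from outside: a client that sends the Postgres StartupMessage in cleartext, without the SSLRequest that triggers the starttls upgrade, must not reach the database. The probe below is an added example, not code from the issue or from Envoy; the host, port and verdict labels are assumptions, and the wire-format constants come from the PostgreSQL frontend/backend protocol.

```python
import socket
import struct

# PostgreSQL wire-protocol constants (from the PostgreSQL frontend/backend protocol).
SSL_REQUEST_CODE = (1234 << 16) | 5679  # 80877103: the SSLRequest magic number
PROTOCOL_V3 = (3 << 16) | 0             # StartupMessage protocol version 3.0

def ssl_request() -> bytes:
    """SSLRequest: int32 length (8) + int32 code, sent in cleartext. The server
    answers 'S' (upgrade to TLS now) or 'N' (stay cleartext); this is the
    message that makes a starttls transport socket switch to TLS."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)

def startup_message(params: dict) -> bytes:
    """StartupMessage: int32 length, int32 version, NUL-separated key/value
    strings, final NUL. Sent without a preceding SSLRequest, this is the
    cleartext connection the issue wants to refuse."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items())
    body += b"\0"
    return struct.pack("!ii", 8 + len(body), PROTOCOL_V3) + body

def classify_first_byte(tag: bytes) -> str:
    """Map the first byte the peer sends back (or EOF) to a policy verdict (assumed labels)."""
    if tag == b"":
        return "rejected"              # connection closed: cleartext was not forwarded
    if tag == b"R":
        return "cleartext-forwarded"   # AuthenticationRequest: a Postgres backend answered
    if tag == b"E":
        return "error-response"        # ErrorResponse from proxy or backend; inspect it
    return "unexpected:" + tag.hex()

def probe_cleartext_policy(sock: socket.socket) -> str:
    """Send a cleartext StartupMessage on an already-connected socket and classify
    the outcome; a reset or timeout also counts as rejected."""
    try:
        sock.sendall(startup_message({"user": "probe", "database": "postgres"}))
        return classify_first_byte(sock.recv(1))
    except (ConnectionError, socket.timeout):
        return "rejected"

def check_listener(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to the Envoy listener (assumed host/port) and run the probe."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return probe_cleartext_policy(sock)
```

Run `check_listener` against the listener after each config change; anything other than "rejected" means a cleartext startup got past the filter chain and the tcp_proxy access log should show the connection.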

yanavlasov commented 1 year ago

The Postgres filter needs to be enhanced to set metadata that RBAC can match on.