envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Make `ext_authz` failure-mode-allow header configurable #28387

Open jbohanon opened 1 year ago

jbohanon commented 1 year ago

Title: Make ext_authz failure-mode-allow header configurable

Description:


ext_authz failure-mode-allow header leaks implementation to potentially untrusted upstreams. It is perhaps unadvisable to use ext_authz with untrusted upstreams, and failure-mode-allow can be disabled.

The addition of the `x-envoy-auth-failure-mode-allowed` header leaks auth implementation and/or security details to potentially untrusted upstreams.

The feature was added in https://github.com/envoyproxy/envoy/pull/26326. A decision was made to not make this permanently configurable here. No method of removing this header is provided without adding a sanitizing filter after all extauth filters.

Reproduction: Run envoy with an ext_authz pointing to a non-existent endpoint and hit an echo server to see the headers received by the upstream when a failure occurs in authz.

Script must be run on Linux and requires node installed on $PATH. Change the envoy download path and/or use docker if desired. Any echo upstream can be used; a node server was provided for completeness.

run-script.sh

```bash
#!/bin/bash
# Add envoy config yaml
cat > ./envoy.yaml <<EOF
# (envoy.yaml body not preserved in this copy of the issue)
EOF
# Add the echo upstream
cat > ./node-server.js <<'EOF'
let http = require("http")
let host = '0.0.0.0'
let port = 4000
let server = http.createServer((req, res) => {
  res.writeHead(200)
  res.end(JSON.stringify(req.headers))
})
server.listen(port, host, () => {
  console.log(`Server is running on http://${host}:${port}`)
})
EOF
# Get envoy 1.26.2
curl -LO "https://github.com/envoyproxy/envoy/releases/download/v1.26.2/envoy-x86_64"
mv envoy-x86_64 envoy
chmod +x envoy
# Run our test upstream
node node-server.js &
NODE_SERVER_PID=$!
# Run envoy
./envoy --config-path ./envoy.yaml --log-level debug 1>./envoy.log 2>&1 &
# Wait for envoy to initialize
echo "waiting 2 seconds for Envoy to initialize"
sleep 2
# Make a request to see the echoed headers
curl http://localhost:8082/ -v
# Kill envoy
curl -X 'POST' http://localhost:19000/quitquitquit
# Kill node script
kill $NODE_SERVER_PID
```

From the output of this script we can see the header is received by the upstream: `x-envoy-auth-failure-mode-allowed: true`

Relevant Links:


Implementing PR: https://github.com/envoyproxy/envoy/pull/26326

Comment where the decision was made to not make this permanently configurable: https://github.com/envoyproxy/envoy/pull/26326#issuecomment-1492817386

jbohanon commented 1 year ago

cc @StarryVae as original implementer cc @wbpcode as commenter suggesting not gating behind API

wbpcode commented 1 year ago

If there is actually concern about the security, then it's OK with me to add an optional bool to disable the header adding. And before the API is added, you can still disable the adding with the runtime flag `envoy.reloadable_features.http_ext_auth_failure_mode_allow_header_add`. Thanks.
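As an added example (not code from the issue or from the Envoy project), the following is a minimal Envoy static config that reproduces the behaviour reported in the issue body and applies the runtime flag mentioned in the comment above. The ports, cluster names and the unreachable authz address are assumptions chosen to line up with the reproduction script (listener 8082, echo upstream 4000, admin 19000); the header name and the runtime key are the ones quoted in this thread. With `failure_mode_allow: true` and the flag at its default of `true`, a request through the listener reaches the echo server carrying `x-envoy-auth-failure-mode-allowed: true`; flipping the flag to `false` suppresses the header without any change to the filter config.

```yaml
# Added example config, not from the issue. Assumed ports/cluster names match run-script.sh.
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 19000 }

layered_runtime:
  layers:
  - name: static_layer_0
    static_layer:
      # Mitigation from the thread: this defaults to true. Set it to false to stop
      # the ext_authz filter adding x-envoy-auth-failure-mode-allowed on fail-open.
      envoy.reloadable_features.http_ext_auth_failure_mode_allow_header_add: false

static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8082 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: echo
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: echo_upstream }
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              # Fail open: when the authz service cannot be reached the request is
              # still forwarded to the upstream instead of being rejected.
              failure_mode_allow: true
              grpc_service:
                envoy_grpc:
                  cluster_name: ext_authz_unreachable
                timeout: 0.5s
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
  - name: echo_upstream
    type: STATIC
    load_assignment:
      cluster_name: echo_upstream
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 4000 }

  - name: ext_authz_unreachable
    type: STATIC
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ext_authz_unreachable
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              # Assumed: nothing listens here, so every check errors and fail-open applies.
              socket_address: { address: 127.0.0.1, port_value: 9999 }
```

To reproduce the leak as described in the issue, set the runtime key to `true` (or drop the `layered_runtime` block, since that is the default) and inspect the JSON the echo server returns; with it at `false` the upstream sees no `x-envoy-auth-failure-mode-allowed` header even though the request was still allowed through on authz failure. A runtime flag is only an interim control, which is the reason the thread asks for a per-filter API option.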

StarryVae commented 1 year ago

Sorry for the delay, I will fix it soon.