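resources:
  # ===========================================================================
  # Plaintext edge listener (:10000).
  #
  # Only two things are meant to be served without TLS: ACME HTTP-01
  # challenges (forwarded to _acme_renewer) and a redirect of everything else
  # to https. `https_redirect` only rewrites the scheme; this assumes public
  # 80/443 are mapped to 10000/10001 in front of Envoy — if they are not,
  # add `port_redirect: 10001` to the redirect action.
  #
  # SECURITY NOTE: the `video_insecure` virtual host below deliberately
  # proxies video.jerxie.com over plaintext HTTP. Envoy prefers an exact
  # domain match over the "*" catch-all, so the https redirect never applies
  # to that host; anything exchanged with it (including any session cookie the
  # upstream sets) is exposed on the wire. Reduce it to the ACME route once
  # the clients that need plaintext are gone.
  # ===========================================================================
  - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
    name: http_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
      - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                name: ingress_generic_insecure
                virtual_hosts:
                  - name: http_to_https
                    domains: ["*"]
                    routes:
                      - match: { prefix: "/.well-known/acme-challenge" }
                        route: { cluster: _acme_renewer }
                      - match: { prefix: "/" }
                        redirect: { https_redirect: true }
                  # Plaintext exception — see the listener note above.
                  - name: video_insecure
                    domains: ["video.jerxie.com", "video.local:10000"]
                    routes:
                      - match: { prefix: "/.well-known/acme-challenge" }
                        route: { cluster: _acme_renewer }
                      - match: { prefix: "/" }
                        route: { cluster: _nas_video }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  # ===========================================================================
  # TLS edge listener (:10001). One filter chain per hostname, selected by SNI
  # (tls_inspector). There is intentionally no default chain: a ClientHello
  # whose SNI matches none of the `server_names` below is closed, not served.
  #
  # Defaults that are NOT overridden here and that a reviewer should know:
  #   - the minimum TLS version is Envoy's default (TLSv1.2); add
  #     `tls_params: { tls_minimum_protocol_version: TLSv1_3 }` under
  #     common_tls_context on a chain to raise it.
  #   - no `alpn_protocols` are advertised, so downstream connections end up
  #     on HTTP/1.1 even though codec_type is AUTO.
  #   - `use_remote_address` is unset, so client-supplied x-forwarded-for /
  #     x-forwarded-proto headers are passed to upstreams unverified. If this
  #     Envoy is the first hop from the internet, set `use_remote_address:
  #     true` on the connection managers so upstreams that log or rate-limit
  #     by client IP see the real address.
  #
  # Most chains do no authentication at the proxy and rely on the upstream's
  # own login (registry, apiserver, dashboards, password manager, ...). Only
  # code.jerxie.com and printer.jerxie.com enforce OAuth2 + JWT + an e-mail
  # allow-list here; kubernetes.dashboard.jerxie.com enforces OAuth2 only.
  # ===========================================================================
  - "@type": type.googleapis.com/envoy.config.listener.v3.Listener
    name: https_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 10001 }
    listener_filters:
      - name: "envoy.filters.listener.tls_inspector"
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
      # --- home.jerxie.com -> Home Assistant ----------------------------------
      - filter_chain_match:
          server_names: ["home.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/home.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/home.jerxie.com/privkey.pem" }
              # To require client certificates (mTLS) on this host, add
              #   validation_context: { trusted_ca: { filename: /etc/certs/ca_bundle.crt } }
              # here and `require_client_certificate: true` beside common_tls_context.
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              normalize_path: true
              merge_slashes: true
              upgrade_configs:
                - upgrade_type: websocket
              stream_idle_timeout: 300s
              request_timeout: 300s
              route_config:
                virtual_hosts:
                  - name: home_service
                    domains: ["home.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_homeassistant_service" }
                    # The former /printer and /printer/webcam sub-routes
                    # (_3d_printer_console / _3d_printer_camera) are served by
                    # the dedicated printer.jerxie.com chain below.
              http_filters:
                # The Lua filter's logic lives outside this file; review
                # /etc/envoy/filter separately — nothing here constrains it.
                - name: envoy.filters.http.lua
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
                    inline_code: |
                      require "/etc/envoy/filter"
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- docker.jerxie.com -> container registry ----------------------------
      # No auth at the proxy: pushes/pulls are gated only by the registry's
      # own token auth (if any). timeout: 0s disables the route timeout so
      # large layer uploads are not cut off.
      - filter_chain_match:
          server_names: ["docker.jerxie.com", "docker.local"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/docker.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/docker.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: docker_service
                    domains: ["docker.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_docker_registry", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- nas.jerxie.com -> NAS web UI ---------------------------------------
      - filter_chain_match:
          server_names: ["nas.jerxie.com", "nas"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/nas.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/nas.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  # Renamed from the copy-pasted "docker_service" so per-vhost
                  # stats and access logs identify the right service.
                  - name: nas_service
                    domains: ["nas.jerxie.com", "nas:10001"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_nas_service", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- video.jerxie.com -> NAS video (TLS counterpart of video_insecure) --
      - filter_chain_match:
          server_names: ["video.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/video.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/video.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: video_service
                    domains: ["video.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_nas_video", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- plex.jerxie.com -> Plex --------------------------------------------
      - filter_chain_match:
          server_names: ["plex.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/plex.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/plex.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: plex_server
                    domains: ["plex.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_plex_server", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- kubernetes.jerxie.com -> apiserver (/apiserver) and cluster ingress
      # /apiserver is exposed to the internet with NO proxy-side auth; the only
      # gate is the apiserver's own authn/authz, so make sure anonymous auth
      # is off there. normalize_path + merge_slashes keep path tricks such as
      # /apiserver/../x or //apiserver from bypassing the prefix match.
      - filter_chain_match:
          server_names: ["kubernetes.jerxie.com", "kubernetes.local"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/kubernetes.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/kubernetes.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              normalize_path: true
              merge_slashes: true
              route_config:
                virtual_hosts:
                  - name: kubernetes_service
                    domains: ["kubernetes.jerxie.com"]
                    routes:
                      - match: { path: "/apiserver" }
                        route: { prefix_rewrite: "/", cluster: _k8s_apiserver }
                      - match: { prefix: "/apiserver/" }
                        route: { prefix_rewrite: "/", cluster: _k8s_apiserver }
                      - match: { prefix: "/" }
                        route: { cluster: "_k8s_router" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- kubernetes.dashboard.jerxie.com -> dashboard (OAuth2 login) --------
      # The OAuth2 filter only proves the caller has *an* account at
      # auth.jerxie.com; unlike the code/printer chains there is no JWT check
      # or allow-list here, so every IdP user reaches the dashboard. Restrict
      # the `kubernetes-dashboard` client at the IdP, or copy the jwt_authn +
      # Lua allow-list pair from the code.jerxie.com chain.
      - filter_chain_match:
          server_names: ["kubernetes.dashboard.jerxie.com", "kubernetes.dashboard.local"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/kubernetes.dashboard.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/kubernetes.dashboard.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              normalize_path: true
              merge_slashes: true
              route_config:
                virtual_hosts:
                  - name: kubernetes_dashboard_service
                    domains: ["kubernetes.dashboard.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_k8s_router" }
              http_filters:
                # OAuth2 authorization-code login against auth.jerxie.com.
                # The token exchange goes to cluster _auth_server carrying the
                # client secret from token-secret.yaml — that cluster must use
                # TLS (or stay on a trusted host network) or the secret crosses
                # the wire in clear. redirect_uri is fixed to https:// because
                # this chain is TLS-only; building it from x-forwarded-proto
                # (client-controlled while use_remote_address is unset) let a
                # client influence the redirect the IdP is asked to honour.
                - name: envoy.filters.http.oauth2
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
                    config:
                      token_endpoint:
                        cluster: _auth_server
                        uri: auth.jerxie.com/token
                        timeout: 3s
                      authorization_endpoint: https://auth.jerxie.com/auth
                      redirect_uri: "https://%REQ(:authority)%/callback"
                      redirect_path_matcher:
                        path:
                          exact: /callback
                      signout_path:
                        path:
                          exact: /signout
                      forward_bearer_token: true
                      credentials:
                        client_id: kubernetes-dashboard
                        token_secret:
                          name: token
                          sds_config:
                            path: "/etc/envoy/token-secret.yaml"
                        hmac_secret:
                          name: hmac
                          sds_config:
                            path: "/etc/envoy/hmac-secret.yaml"
                      # (Optional): defaults to 'user' scope if not provided
                      auth_scopes:
                        - openid
                        - email
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- blog.jerxie.com -> cluster ingress ---------------------------------
      - filter_chain_match:
          server_names: ["blog.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/blog.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/blog.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: kubernetes_blog_service
                    domains: ["blog.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_k8s_router" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- argocd.jerxie.com -> cluster ingress (Argo CD has its own login) ---
      - filter_chain_match:
          server_names: ["argocd.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/argocd.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/argocd.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  # Renamed from the copy-pasted "kubernetes_blog_service".
                  - name: argocd_service
                    domains: ["argocd.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_k8s_router" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- meet.jerxie.com -> cluster ingress (long-lived websocket media) ----
      # stream_idle_timeout: 0s disables the idle timeout entirely, so a client
      # can hold streams open indefinitely on this host.
      - filter_chain_match:
          server_names: ["meet.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/meet.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/meet.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              stream_idle_timeout: 0s
              normalize_path: true
              merge_slashes: true
              route_config:
                virtual_hosts:
                  - name: meet_service
                    domains: ["meet.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_k8s_router" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- audio.jerxie.com -> NAS audio --------------------------------------
      - filter_chain_match:
          server_names: ["audio.jerxie.com", "audio.local"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/audio.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/audio.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  # Renamed from the copy-pasted "docker_service".
                  - name: audio_service
                    domains: ["audio.jerxie.com", "audio.local"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_nas_audio" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- code.jerxie.com -> code-server (OAuth2 + JWT + e-mail allow-list) --
      # Filter order matters: oauth2 turns the session cookie into a bearer
      # token, jwt_authn verifies it and stores the claims in dynamic
      # metadata, and the Lua filter then allows exactly one account.
      - filter_chain_match:
          server_names: ["code.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/code.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/code.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: code_service
                    domains: ["code.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_code_server" }
              http_filters:
                # OAuth2 authorization-code login against auth.jerxie.com.
                # The token exchange goes to cluster _auth_server carrying the
                # client secret from token-secret.yaml — that cluster must use
                # TLS (or stay on a trusted host network) or the secret crosses
                # the wire in clear. redirect_uri is fixed to https:// because
                # this chain is TLS-only; building it from x-forwarded-proto
                # (client-controlled while use_remote_address is unset) let a
                # client influence the redirect the IdP is asked to honour.
                - name: envoy.filters.http.oauth2
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
                    config:
                      token_endpoint:
                        cluster: _auth_server
                        uri: auth.jerxie.com/token
                        timeout: 3s
                      authorization_endpoint: https://auth.jerxie.com/auth
                      redirect_uri: "https://%REQ(:authority)%/callback"
                      # Forwards the access token as `Authorization: Bearer`
                      # so jwt_authn (and the upstream) can see it.
                      forward_bearer_token: true
                      redirect_path_matcher:
                        path:
                          exact: /callback
                      signout_path:
                        path:
                          exact: /signout
                      credentials:
                        client_id: code-server
                        token_secret:
                          name: token
                          sds_config:
                            path: "/etc/envoy/token-secret.yaml"
                        hmac_secret:
                          name: hmac
                          sds_config:
                            path: "/etc/envoy/hmac-secret.yaml"
                      # (Optional): defaults to 'user' scope if not provided
                      auth_scopes:
                        - openid
                        - email
                # Verifies the forwarded bearer token against the IdP's JWKS.
                # No `issuer` / `audiences` are pinned, so any token signed by
                # a key from /keys is accepted — including one minted for a
                # different client_id at the same IdP.
                # TODO(review): confirm the access token's `aud` claim and pin
                # `audiences: [code-server]` plus `issuer` on this provider.
                - name: envoy.filters.http.jwt_authn
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                    providers:
                      provider1:
                        remote_jwks:
                          http_uri:
                            uri: "https://auth.jerxie.com/keys"
                            cluster: _auth_server
                            timeout: 5s
                          cache_duration: 600s
                        from_headers:
                          - name: Authorization
                            value_prefix: "Bearer "
                        from_cookies:
                          - BearerToken
                        # Claims are exposed to the Lua filter under
                        # envoy.filters.http.jwt_authn -> jwt_payload.
                        payload_in_metadata: jwt_payload
                    rules:
                      - match:
                          prefix: /
                        requires:
                          provider_name: provider1
                # Allow-list on top of jwt_authn. The decision is made in
                # envoy_on_request, *before* the request is proxied: the previous
                # version only cleared cookies in envoy_on_response, by which
                # time the upstream had already served the request to any
                # account the IdP would log in (and a missing `email` claim let
                # the request through unchecked). Per-request state is kept in
                # locals — a Lua global shared between on_request and
                # on_response is also shared across concurrent streams on the
                # same worker.
                - name: envoy.filters.http.lua
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
                    inline_code: |
                      local ALLOWED_EMAIL = "axieyangb@gmail.com"

                      -- Return the verified `email` claim stored by jwt_authn,
                      -- or nil when the metadata or the claim is absent.
                      local function verified_email(handle)
                        local jwt = handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")
                        local payload = jwt and jwt["jwt_payload"]
                        return payload and payload["email"]
                      end

                      function envoy_on_request(request_handle)
                        local email = verified_email(request_handle)
                        if email ~= ALLOWED_EMAIL then
                          request_handle:logWarn("codeserver: rejecting user " .. tostring(email))
                          -- Drop the bearer cookie so the OAuth2 filter forces a
                          -- fresh login instead of replaying this session.
                          request_handle:respond(
                            { [":status"] = "403",
                              ["content-type"] = "text/plain",
                              ["set-cookie"] = "BearerToken=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly" },
                            "Forbidden: this account is not permitted to use this service. Visit /signout to log out.\n")
                          return
                        end
                        request_handle:logInfo("login codeserver: " .. email)
                      end
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- photo.jerxie.com -> NAS photos -------------------------------------
      - filter_chain_match:
          server_names: ["photo.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/photo.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/photo.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: photo_service
                    domains: ["photo.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_nas_photo", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- password.jerxie.com -> Bitwarden -----------------------------------
      # Internet-exposed password vault with no proxy-side auth; its safety
      # rests on the vault's own login and on the TLS settings of this listener.
      - filter_chain_match:
          server_names: ["password.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/password.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/password.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: password_service
                    domains: ["password.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_bitwarden_service" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- gitbucket.jerxie.com -> GitBucket ----------------------------------
      - filter_chain_match:
          server_names: ["gitbucket.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/gitbucket.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/gitbucket.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: gitbucket_service
                    domains: ["gitbucket.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_git_bucket" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- printer.jerxie.com -> OctoPrint + webcam (OAuth2 + JWT + allow-list)
      # Same filter stack as code.jerxie.com. stream_idle_timeout: 0s is
      # needed for the MJPEG/websocket streams but also means no idle limit.
      - filter_chain_match:
          server_names: ["printer.jerxie.com", "printer.local"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/printer.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/printer.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              stream_idle_timeout: 0s
              normalize_path: true
              merge_slashes: true
              route_config:
                virtual_hosts:
                  - name: printer_service
                    domains: ["printer.jerxie.com"]
                    routes:
                      # prefix "/webcam" (no trailing slash) + prefix_rewrite "/"
                      # turns /webcam/x into //x and also matches /webcamfoo;
                      # kept as-is because the camera is only ever fetched at
                      # /webcam itself — TODO confirm before widening it.
                      - match: { prefix: "/webcam" }
                        route: { prefix_rewrite: "/", cluster: "_3d_printer_camera", max_stream_duration: { grpc_timeout_header_max: 0s } }
                      - match: { prefix: "/" }
                        route: { cluster: "_3d_printer_console" }
              http_filters:
                # See the code.jerxie.com chain for the notes on the token
                # endpoint transport and the fixed https:// redirect_uri.
                - name: envoy.filters.http.oauth2
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
                    config:
                      token_endpoint:
                        cluster: _auth_server
                        uri: auth.jerxie.com/token
                        timeout: 3s
                      authorization_endpoint: https://auth.jerxie.com/auth
                      redirect_uri: "https://%REQ(:authority)%/callback"
                      redirect_path_matcher:
                        path:
                          exact: /callback
                      signout_path:
                        path:
                          exact: /signout
                      forward_bearer_token: true
                      credentials:
                        client_id: octoprint-portal
                        token_secret:
                          name: token
                          sds_config:
                            path: "/etc/envoy/token-secret.yaml"
                        hmac_secret:
                          name: hmac
                          sds_config:
                            path: "/etc/envoy/hmac-secret.yaml"
                      # (Optional): defaults to 'user' scope if not provided
                      auth_scopes:
                        - openid
                        - email
                # Bearer header only (the cookie source is intentionally off):
                # the OAuth2 filter above already copies the cookie into the
                # Authorization header. Same missing issuer/audiences caveat as
                # the code.jerxie.com provider.
                - name: envoy.filters.http.jwt_authn
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                    providers:
                      provider1:
                        remote_jwks:
                          http_uri:
                            uri: "https://auth.jerxie.com/keys"
                            cluster: _auth_server
                            timeout: 5s
                          cache_duration: 600s
                        from_headers:
                          - name: Authorization
                            value_prefix: "Bearer "
                        # from_cookies:
                        #   - BearerToken
                        payload_in_metadata: jwt_payload
                    rules:
                      - match:
                          prefix: /
                        requires:
                          provider_name: provider1
                # Allow-list, decided before proxying (see the code.jerxie.com
                # chain for why). Additionally tells the upstream who logged in
                # via ENVOY_AUTHENTICATED_USER; the header is *replaced*, not
                # added, so a value supplied by the client can never reach the
                # upstream alongside (or instead of) the verified one.
                - name: envoy.filters.http.lua
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
                    inline_code: |
                      local ALLOWED_EMAIL = "axieyangb@gmail.com"

                      -- Return the verified `email` claim stored by jwt_authn,
                      -- or nil when the metadata or the claim is absent.
                      local function verified_email(handle)
                        local jwt = handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")
                        local payload = jwt and jwt["jwt_payload"]
                        return payload and payload["email"]
                      end

                      function envoy_on_request(request_handle)
                        local email = verified_email(request_handle)
                        if email ~= ALLOWED_EMAIL then
                          request_handle:logWarn("octoprint: rejecting user " .. tostring(email))
                          request_handle:respond(
                            { [":status"] = "403",
                              ["content-type"] = "text/plain",
                              ["set-cookie"] = "BearerToken=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly" },
                            "Forbidden: this account is not permitted to use this service. Visit /signout to log out.\n")
                          return
                        end
                        request_handle:logInfo("login octoprint: " .. email)
                        -- replace() overwrites any client-supplied copy of the header.
                        request_handle:headers():replace("ENVOY_AUTHENTICATED_USER", email)
                      end
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- camera.jerxie.com -> NAS camera ------------------------------------
      - filter_chain_match:
          server_names: ["camera.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/camera.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/camera.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: camera_service
                    domains: ["camera.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_nas_camera" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- note.jerxie.com -> NAS notes ---------------------------------------
      - filter_chain_match:
          server_names: ["note.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/note.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/note.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              route_config:
                virtual_hosts:
                  - name: note_service
                    domains: ["note.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_nas_note" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- baby.jerxie.com -> Baby Buddy (disabled) ---------------------------
      # - filter_chain_match:
      #     server_names: ["baby.jerxie.com"]
      #   transport_socket:
      #     name: envoy.transport_sockets.tls
      #     typed_config:
      #       "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
      #       common_tls_context:
      #         tls_certificates:
      #           - certificate_chain: { filename: "/etc/certs/downstream/baby.jerxie.com/fullchain.pem" }
      #             private_key: { filename: "/etc/certs/downstream/baby.jerxie.com/privkey.pem" }
      #   filters:
      #     - name: envoy.filters.network.http_connection_manager
      #       typed_config:
      #         "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
      #         stat_prefix: ingress_http
      #         codec_type: AUTO
      #         route_config:
      #           virtual_hosts:
      #             - name: baby_service
      #               domains: ["baby.jerxie.com"]
      #               routes:
      #                 - match: { prefix: "/" }
      #                   route: { cluster: "_baby_buddy" }
      #         http_filters:
      #           - name: envoy.filters.http.router
      #             typed_config:
      #               "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- container.jerxie.com -> Portainer ----------------------------------
      - filter_chain_match:
          server_names: ["container.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/container.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/container.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: container_service
                    domains: ["container.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_portainer_ui" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- grafana.jerxie.com -> Grafana --------------------------------------
      - filter_chain_match:
          server_names: ["grafana.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/grafana.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/grafana.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: grafana_service
                    domains: ["grafana.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_grafana_ui" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- auth.jerxie.com -> identity provider -------------------------------
      # Public face of the IdP that the OAuth2/jwt_authn filters above talk to
      # through the same _auth_server cluster.
      - filter_chain_match:
          server_names: ["auth.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/auth.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/auth.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: auth_service
                    domains: ["auth.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_auth_server" }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- ai.jerxie.com -> AI API (/api) and UI ------------------------------
      # No proxy-side auth and no route timeout on either route; note that
      # prefix "/api" also matches paths such as /apiv2 or /api-docs.
      - filter_chain_match:
          server_names: ["ai.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/ai.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/ai.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: ai_service
                    domains: ["ai.jerxie.com"]
                    routes:
                      - match: { prefix: "/api" }
                        route: { cluster: "_ai_api_server", timeout: 0s }
                      - match: { prefix: "/" }
                        route: { cluster: "_ai_ui_server", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- pcb.jerxie.com -> PCB tool -----------------------------------------
      - filter_chain_match:
          server_names: ["pcb.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/pcb.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/pcb.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: pcb_service
                    domains: ["pcb.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_pcb_server", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      # --- monitor.jerxie.com -> monitoring UI --------------------------------
      - filter_chain_match:
          server_names: ["monitor.jerxie.com"]
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
            common_tls_context:
              tls_certificates:
                - certificate_chain: { filename: "/etc/certs/downstream/monitor.jerxie.com/fullchain.pem" }
                  private_key: { filename: "/etc/certs/downstream/monitor.jerxie.com/privkey.pem" }
        filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              stat_prefix: ingress_http
              codec_type: AUTO
              upgrade_configs:
                - upgrade_type: websocket
              route_config:
                virtual_hosts:
                  - name: monitor_service
                    domains: ["monitor.jerxie.com"]
                    routes:
                      - match: { prefix: "/" }
                        route: { cluster: "_monitor_server", timeout: 0s }
              http_filters:
                - name: envoy.filters.http.router
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router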