Istio Ingress 针对指定 Host 设定 HTTP Basic 认证

By | 2 2 月, 2025
50 Comments

针对一些没有认证又需要开放到公网的服务,可以在 Istio Ingress 的请求过程中增加一个 Lua 脚本来进行简单的认证流程。

下面的 Basic xxxx 替换成实际的用户名密码(base64(username:password)),host:find(“xxxx.xxx.com”) 替换成实际需要增加认证的 Host 域名:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: istio-basic-auth-lua
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: ANY
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.lua
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inline_code: |
            function envoy_on_request(request_handle)
              local host = request_handle:headers():get("host")
              if host and host:find("xxxx.xxx.com") then
                local auth = request_handle:headers():get("authorization")
                local expected_auth = "Basic xxxx"
                if auth == nil or auth ~= expected_auth then
                  request_handle:respond(
                    {
                      [":status"] = "401",
                      ["www-authenticate"] = 'Basic realm="Restricted"'
                    },
                    "Unauthorized"
                  )
                end
              end
            end

50 thoughts on “Istio Ingress 针对指定 Host 设定 HTTP Basic 认证

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注