Istio EnvoyFilter Lua HttpCall doesn't work with HTTPS?

Question. Votes: 0, Answers: 3

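I need to decrypt the request body in an external API. However, when I try to do this with Lua in an EnvoyFilter, it doesn't work. If I use the same code I posted here but without HTTPS, it works. But with HTTPS it returns 503.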

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: eva-decrypt-filter
  namespace: istio-system
spec:
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: ANY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.lua
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
            inlineCode: |
              function envoy_on_request(request_handle)
               local buffered = request_handle:body()
               local bodyString = tostring(buffered:getBytes(0, buffered:length()))
               print("bodyString ->")
               print(bodyString)
               if string.match(bodyString, "valcirtest") then
                print("iniciando http_Call")
                local responseHeaders, responseBody = request_handle:httpCall(
                  "thirdparty",
                  {
                   [":method"] = "POST",
                   [":path"] = "/decrypt",
                   [":authority"] = "keycloack-dev-admin.eva.bot",
                   [":scheme"] = "https",
                   ["content-type"] = "application/json",
                   ["content-length"] = bodyString:len(),
                  },
                  bodyString,
                  3000)
                print("acabou a requisicao")
                print("responseHeaders -> ")
                print(responseHeaders)
                print(responseHeaders[":status"])
                print("responseBody -> ")
                print(responseBody)
                local content_length = request_handle:body():setBytes(responseBody)
                request_handle:headers():replace("content-length", content_length)
               else
                print("nao entrou")
               end
              end
    - applyTo: CLUSTER
      match:
        context: SIDECAR_OUTBOUND
      patch:
        operation: ADD
        value: # cluster specification
          name: thirdparty
          connect_timeout: 1.0s
          type: STRICT_DNS
          dns_lookup_family: V4_ONLY
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: thirdparty
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          protocol: TCP
                          address: keycloack-dev-admin.eva.bot
                          port_value: 443

The response error is:

503
responseBody ->
upstream connect error or disconnect/reset before headers. reset reason: connection termination

I am using Istio v.1.11.4.

https lua istio envoyproxy
3 Answers
1 vote

It should be configured on your "thirdparty" cluster, by adding the following to the cluster configuration:

transport_socket:
  name: envoy.transport_sockets.tls

0 votes

To add to @koffi-kodjo's answer, you also need to specify the typed_config attribute. The transport_socket node should be placed at the same level as the name: thirdparty node.

        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config: 
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext

Reference:


0 votes

You can do it like this.


kind: ServiceEntry
apiVersion: networking.istio.io/v1beta1
metadata:
  name: externalhttps-se
  namespace: istio-system
spec:
  hosts:
    - externalhttps.domain.com
  ports:
    - number: 443
      protocol: HTTPS
      name: http
      targetPort: 443
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: externalhttps-dr
  namespace: istio-system
spec:
  host: externalhttps.domain.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE
        sni: externalhttps.domain.com
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: externalhttps-ef
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: curity-ingress
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: INSERT_BEFORE
      value: 
       name: envoy.filters.http.lua
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          defaultSourceCode:
            inlineString: |
              function envoy_on_request(request_handle)

                local resp_headers, resp_body = request_handle:httpCall(
                  "outbound|443||externalhttps.domain.com", 
                  {
                    [":method"] = "GET",
                    [":path"] = "/",
                    [":authority"] = "externalhttps.domain.com"
                  }, 
                  nil,
                  5000)
                
              end
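
For the transport_socket approach from the first two answers, here is the question's CLUSTER patch with TLS origination filled in, as an added example that is not part of any of the posts above. The resource name and the CA bundle path are assumptions. It goes beyond the answers by also setting SNI and validating the upstream certificate, because the `[":scheme"] = "https"` header in the Lua call does not enable TLS and an empty UpstreamTlsContext encrypts without verifying the peer.

```yaml
# Added example, not from the original post: the question's "thirdparty"
# cluster with upstream TLS origination, SNI and certificate validation.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: eva-decrypt-cluster-tls   # hypothetical name
  namespace: istio-system
spec:
  configPatches:
    - applyTo: CLUSTER
      match:
        context: SIDECAR_OUTBOUND
      patch:
        operation: ADD
        value:
          name: thirdparty
          connect_timeout: 1.0s
          type: STRICT_DNS
          dns_lookup_family: V4_ONLY
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: thirdparty
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          protocol: TCP
                          address: keycloack-dev-admin.eva.bot
                          port_value: 443
          # Without a TLS transport socket Envoy sends plaintext HTTP to port 443.
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              # SNI is not derived from the :authority header; set it explicitly.
              sni: keycloack-dev-admin.eva.bot
              common_tls_context:
                # With no validation_context the upstream certificate is
                # accepted without verification.
                validation_context:
                  trusted_ca:
                    # Assumed CA bundle path inside the proxy container.
                    filename: /etc/ssl/certs/ca-certificates.crt
                  match_subject_alt_names:
                    - exact: keycloack-dev-admin.eva.bot
```

On newer Envoy releases `match_subject_alt_names` is deprecated in favour of `match_typed_subject_alt_names`.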
