As the title says, I would like an HTTP filter to apply only if the request is for a certain URL path. Doing this at the route level is not possible, because my route is defined like this:
- match:
prefix: "/api/"
route:
cluster: some_backend_service
prefix_rewrite: "/"
But I would like to apply different (security related) filters for /api/foo than for /api/bar. I can't seem to find a way to do this looking at the documentation, is it even possible? Thanks.
The Composite Filter is exactly what you are looking for.
Please refer to this page:
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/composite_filter.html
An example: 3 Lua filters are configured in a composite filter, they are adding a response header "triggered" of value "action-1" for /get/action1, "action-2" for /get/action2, "no-match" for other paths
static_resources:
listeners:
- name: listener_0
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
cluster: upstream
timeout: 1s
name: default_route
http_filters:
- name: composite
typed_config:
"@type": type.googleapis.com/envoy.extensions.common.matching.v3.ExtensionWithMatcher
extension_config:
name: composite
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.composite.v3.Composite
matcher:
on_no_match:
action:
name: action-no-match
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.composite.v3.ExecuteFilterAction
typed_config:
name: envoy.filters.http.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
end
function envoy_on_response(response_handle)
response_handle:headers():add("triggered", "no-match")
end
matcher_list:
matchers:
- predicate:
single_predicate:
input:
name: "action1-matcher"
typed_config:
"@type": type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput
header_name: :path
value_match:
prefix: /get/action1
ignore_case: true
on_match:
action:
name: composite-action-1
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.composite.v3.ExecuteFilterAction
typed_config:
name: envoy.filters.http.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
end
function envoy_on_response(response_handle)
response_handle:headers():add("triggered", "action-1")
end
- predicate:
single_predicate:
input:
name: "action2-matcher"
typed_config:
"@type": type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput
header_name: :path
value_match:
prefix: /get/action2
ignore_case: true
on_match:
action:
name: composite-action-2
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.composite.v3.ExecuteFilterAction
typed_config:
name: envoy.filters.http.lua
typed_config:
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
end
function envoy_on_response(response_handle)
response_handle:headers():add("triggered", "action-2")
end
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: upstream
http2_protocol_options: {}
connect_timeout:
seconds: 10
type: STRICT_DNS
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
'@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
load_assignment:
cluster_name: upstream
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: httpbin.org
port_value: 443
lb_policy: ROUND_ROBIN
