tall-angle-41306
04/20/2022, 5:00 PMupstream
requests on Oathkeeper?
Oathkeeper doesn't seem to be handling strip_path
on the rules
For example;
"upstream": {
"url": "<http://account.dev.svc.cluster.local>",
"strip_path": "/account",
}
The access log for the account
service above is then showing request_path":"/account/api/schema.json"
which of course returns a 404 as the actual path should be /api/schema.json
- the /account
should be stripped as per the upstream config above.tall-angle-41306
04/21/2022, 8:36 AMtall-angle-41306
04/21/2022, 8:38 AM[
{
"upstream": {
"url": "<http://account.dev.svc.cluster.local>",
"strip_path": "/account",
"preserve_host": false
},
"id": "dev-account-allow.auth",
"match": {
"url": "<http|https>://dev.foo.io/account/<.*>",
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH"
]
},
"authenticators": [
{
"handler": "anonymous"
}
],
"authorizer": {
"handler": "allow"
}
}
]
A request to <https://dev.foo.io/account/api/schema.json>
should result in an upstream request to <http://account.dev.svc.cluster.local/api/schema.json>
I can confirm that the above rule matches fine, but the upstream service receives a request of <http://account.dev.svc.cluster.local/account/api/schema.json>
steep-lamp-91158
tall-angle-41306
04/21/2022, 8:54 AMv0.38.19-beta.1
steep-lamp-91158
steep-lamp-91158
preserve_host
to true? I could only find examples that I know work with preserve_host
being truetall-angle-41306
04/21/2022, 9:06 AMpreserve_host: true
- We're not actually setting that, false
is the default that's being settall-angle-41306
04/21/2022, 9:15 AMpreserve_host: true
doesn't change the behavioursteep-lamp-91158
steep-lamp-91158
tall-angle-41306
04/21/2022, 9:25 AMtall-angle-41306
04/21/2022, 9:26 AMsteep-lamp-91158
tall-angle-41306
04/21/2022, 12:55 PMsteep-lamp-91158
tall-angle-41306
04/21/2022, 1:39 PMupstream
gets ignored. You can pass through any values you want in oathkeeper upstream
and they're ignored. (eg if I do an upstream.url: <http://foo.com>
which is invalid and should fail, the request still ends up at the intended destination.
I think what is happening is Istio runs the filters from EnvoyFilter, calls /decisions
to determine if the request can pass, and then envoy sends the request down the original intended route (rather than oathkeeper proxying the request)steep-lamp-91158
worried-kitchen-94392
04/21/2022, 2:25 PMtall-angle-41306
04/21/2022, 3:31 PMtall-angle-41306
04/21/2022, 6:00 PMupstream.strip_path
the path rewrite is now being handled within a Istio VirtualServicetall-angle-41306
04/21/2022, 6:01 PM