Complete Example
This is a complete example of Envoy and HUMAN Callout Enforcer.
We have the following test setup:
- Envoy listens on 10.0.0.1:8080
- HUMAN Callout Enforcer is on 10.0.0.1:50051
- A protected web server is www.envoyproxy.io:443
- Complete Envoy configuration (
envoy.yamlfile):
static_resources:
listeners:
- name: listener_0
address:
socket_address:
protocol: TCP
address: 0.0.0.0
port_value: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
scheme_header_transformation:
scheme_to_overwrite: https
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match:
prefix: "/"
route:
host_rewrite_literal: www.envoyproxy.io
cluster: service_envoyproxy_io
http_filters:
- name: envoy.filters.http.ext_proc
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor
grpc_service:
envoy_grpc:
cluster_name: px_callout_cluster
timeout: 3s
failure_mode_allow: false
allow_mode_override: true
message_timeout: 3s
processing_mode:
request_header_mode: "SEND"
response_header_mode: "SEND"
request_body_mode: "NONE"
response_body_mode: "NONE"
request_trailer_mode: "SKIP"
response_trailer_mode: "SKIP"
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
clusters:
- name: service_envoyproxy_io
connect_timeout: 30s
type: LOGICAL_DNS
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: service_envoyproxy_io
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: www.envoyproxy.io
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: www.envoyproxy.io
- name: px_callout_cluster
type: STRICT_DNS
lb_policy: ROUND_ROBIN
connect_timeout: 1s
http2_protocol_options: {}
load_assignment:
cluster_name: px_callout_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 10.0.0.2
port_value: 50051
health_checks:
- timeout: 1s
interval: 1s
unhealthy_threshold: 1
healthy_threshold: 1
reuse_connection: true
tls_options:
alpn_protocols: ["h2"]
grpc_health_check:
service_name: health_check
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
- Run Envoy:
docker run --rm \
-p 8080:8080 \
--mount type=bind,source="$(pwd)"/envoy.yaml,target=/etc/envoy/envoy.yaml \
--config-path /etc/envoy/envoy.yaml \
-l info \
envoyproxy/envoy:v1.29-latest
- An example of HUMAN Callout Enforcer configuration (
pxconf.jsonfile):
{
"px_appId": "--REPLACE--",
"px_cookie_secret": "--REPLACE--",
"px_auth_token": "--REPLACE--",
"px_whitelist_uri_full": ["/test", "/abc"],
"px_block_enabled": true,
"px_score_header_enabled": true,
"px_score_header_name": "x-px-score"
}
- Run HUMAN Callout Enforcer:
docker run --rm \
-p 50051:50051
--mount type=bind,source="$(pwd)"/pxconf.json,target=/etc/pxconf.json,readonly \
perimeterx/px-callout-enforcer:latest
- To test the new setup, open
http://10.0.0.1:8080/address in a web browser (enable "PhantomJS" UA), you should see HUMAN Captcha page:
Updated 12 days ago