Status Quo: We are using envoyproxy for filtering timed-out (and thus unauthorized) traffic with a status 401 to redirect to login.domain.tld on all .*\\.domain\\.de(:3000)?
Thus, in envoy.yaml,
inline_code: |
function envoy_on_response(response_handle)
if response_handle:headers():get(":status") == "401" then
response_handle:headers():replace(":status", "301")
response_handle:headers():replace("location", "https://login.domain.tld")
end
end
Example code: https://github.com/envoyproxy/envoy/blob/main/examples/lua/envoy.yaml#L30-L39,
YAML-path: static_resources.listeners:.address.filter_chains.filters.'envoy.http_connection_manager'.config.http_filters.'envoy.lua'config.inline_code
Issue now, we want to change the redirect from all subdomains only to one. This is simply done adding a condition into the code above, we assumed.
Why? We have many subdomains in ranges, e.g. api-{000..999}.domain.tld, all of which are REST apis which in case of lack of AUTH shall not redirect.
Tried solution: We assumed, reading documentation, https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/lua_filter#requestedservername would solve it, thus adding a second condition:
inline_code: |
function envoy_on_request(request_handle)
local SNI = request_handle:streamInfo():requestedServerName()
end
function envoy_on_response(response_handle)
local SNI_str = tostring(SNI)
local MATCH_str = "app.domain.tld"
if response_handle:headers():get(":status") == "401" and string.find(SNI_str,MATCH_str) then
response_handle:headers():replace(":status", "301")
response_handle:headers():replace("location", "https://login.domain.tld")
end
end
Sadly code above does not work, the object request_handle:streamInfo():requestedServerName() seems empty or non-existing.
Question:
- What object can we use to get the SNI from our request and turn it into a string type?
- If that is not an option, how do we differentiate between domains for redirects? More filtering?
Versions:
Docker image envoyproxy/envoy:v1.16.2
