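---
# Envoy edge proxy for the user/order APIs.
#
# Review fixes applied to the original, all kept to what the file itself states:
#   - Envoy's SocketAddress field is `port_value`; the original `port_number`
#     is not a known field and makes the whole bootstrap fail to load.
#   - listener_http is documented as "redirect to HTTPS" but actually served the
#     API routes (including those marked "requires JWT") with no JWT filter at
#     all; it now redirects, keeping only the plain-HTTP health check.
#   - The HTTP default route combined `route:` and `direct_response:`, which are
#     a oneof in Route and are rejected together.
#   - `x-verified-user` was copied from the client-supplied X-USER-ID header, so
#     any caller could pick the identity the backend trusts; it is now derived
#     from the verified JWT payload exposed via payload_in_metadata.
#   - `audiences` is a repeated field and must be a list.
#   - The HTTPS rate limiter had filter_enabled but no filter_enforced, which
#     means it only counted and never rejected.
#   - Int64Range.end in expected_statuses is exclusive; 200..299 needs end: 300.
static_resources:
  listeners:
    # HTTP listener: only redirects to the HTTPS listener. Everything that needs
    # authentication lives behind listener_https, which is where jwt_authn runs.
    - name: listener_http
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8080
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                http_filters:
                  # Local rate limit (the original comment labelled this CSRF; it is not)
                  - name: envoy.filters.http.local_ratelimit
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
                      stat_prefix: http_local_rate_limiter
                      token_bucket:
                        max_tokens: 1000
                        tokens_per_fill: 1000
                        fill_interval: 1s
                      filter_enabled:
                        runtime_key: local_rate_limit_enabled
                        default_value:
                          numerator: 100
                          denominator: HUNDRED
                      filter_enforced:
                        runtime_key: local_rate_limit_enforced
                        default_value:
                          numerator: 100
                          denominator: HUNDRED
                  # Router filter (must be last)
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        # Health check stays reachable over plain HTTP for probes
                        - match:
                            path: /health
                          route:
                            cluster: user_api_cluster
                            timeout: 10s
                        # Everything else: redirect to the TLS listener
                        - match:
                            prefix: /
                          redirect:
                            https_redirect: true
                            port_redirect: 8443

    # HTTPS listener (TLS certificate must be mounted at the paths below)
    - name: listener_https
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8443
      filter_chains:
        - transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              common_tls_context:
                # Explicit floor; Envoy's default is already TLS 1.2 but stating it
                # keeps the policy visible in review.
                tls_params:
                  tls_minimum_protocol_version: TLSv1_2
                tls_certificates:
                  - certificate_chain:
                      filename: /etc/envoy/certs/tls.crt
                    private_key:
                      filename: /etc/envoy/certs/tls.key
          filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_https
                access_log:
                  - name: envoy.access_loggers.file
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                      path: /var/log/envoy/access.log
                      # `format` is the deprecated v3 field; log_format is the current form.
                      # The `|` block keeps the trailing newline each log line needs.
                      log_format:
                        text_format_source:
                          inline_string: |
                            [%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% "%DURATION%" "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"
                http_filters:
                  # Local rate limiting (flood protection). Runs first so an
                  # unauthenticated flood is shed before any JWT verification work.
                  - name: envoy.filters.http.local_ratelimit
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
                      stat_prefix: https_local_rate_limiter
                      token_bucket:
                        max_tokens: 10000
                        tokens_per_fill: 10000
                        fill_interval: 1s
                      filter_enabled:
                        runtime_key: local_rate_limit_enabled
                        default_value:
                          numerator: 100
                          denominator: HUNDRED
                      # Without filter_enforced the filter defaults to 0% enforced,
                      # i.e. it only emits stats and never returns 429.
                      filter_enforced:
                        runtime_key: local_rate_limit_enforced
                        default_value:
                          numerator: 100
                          denominator: HUNDRED

                  # JWT verification filter
                  - name: envoy.filters.http.jwt_authn
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                      providers:
                        jwt_provider:
                          issuer: "juwan-user-rpc"
                          # repeated string: a bare scalar here is a parse error
                          audiences:
                            - "api.juwan.local"
                          # Local (offline) verification: the key is supplied via the
                          # ConfigMap. Note this is a symmetric HMAC key (kty "oct"):
                          # anyone who can read this config can mint valid tokens, so
                          # the remote_jwks option below is the safer choice.
                          local_jwks:
                            inline_string: |
                              {
                                "keys": [
                                  {
                                    "kty": "oct",
                                    "k": "YOUR-BASE64-ENCODED-SECRET-KEY"
                                  }
                                ]
                              }
                          # Remote JWKS alternative (recommended)
                          # remote_jwks:
                          #   http_uri:
                          #     uri: "http://user-rpc-svc:9001/.well-known/jwks.json"
                          #     cluster: user_rpc_cluster
                          #     timeout: 5s
                          #   cache_ttl:
                          #     seconds: 300
                          # Expose the verified claims in dynamic metadata so routes can
                          # derive the user identity from the token instead of from a
                          # client-controlled header.
                          payload_in_metadata: "JWT_PAYLOAD"
                      rules:
                        # Routes that do not require a token (exact paths, matching
                        # the route table below rather than a broader prefix)
                        - match:
                            path: /api/v1/users/login
                          allow_missing_or_failed: true
                        - match:
                            path: /api/v1/users/register
                          allow_missing_or_failed: true
                        - match:
                            path: /health
                          allow_missing_or_failed: true
                        # Every other route requires a valid JWT
                        - match:
                            prefix: /
                          requires:
                            provider_name: jwt_provider

                  # CSRF protection filter
                  - name: envoy.filters.http.csrf
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.csrf.v3.CsrfPolicy
                      filter_enabled:
                        default_value:
                          numerator: 100
                          denominator: HUNDRED
                        runtime_key: csrf_filter_enabled
                      shadow_enabled:
                        default_value:
                          numerator: 0
                          denominator: HUNDRED
                        runtime_key: csrf_filter_shadow_enabled
                      additional_origins:
                        - exact: "https://admin.juwan.local"
                      # NOTE(review): `ignore_method_matches` is not a CsrfPolicy field
                      # as far as I can tell and would be rejected at load; the filter
                      # already only inspects state-changing methods. Kept here,
                      # disabled, until confirmed against the v3 proto.
                      # ignore_method_matches:
                      #   - google_re2:
                      #       regex: "^(GET|HEAD|OPTIONS|TRACE)$"

                  # External authorization (optional: RPC call to check the token
                  # blocklist). failure_mode_allow: false fails closed if the
                  # authz service is unreachable.
                  # - name: envoy.filters.http.ext_authz
                  #   typed_config:
                  #     "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                  #     grpc_service:
                  #       envoy_grpc:
                  #         cluster_name: user_rpc_cluster
                  #     failure_mode_allow: false
                  #     with_request_body:
                  #       max_request_bytes: 8192
                  #       allow_partial_message: false

                  # Router filter (must be last)
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                route_config:
                  name: https_route
                  virtual_hosts:
                    - name: backend
                      domains: ["*"]
                      routes:
                        # Login and register: no JWT (see jwt_authn rules)
                        - match:
                            path: /api/v1/users/login
                            headers:
                              - name: ":method"
                                string_match:
                                  exact: "POST"
                          route:
                            cluster: user_api_cluster
                            timeout: 30s
                        - match:
                            path: /api/v1/users/register
                            headers:
                              - name: ":method"
                                string_match:
                                  exact: "POST"
                          route:
                            cluster: user_api_cluster
                            timeout: 30s
                        # User API (JWT enforced by the jwt_authn `prefix: /` rule)
                        - match:
                            prefix: /api/v1/users
                          route:
                            cluster: user_api_cluster
                            timeout: 30s
                          # request_headers_to_add is a Route field, not a RouteAction
                          # field. The value comes from the verified token payload;
                          # OVERWRITE ensures a client-sent x-verified-user cannot be
                          # appended alongside the real one.
                          # NOTE(review): assumes the user id is the `sub` claim;
                          # confirm against what juwan-user-rpc actually issues.
                          request_headers_to_add:
                            - header:
                                key: "x-verified-user"
                                value: "%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:JWT_PAYLOAD:sub)%"
                              append_action: OVERWRITE_IF_EXISTS_OR_ADD
                        # Order API (JWT enforced the same way)
                        - match:
                            prefix: /api/v1/orders
                          route:
                            cluster: order_api_cluster
                            timeout: 30s
                          request_headers_to_add:
                            - header:
                                key: "x-verified-user"
                                value: "%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:JWT_PAYLOAD:sub)%"
                              append_action: OVERWRITE_IF_EXISTS_OR_ADD
                        # Health check
                        - match:
                            path: /health
                          route:
                            cluster: user_api_cluster
                            timeout: 10s
                        # Default route
                        - match:
                            prefix: /
                          direct_response:
                            status: 404
                            body:
                              inline_string: "Not Found"

  clusters:
    # User API cluster
    - name: user_api_cluster
      connect_timeout: 10s
      type: STRICT_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: user_api_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: user-api-svc
                      port_value: 8888
      health_checks:
        - timeout: 5s
          interval: 10s
          unhealthy_threshold: 2
          healthy_threshold: 2
          http_health_check:
            path: /health
            # Int64Range.end is exclusive: 200..299 inclusive needs end: 300
            expected_statuses:
              - start: 200
                end: 300

    # Order API cluster
    - name: order_api_cluster
      connect_timeout: 10s
      type: STRICT_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: order_api_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: order-api-svc
                      port_value: 8889
      health_checks:
        - timeout: 5s
          interval: 10s
          unhealthy_threshold: 2
          healthy_threshold: 2
          http_health_check:
            path: /health
            expected_statuses:
              - start: 200
                end: 300

    # User RPC cluster (used by the ext_authz / remote_jwks options above)
    - name: user_rpc_cluster
      connect_timeout: 10s
      type: STRICT_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: user_rpc_cluster
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: user-rpc-svc
                      port_value: 9001
      # gRPC needs HTTP/2; the cluster-level http2_protocol_options field is
      # deprecated in v3 in favour of typed_extension_protocol_options.
      typed_extension_protocol_options:
        envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
          "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
          explicit_http_config:
            http2_protocol_options: {}

# Admin API. It has no authentication of its own; binding 0.0.0.0 makes it
# reachable from the whole pod/host network. Restrict it with a NetworkPolicy
# or bind 127.0.0.1 if nothing outside the pod needs to scrape it.
admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9901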