juwan/juwan-backend
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
300058ad01b291e1177f66c2922db8811dcf0ad0
juwan-backend/deploy/envoy/envoy.yaml
T
wwweww fdbcde13b2 add:
2026-02-23 20:36:21 +08:00

386 lines
15 KiB
YAML
Raw Blame History

static_resources:
listeners:
# HTTP 监听器(重定向到 HTTPS)
- name: listener_http
address:
socket_address:
address: 0.0.0.0
port_number: 8080
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_http
http_filters:
# CSRF 防护过滤器
- name: envoy.filters.http.local_ratelimit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
stat_prefix: http_local_rate_limiter
token_bucket:
max_tokens: 1000
tokens_per_fill: 1000
fill_interval: 1s
filter_enabled:
runtime_key: local_rate_limit_enabled
default_value:
numerator: 100
denominator: HUNDRED
filter_enforced:
runtime_key: local_rate_limit_enforced
default_value:
numerator: 100
denominator: HUNDRED
# 路由过滤器
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
name: local_route
virtual_hosts:
- name: backend
domains: ["*"]
routes:
# 登录端点 - 不需要 JWT
- match:
path: /api/v1/users/login
headers:
- name: ":method"
string_match:
exact: "POST"
route:
cluster: user_api_cluster
timeout: 30s
# 注册端点 - 不需要 JWT
- match:
path: /api/v1/users/register
headers:
- name: ":method"
string_match:
exact: "POST"
route:
cluster: user_api_cluster
timeout: 30s
# 其他所有用户 API 端点 - 需要 JWT
- match:
prefix: /api/v1/users
headers:
- name: ":method"
string_match:
exact: "GET"
route:
cluster: user_api_cluster
timeout: 30s
request_headers_to_add:
- header:
key: "x-verified-user"
value: "%REQ(X-USER-ID)%"
# 订单 API - 需要 JWT
- match:
prefix: /api/v1/orders
route:
cluster: order_api_cluster
timeout: 30s
request_headers_to_add:
- header:
key: "x-verified-user"
value: "%REQ(X-USER-ID)%"
# 健康检查端点
- match:
path: /health
route:
cluster: user_api_cluster
timeout: 10s
# 默认路由
- match:
prefix: /
route:
cluster: user_api_cluster
timeout: 30s
direct_response:
status: 404
body:
inline_string: "Not Found"
# HTTPS 监听器(需要配置 TLS 证书)
- name: listener_https
address:
socket_address:
address: 0.0.0.0
port_number: 8443
filter_chains:
- transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
common_tls_context:
tls_certificates:
- certificate_chain:
filename: /etc/envoy/certs/tls.crt
private_key:
filename: /etc/envoy/certs/tls.key
filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
stat_prefix: ingress_https
access_log:
- name: envoy.access_loggers.file
typed_config:
"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
path: /var/log/envoy/access.log
format: |
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
%RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT%
"%DURATION%" "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
"%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"
http_filters:
# JWT 验证过滤器
- name: envoy.filters.http.jwt_authn
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
jwt_provider:
issuer: "juwan-user-rpc"
audiences: "api.juwan.local"
# 本地验证(离线模式)- 需要在 ConfigMap 中配置公钥
local_jwks:
inline_string: |
{
"keys": [
{
"kty": "oct",
"k": "YOUR-BASE64-ENCODED-SECRET-KEY"
}
]
}
# 也可以使用远程 JWKS(更推荐)
# remote_jwks:
# http_uri:
# uri: "http://user-rpc-svc:9001/.well-known/jwks.json"
# cluster: user_rpc_cluster
# timeout: 5s
# cache_ttl:
# seconds: 300
# payload_in_metadata: "JWT_PAYLOAD"
rules:
# 不需要验证的路由
- match:
prefix: /api/v1/users/login
allow_missing_or_failed: true
- match:
prefix: /api/v1/users/register
allow_missing_or_failed: true
- match:
path: /health
allow_missing_or_failed: true
# 所有其他路由都需要有效的 JWT
- match:
prefix: /
requires:
provider_name: jwt_provider
# CSRF 防护过滤器
- name: envoy.filters.http.csrf
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.csrf.v3.CsrfPolicy
filter_enabled:
default_value:
numerator: 100
denominator: HUNDRED
runtime_key: csrf_filter_enabled
shadow_enabled:
default_value:
numerator: 0
denominator: HUNDRED
runtime_key: csrf_filter_shadow_enabled
additional_origins:
- exact: "https://admin.juwan.local"
ignore_method_matches:
- google_re2:
regex: "^(GET|HEAD|OPTIONS|TRACE)$"
# 代理验证过滤器(可选 - 调用 RPC 验证 token 黑名单)
# - name: envoy.filters.http.ext_authz
# typed_config:
# "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
# grpc_service:
# envoy_grpc:
# cluster_name: user_rpc_cluster
# failure_mode_allow: false
# with_request_body:
# max_request_bytes: 8192
# allow_partial_message: false
# 本地速率限制(DDOS 防护)
- name: envoy.filters.http.local_ratelimit
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
stat_prefix: https_local_rate_limiter
token_bucket:
max_tokens: 10000
tokens_per_fill: 10000
fill_interval: 1s
filter_enabled:
runtime_key: local_rate_limit_enabled
default_value:
numerator: 100
denominator: HUNDRED
# 路由过滤器
- name: envoy.filters.http.router
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
route_config:
name: https_route
virtual_hosts:
- name: backend
domains: ["*"]
routes:
# 登录和注册不需要 JWT
- match:
path: /api/v1/users/login
headers:
- name: ":method"
string_match:
exact: "POST"
route:
cluster: user_api_cluster
timeout: 30s
- match:
path: /api/v1/users/register
headers:
- name: ":method"
string_match:
exact: "POST"
route:
cluster: user_api_cluster
timeout: 30s
# 用户 API(带 JWT 验证)
- match:
prefix: /api/v1/users
route:
cluster: user_api_cluster
timeout: 30s
request_headers_to_add:
- header:
key: "x-verified-user"
value: "%REQ(X-USER-ID)%"
# 订单 API(带 JWT 验证)
- match:
prefix: /api/v1/orders
route:
cluster: order_api_cluster
timeout: 30s
request_headers_to_add:
- header:
key: "x-verified-user"
value: "%REQ(X-USER-ID)%"
# 健康检查
- match:
path: /health
route:
cluster: user_api_cluster
timeout: 10s
# 默认路由
- match:
prefix: /
direct_response:
status: 404
body:
inline_string: "Not Found"
clusters:
# User API 集群
- name: user_api_cluster
connect_timeout: 10s
type: STRICT_DNS
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: user_api_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: user-api-svc
port_number: 8888
health_checks:
- timeout: 5s
interval: 10s
unhealthy_threshold: 2
healthy_threshold: 2
http_health_check:
path: /health
expected_statuses:
- start: 200
end: 299
# Order API 集群
- name: order_api_cluster
connect_timeout: 10s
type: STRICT_DNS
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: order_api_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: order-api-svc
port_number: 8889
health_checks:
- timeout: 5s
interval: 10s
unhealthy_threshold: 2
healthy_threshold: 2
http_health_check:
path: /health
expected_statuses:
- start: 200
end: 299
# User RPC 集群(用于 ext_authz 调用)
- name: user_rpc_cluster
connect_timeout: 10s
type: STRICT_DNS
dns_lookup_family: V4_ONLY
lb_policy: ROUND_ROBIN
load_assignment:
cluster_name: user_rpc_cluster
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: user-rpc-svc
port_number: 9001
http2_protocol_options: {}
admin:
address:
socket_address:
address: 0.0.0.0
port_number: 9901
Reference in New Issue View Git Blame Copy Permalink