juwan/juwan-backend
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
5 Commits 2 Branches 0 Tags
fdbcde13b2d83a46d8e43e347c107e43a4cf835e
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
wwweww fdbcde13b2 add:
2026-02-23 20:36:21 +08:00
.idea
add: envoy redis
2026-02-23 15:54:33 +08:00
app/users
add:
2026-02-23 20:36:21 +08:00
backup
add: envoy redis
2026-02-23 15:54:33 +08:00
common
add:
2026-02-23 20:36:21 +08:00
deploy
add:
2026-02-23 20:36:21 +08:00
desc
add:
2026-02-23 20:36:21 +08:00
docs
add:
2026-02-23 20:36:21 +08:00
.gitignore
del: DockerFile
2026-02-21 23:20:39 +08:00
ENVOY_GATEWAY_GUIDE.md
add:
2026-02-23 20:36:21 +08:00
go.mod
add: envoy redis
2026-02-23 15:54:33 +08:00
go.sum
add: envoy redis
2026-02-23 15:54:33 +08:00
Herebyfile.mjs
del: node modle
2026-02-21 23:19:15 +08:00
package-lock.json
firest commit
2026-02-21 22:48:40 +08:00
package.json
firest commit
2026-02-21 22:48:40 +08:00

docs/README.md

Envoy Gateway Configuration

This document explains how the Envoy gateway is configured and how to modify it.

Files

  • envoy.yaml: ConfigMap + Deployment + Service for Envoy

Current Behavior

  • Envoy listens on port 8080 in the Pod and exposes port 80 via a ClusterIP Service.
  • All HTTP traffic is routed to user-api only.
  • gRPC is not exposed by this gateway.

Routing

In envoy.yaml, routes are defined under:

static_resources -> listeners -> http_connection_manager -> route_config -> virtual_hosts

The current routing rules are:

  • All requests (prefix: "/") -> cluster: user-api

To add a new HTTP service, add a new route above the default route and define a new cluster.

Example: route /order to order-api-svc:8899

  1. Add a route match:
  • match: prefix: "/order" route: cluster: order-api
  1. Add a cluster:
  • name: order-api connect_timeout: 2s type: STRICT_DNS lb_policy: ROUND_ROBIN load_assignment: cluster_name: order-api endpoints: - lb_endpoints: - endpoint: address: socket_address: address: order-api-svc.juwan.svc.cluster.local port_value: 8899

CSRF Protection

Envoy uses a Lua filter for CSRF validation:

  • Safe methods (GET/HEAD/OPTIONS):
    • If csrf_token cookie is missing, Envoy generates one and sets it in the response.
  • Unsafe methods (POST/PUT/PATCH/DELETE, etc):
    • Requires BOTH:
      • header: X-CSRF-Token
      • cookie: csrf_token
    • Values must match, otherwise Envoy returns 403.

If you want a different cookie name or header name, update these in the Lua code:

  • Header: x-csrf-token
  • Cookie: csrf_token

To relax or tighten rules, edit the functions:

  • is_safe(method)
  • envoy_on_request(request_handle)

Cookie Attributes

Current Set-Cookie:

csrf_token=; Path=/; SameSite=Strict

To add Secure or HttpOnly, update the string in envoy_on_response.

Deployment

Apply or update:

kubectl apply -f deploy/k8s/envoy/envoy.yaml

Common Changes

  • Change listening port:
    • Update listener port_value and Service targetPort/port.
  • Change service namespace:
    • Update cluster DNS addresses (e.g. service.ns.svc.cluster.local).
  • Add more services:
    • Add route + add cluster, as shown above.
Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 2.8 MiB
Languages
Go 81.3%
Python 14.2%
Shell 2.9%
JavaScript 0.8%
PLpgSQL 0.5%
Other 0.2%