.. _config_http_filters_ext_authz:

External Authorization
======================

* External authorization :ref:`architecture overview `
* :ref:`HTTP filter v2 API reference `

The external authorization HTTP filter calls an external gRPC or HTTP service to check whether the
incoming HTTP request is authorized. If the request is deemed unauthorized, it is denied, normally
with a 403 (Forbidden) response. Note that sending additional custom metadata from the
authorization service to the upstream, to the downstream or to the authorization service is also
possible. This is explained in more detail in :ref:`HTTP filter `.

.. tip::
  It is recommended that this filter is configured first in the filter chain so that requests are
  authorized before the rest of the filters process the request.

The content of the requests that are passed to an authorization service is specified by
:ref:`CheckRequest `.

.. _config_http_filters_ext_authz_http_configuration:

The HTTP filter, using a gRPC/HTTP service, can be configured as follows. You can see all the
configuration options at :ref:`HTTP filter `.

Configuration Examples
-----------------------------

A sample filter configuration for a gRPC authorization server:

.. code-block:: yaml

  http_filters:
    - name: envoy.ext_authz
      config:
        grpc_service:
          envoy_grpc:
            cluster_name: ext-authz

.. code-block:: yaml

  clusters:
    - name: ext-authz
      # Bounds the TCP connect to the authorization service.
      connect_timeout: 0.25s
      type: static
      http2_protocol_options: {}
      hosts:
        - socket_address: { address: 127.0.0.1, port_value: 10003 }

A sample filter configuration for a raw HTTP authorization server:

.. code-block:: yaml

  http_filters:
    - name: envoy.ext_authz
      config:
        http_service:
          server_uri:
            uri: 127.0.0.1:10003
            cluster: ext-authz
            timeout: 0.25s
        # Fail closed: deny the request when the authorization service
        # returns an error or cannot be reached.
        failure_mode_allow: false

.. code-block:: yaml

  clusters:
    - name: ext-authz
      connect_timeout: 0.25s
      type: logical_dns
      lb_policy: round_robin
      hosts:
        - socket_address: { address: 127.0.0.1, port_value: 10003 }

Statistics
----------

The HTTP filter outputs statistics in the *cluster..ext_authz.* namespace.

.. csv-table::
  :header: Name, Type, Description
  :widths: 1, 1, 2

  ok, Counter, Total responses from the filter.
  error, Counter, Total errors contacting the external service.
  denied, Counter, Total responses from the authorization service that were to deny the traffic.
  failure_mode_allowed, Counter, "Total requests that resulted in errors but were allowed through because failure_mode_allow is set to true."
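
The raw HTTP authorization server that the second configuration example points at (``127.0.0.1:10003``) could look like the following. This is an added example, not code from the Envoy project. It assumes the filter forwards the original method and ``Authorization`` header in the check request, and treats a 200 response as allow and a 403 response as deny; the bearer-token scheme, ``EXPECTED_TOKEN`` and ``decide`` are hypothetical.

```python
"""Minimal raw-HTTP authorization service for the ext_authz filter (added example)."""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credential; a real service loads secrets from a secret store.
EXPECTED_TOKEN = "example-token-not-a-real-secret"
LISTEN_ADDR = ("127.0.0.1", 10003)  # matches the ext-authz cluster address


def decide(headers):
    """Return the HTTP status for a check request: 200 allows, 403 denies.

    Fails closed: a missing, malformed or wrong credential is always denied.
    """
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 403
    # Constant-time comparison avoids leaking the token through timing.
    if hmac.compare_digest(token.strip().encode(), EXPECTED_TOKEN.encode()):
        return 200
    return 403


class AuthzHandler(BaseHTTPRequestHandler):
    def _check(self):
        # Empty body: the decision is carried by the status code alone.
        self.send_response(decide(self.headers))
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Assumption: the check request carries the original method, so handle each verb.
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = _check


if __name__ == "__main__":
    HTTPServer(LISTEN_ADDR, AuthzHandler).serve_forever()
```

With ``failure_mode_allow: false``, stopping this service causes requests to be denied rather than passed through, which shows up in the ``error`` counter instead of ``failure_mode_allowed``.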