由于漏洞扫描检测到响应中缺少 x-content-type-options 响应头(浏览器据此禁用 MIME 嗅探),或者带有多余的、会泄露信息的头(如 Server),所以通过 Istio gateway 与 Envoy sidecar 代理上的 EnvoyFilter 来增删请求头/响应头。
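# EnvoyFilter with three patches:
#   1. sidecar outbound  -> add X-Client-Pod-Ip to outgoing requests
#   2. gateway responses -> add X-Content-Type-Options: nosniff, strip Server
#   3. every HTTP connection manager -> PASS_THROUGH for the Server header, so
#      the removal in patch 2 is not undone when Envoy writes its own banner.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: custom-header-filter
  # Change as needed. In the root namespace (istio-system) the filter applies
  # to every workload and gateway in the mesh; use a workload namespace plus a
  # workloadSelector to scope it.
  namespace: istio-system
spec:
  configPatches:
    # --- Patch 1: tag sidecar outbound requests with the caller's pod IP. ---
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_OUTBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.lua
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
            inlineCode: |
              function envoy_on_request(handle)
                -- os.getenv returns nil when POD_IP is not set in the istio-proxy
                -- container; passing nil to add() raises a Lua error on every request.
                -- NOTE(review): default sidecar injection exposes INSTANCE_IP, not
                -- POD_IP -- confirm the variable name against the injection template.
                local pod_ip = os.getenv("POD_IP")
                if pod_ip == nil or pod_ip == "" then
                  return
                end
                -- replace() instead of add(): a value the application already set
                -- would otherwise survive next to ours and could be used to spoof it.
                -- SECURITY: SIDECAR_OUTBOUND matches every outbound listener, so this
                -- internal pod address is also sent to destinations outside the mesh
                -- unless the match is narrowed (e.g. by port or route).
                handle:headers():replace("X-Client-Pod-Ip", pod_ip)
              end

    # --- Patch 2: harden responses leaving the ingress gateway. ---
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.lua
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
            inlineCode: |
              function envoy_on_response(handle)
                local headers = handle:headers()
                -- Envoy keeps header names lower-cased, so this lookup also covers an
                -- upstream "X-Content-Type-Options". Only add when absent so the
                -- upstream value is neither duplicated nor overridden.
                if headers:get("x-content-type-options") == nil then
                  headers:add("x-content-type-options", "nosniff")
                end
                -- Drop the upstream's Server banner (product/version disclosure).
                -- Effective only together with server_header_transformation:
                -- PASS_THROUGH (patch 3), otherwise Envoy re-adds "envoy" afterwards.
                -- Extend here if the scanner flagged other banner headers.
                headers:remove("server")
              end

    # --- Patch 3: do not let Envoy add/overwrite the Server header itself. ---
    - applyTo: NETWORK_FILTER
      match:
        context: ANY
        listener:
          filterChain:
            filter:
              # Canonical v3 filter name, consistent with patches 1 and 2. The legacy
              # "envoy.http_connection_manager" name and the v2 HttpConnectionManager
              # type URL are rejected by Envoy versions without xDS v2 support.
              name: "envoy.filters.network.http_connection_manager"
      patch:
        operation: MERGE
        value:
          name: envoy.filters.network.http_connection_manager
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            # Default is OVERWRITE (sets "envoy"). PASS_THROUGH forwards whatever the
            # upstream sent and adds nothing when the header is missing.
            server_header_transformation: PASS_THROUGH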
第一个过滤器作用在 pod sidecar 的 outbound 流量上,为出流量添加 X-Client-Pod-Ip 请求头(值取自 istio-proxy 容器的 POD_IP 环境变量,未设置时 os.getenv 返回 nil)。注意该头会随所有出站请求发送,包括网格外的目标,会暴露内部 pod IP,应按需收窄匹配范围。
第二个过滤器作用在网关上,为经 istio ingressgateway 进入的请求的响应补齐 x-content-type-options: nosniff(上游已返回该头时不重复添加),并移除 Server 响应头。
第三个过滤器把 HTTP connection manager 的 server_header_transformation 设为 PASS_THROUGH:Envoy 默认(OVERWRITE)会在过滤器链之后把 Server 头改写为 envoy,设置后既不改写也不补加,上游返回什么就透传什么;因此第二个过滤器里的 remove("server") 才能真正生效。