That's probably the best option at this time. Does the istio sidecar provide a "Forwarded" or "X-Forwarded-For" header? I'm working on an experimental plugin that could do what you have with header_rewrite or use such a header to do the check.
Are the inbound connections TLS only, plaintext, or a mix?

On Mon, Jul 27, 2020 at 12:16 AM Cameron Braid <[email protected]> wrote:
> I found a workaround using header_rewrite plugin
>
> cond %{READ_REQUEST_HDR_HOOK} [AND]
> cond %{METHOD} =PURGE [AND]
> cond %{CLIENT-HEADER:x-some-header} =somesecret [AND,NOT]
> set-status 403
>
>
> On Mon, 27 Jul 2020 at 14:22, Cameron Braid <[email protected]> wrote:
>
>> Hi,
>>
>> I am running ats in a kubernetes cluster with istio. The ip based rules are not usable in this configuration as every connection comes from 127.0.0.1 due to the traffic originating from the istio sidecar proxy
>>
>> I would like to block access to PURGE requests from the public at large, but allow it from an internal service. Is there an alternative way to achieve this?
>>
>> Cheers
>>
>> Cameron
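The header-based check the reply describes, as an added example that is not part of this thread or of the ATS plugin: it reads the client address from a Forwarded (RFC 7239) or X-Forwarded-For header and allows PURGE only for internal callers. It assumes exactly one trusted hop (the istio sidecar) in front of ATS, so only the right-most entry is trusted, and it assumes an internal range of 10.0.0.0/8; both values are constructed for the example.

```python
import ipaddress

# Assumptions (constructed for this example): exactly one trusted proxy, the
# istio sidecar, sits in front of ATS and appends the real peer address, and
# the internal service allowed to PURGE lives in 10.0.0.0/8.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _for_value(elem):
    """Return the for= value of one Forwarded element, quotes removed."""
    for pair in elem.split(";"):
        key, _, value = pair.strip().partition("=")
        if key.lower() == "for":
            return value.strip().strip('"')
    return None


def _strip_port(raw):
    """Drop an optional :port from an IPv4 or bracketed IPv6 node name."""
    if raw.startswith("["):                      # "[2001:db8::1]:4711"
        return raw[1:raw.find("]")] if "]" in raw else None
    if raw.count(":") == 1:                      # "192.0.2.1:4711"
        return raw.split(":")[0]
    return raw


def client_ip(headers):
    """Client address as recorded by the trusted sidecar, or None.

    Only the right-most element is used: everything to its left was sent by
    the client (or an untrusted upstream) and can be forged.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "forwarded" in h:
        elems = [e for e in h["forwarded"].split(",") if e.strip()]
        raw = _for_value(elems[-1]) if elems else None
    elif "x-forwarded-for" in h:
        parts = [p.strip() for p in h["x-forwarded-for"].split(",")]
        raw = parts[-1] if parts and parts[-1] else None
    else:
        return None
    if raw is None:
        return None
    try:
        return ipaddress.ip_address(_strip_port(raw))
    except ValueError:                            # e.g. obfuscated "_gazonk"
        return None


def purge_allowed(method, headers):
    """Allow PURGE only when the trusted hop reports an internal client."""
    if method.upper() != "PURGE":
        return True
    ip = client_ip(headers)
    return ip is not None and any(ip in net for net in INTERNAL_NETS)
```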
