Denis Mishin
cb0e8aaf06
mcp: add oauth metadata endpoint ( #5579 )
2025-04-23 12:24:00 -04:00
Caleb Doxsey
dc9a6bdb81
replace xxhash with xxh3 ( #5457 )
* update config file paths hash
* update filemgr
* use xxh3 for hashutil.Hash
* update hashutil digest, fix trace buffer test
* update comments
* update namegen, go mod tidy
2025-01-31 08:44:08 -07:00
Joe Kralicky
396c35b6b4
New tracing system ( #5388 )
* update tracing config definitions
* new tracing system
* performance improvements
* only configure tracing in envoy if it is enabled in pomerium
* [tracing] refactor to use custom extension for trace id editing (#5420)
refactor to use custom extension for trace id editing
* set default tracing sample rate to 1.0
* fix proxy service http middleware
* improve some existing auth related traces
* test fixes
* bump envoyproxy/go-control-plane
* code cleanup
* test fixes
* Fix missing spans for well-known endpoints
* import extension apis from pomerium/envoy-custom
2025-01-21 13:26:32 -05:00
Caleb Doxsey
71bcb4f28e
UDP support ( #5390 )
2024-12-11 13:07:31 -07:00
Joe Kralicky
ebd9eea30e
Optimize Policy RouteID ( #5359 )
2024-11-06 12:31:52 -05:00
Joe Kralicky
c8b6b8f1a9
config: only validate redirect response code when non-nil ( #5358 )
* config: only validate redirect response code when non-nil
* update unit tests
---------
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2024-11-05 15:57:59 -05:00
Kenneth Jenkins
3d958ff9c5
config: fix redirect response code ( #5346 )
2024-11-05 10:38:02 -08:00
Caleb Doxsey
075ea01b0a
core/config: allow websockets and spdy by default for k8s urls ( #5325 )
2024-10-10 17:55:34 -06:00
Kenneth Jenkins
498c3aa108
config: add support for TCP proxy chaining ( #5053 )
Add a distinction between TCP routes depending on whether the To URL(s)
have the scheme tcp://. For routes with a TCP upstream, configure Envoy
to terminate CONNECT requests and open a TCP tunnel to the upstream
service (this is the current behavior). For routes without a TCP
upstream, configure Envoy to proxy CONNECT requests to the upstream.
This new mode can allow an upstream proxy server to terminate a CONNECT
request and open its own TCP tunnel to the final destination server.
(Note that this will typically require setting the preserve_host_header
option as well.)
Note that this requires Envoy 1.30 or later.
2024-04-24 16:35:18 -07:00
Caleb Doxsey
513d8bf615
core/config: implement direct response ( #4960 )
* implement direct response
* proto
* fix tests
* update
2024-02-15 14:33:56 -07:00
Caleb Doxsey
55eb2fa3dc
core/authorize: result denied improvements ( #4952 )
* core/authorize: result denied improvements
* add authenticate robots.txt
* fix tests
2024-02-01 16:16:33 -07:00
Caleb Doxsey
3bdbd56222
core/config: add pass_identity_headers option ( #4720 )
* core/config: add pass_identity_headers option
* add to proto
* remove deprecated field
2023-11-08 13:07:37 -07:00
Caleb Doxsey
5be322e2ef
config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers ( #4219 )
* config: add support for $pomerium.id_token and $pomerium.access_token in set_request_headers
* lint
* Update authorize/evaluator/headers_evaluator_test.go
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
* fix spelling
---------
Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2023-06-01 16:00:02 -06:00
Caleb Doxsey
a741cce50e
config: simplify default set response headers ( #4196 )
2023-05-30 17:44:06 -06:00
Caleb Doxsey
d315e68335
Merge pull request from GHSA-pvrc-wvj2-f59p
* authorize: use route id from envoy for policy evaluation
* authorize: normalize URL query params
* config: enable envoy normalize_path option
* fix tests
---------
Co-authored-by: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
2023-05-26 13:34:21 -07:00
Caleb Doxsey
e3b2b3994c
improve certificate matching performance ( #4186 )
2023-05-23 07:39:02 -06:00
Caleb Doxsey
18bc86d632
config: add support for wildcard from addresses ( #4131 )
* config: add support for wildcards
* update policy matching, header generation
* remove deprecated field
* fix test
2023-04-25 13:34:38 -06:00
Caleb Doxsey
bbed421cd8
config: remove source, remove deadcode, fix linting issues ( #4118 )
* remove source, remove deadcode, fix linting issues
* use github action for lint
* fix missing envoy
2023-04-21 17:25:11 -06:00
Caleb Doxsey
681cf6fa27
config: fix set_response_headers ( #4026 )
* config: fix set_response_headers
* fix disabling to support route headers when global headers are disabled
2023-04-20 17:07:23 -06:00
Caleb Doxsey
76a7ce3a6f
authorize: allow access to /.pomerium/webauthn when policy denies access ( #4015 )
2023-02-27 09:49:06 -07:00
Caleb Doxsey
c86ca6f76f
webauthn: require session when accessing /.pomerium/webauthn ( #3814 )
* webauthn: require session when accessing /.pomerium/webauthn
* remove dead code
* remove unused PomeriumDomains field
2022-12-16 10:59:21 -07:00
Denis Mishin
fa0ba60aee
bump envoy to v1.24.0 ( #3767 )
2022-11-28 09:32:31 -07:00
Caleb Doxsey
fa26587f19
remove forward auth ( #3628 )
2022-11-23 15:59:28 -07:00
Caleb Doxsey
b435f73e2b
authenticate: fix debug and metrics endpoints ( #3212 )
2022-03-30 09:37:37 -06:00
Caleb Doxsey
c97dcf7e0f
envoy: add hash policy and routing key for hash-based load balancers ( #2791 )
* envoy: add hash policy and routing key for hash-based load balancers
* fix integration test
* fix nginx
2021-12-01 13:42:12 -07:00
Caleb Doxsey
a5034aabae
authenticate: redirect / to /.pomerium/ ( #2770 )
2021-11-18 08:49:23 -07:00
wasaga
3073146ff2
fix: timeout field in protobuf, add websocket tests
2021-07-07 12:06:56 -04:00
wasaga
134ca74ec9
proxy: add idle timeout ( #2319 )
2021-07-02 10:29:53 -04:00
Caleb Doxsey
2156dbc553
envoy: always set jwt claim headers even if no value is available ( #2261 )
* envoy: always set jwt claim headers even if no value is available
* add test
2021-06-04 10:01:00 -07:00
Caleb Doxsey
1dcccf2b56
envoy: refactor controlplane xds to new envoyconfig package ( #2086 )
2021-04-13 13:51:44 -06:00