Docs right arrow Edge Stack2.2External Filter

5 min • read

External Filter

The External Filter calls out to an external service speaking the ext_authz protocol, providing a highly flexible interface to plug in your own authentication, authorization, and filtering logic.

Example

The External spec is identical to the AuthService spec, with the following exceptions:

In an AuthService, the tls field must be a string referring to a TLSContext. In an External Filter, it may only be a Boolean; referring to a TLSContext is not supported.
In an AuthService, the default value of the add_linkerd_headers field is based on the ambassadorModule. In an External Filter, the default value is always false.
External Filters lack the stats_name, protocol_version, and add_auth_headers fields that AuthServices have.

Fields

auth_service is the only required field, all others are optional.

Attribute	Default value	Description
`auth_service`	(none; a value is required)	Identifies the external auth service to talk to. The format of this field is `scheme://host:port` where `scheme://` and `:port` are optional. The scheme-part, if present, must be either `http://` or `https://`; if the scheme-part is not present, it behaves as if `http://` is given. The scheme-part influences the default value of the `tls` field and the default value of the port-part. The host-part must be the namespace-qualified DNS name of the service you want to use for authentication.
`tls`	`true` if `auth_service` starts with "https://"	Controls whether to use TLS or cleartext when speaking to the external auth service. The default is based on the scheme-part of the `auth_service`.
`proto`	`http`	Specifies which variant of the `ext_authz` protocol to use when communicating with the external auth service. Valid options are `http` or `grpc`.
`timeout_ms`	`5000`	The total maximum duration in milliseconds for the request to the external auth service, before triggering `status_on_error` or `failure_mode_allow`.
`include_body`	`null`	Controls how much to buffer the request body to pass to the external auth service, for use cases such as computing an HMAC or request signature. If `include_body` is `null` or unset, then the request body is not buffered at all, and an empty body is passed to the external auth service. If `include_body` is not `null`, the `max_bytes` and `allow_partial` subfields are required. Unfortunately, in order for `include_body` to function properly, the `AuthService` in `aes.yaml` must be edited to have `include_body` set with `max_bytes` greater than the largest `max_bytes` used by any `External` `Filter` (so if an `External` `Filter` has `max_bytes: 4096`, then the `AuthService` will need `max_bytes: 4097`), and `allow_partial: true`.
`include_body.max_bytes`	(none; a value is required if `include_body` is not `null`)	Controls the amount of body data that is passed to the external auth service.
`include_body.allow_partial`	(none; a value is required if `include_body` is not `null`)	Controls what happens to requests with bodies larger than `max_bytes`. If `allow_partial` is `true`, the first `max_bytes` of the body are sent to the external auth service. If `false`, the message is rejected with HTTP 413 ("Payload Too Large").
`status_on_error.code`	`403`	Controls the status code returned when unable to communicate with external auth service. This is ignored if `failure_mode_allow: true`.
`failure_mode_allow`	`false`	Controls whether to allow or reject requests when there is an error communicating with the external auth service; a value of `true` allows the request through to the upstream backend service, a value of `false` returns a `status_on_error.code` response to the client.

The following fields are only used if proto is set to http. They are ignored if proto is grpc.

Attribute	Default value	Description
`path_prefix`	`""`	Prepends a string to the request path of the request when sending it to the external auth service. By default this is empty, and nothing is prepended. For example, if the client makes a request to `/foo`, and `path_prefix: /bar`, then the path in the request made to the external auth service will be `/foo/bar`.
`allowed_request_headers`	`[]`	Lists the headers (case-insensitive) that are copied from the incoming request to the request made to the external auth service. In addition to the headers listed in this field, the following headers are always included: `Authorization`, `Cookie`, `From`, `Proxy-Authorization`, `User-Agent`, `X-Forwarded-For`, `X-Forwarded-Host`, and `X-Forwarded-Proto`.
`allowed_authorization_headers`	`[]`	Lists the headers (case-insensitive) that are copied from the response from the external auth service to the request sent to the upstream backend service (if the external auth service indicates that the request to the upstream backend service should be allowed). In addition to the headers listed in this field, the following headers are always included: `Authorization`, `Location`, `Proxy-Authenticate`, `Set-cookie`, `WWW-Authenticate`
`add_linkerd_headers`	`false`	When true, in the request to the external auth service, adds an `l5d-dst-override` HTTP header that is set to the hostname and port number of the external auth service.

ON THIS PAGE

Example
Fields

.css-1e2dcm1{z-index:1500;pointer-events:none;}.css-okvapm{z-index:1500;pointer-events:none;}External Filter

.css-1e2dcm1{z-index:1500;pointer-events:none;}.css-okvapm{z-index:1500;pointer-events:none;}Example

.css-1e2dcm1{z-index:1500;pointer-events:none;}.css-okvapm{z-index:1500;pointer-events:none;}Fields

External Filter

Example

Fields