antonengelhardt/basic-auth-plugin
A plugin for Envoy, written in Rust, that implements basic authentication and stores it in an encrypted cookie to persist across browser sessions.
basic-auth-plugin
A proxy-wasm plugin for Envoy that implements basic authentication. Allowed users can pass through and access the service. The authorization is stored in an encrypted cookie which makes it persistent across sessions.
Install
Install Toolchain for WASM in Rust
For development, the Rust toolchain has to be installed and the WASM target has to be enabled. On Ubuntu, for example, this can be achieved with:
```sh
# Install build essentials
apt install build-essential
# Install Rustup
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Enable WASM compilation target
rustup target add wasm32-wasip1
```
Run
Shortcut (make sure to have make installed):
```sh
make run
```
Detailed variant
- Building the plugin:
```sh
cargo build --target wasm32-wasip1 --release
# or
make build
```
- Testing locally with Envoy (docker and docker-compose are needed):
```sh
docker compose up
```
- Requests to the locally running envoy with the plugin enabled:
```sh
curl localhost:10000
```
Configuration
The plugin is configured via the envoy.yaml file. The following configuration options are required:
| Name | Type | Description | Example | Required |
|---|---|---|---|---|
| `allowed_users` | Object | A list of allowed username/password combinations. | See below | ✅ |
| `cookie_name` | String | Name of the Session and Nonce cookie. | `basic-auth-session` | ✅ |
| `cookie_duration` | u64 | A number of seconds that the cookie should live for. | `86400` | ✅ |
| `aes_key` | String | A base64-encoded AES-Key of 32 bits, generate with `openssl rand -base64 32` | `g00nv8nuZfNrqc99OKUOqCCatepmscgSeX70nYq4Xdo=` | ✅ |
The allowed_users key expects a list of username/password combinations, like so:
```yaml
allowed_users:
  - username: user1
    password: password123
```
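The `aes_key` row pairs "32 bits" with `openssl rand -base64 32`, which emits 32 random bytes (44 base64 characters, the size of an AES-256 key), so a pre-deployment check can confirm that a candidate key decodes to 32 bytes and is not the sample value published in the table. The following is an added example, not code from the plugin; `b64_decode` and `check_aes_key` are hypothetical helpers, and the 32-byte requirement is an assumption taken from that command and the sample key's length.

```rust
// Added example, not part of the plugin. Helper names are hypothetical.
/// The example key printed in the README's configuration table.
const README_SAMPLE_KEY: &str = "g00nv8nuZfNrqc99OKUOqCCatepmscgSeX70nYq4Xdo=";

/// Decode standard padded base64 (RFC 4648); `None` on malformed input.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let bytes = s.as_bytes();
    if bytes.is_empty() || bytes.len() % 4 != 0 {
        return None;
    }
    let pad = bytes.iter().rev().take_while(|&&b| b == b'=').count();
    if pad > 2 {
        return None;
    }
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for &b in &bytes[..bytes.len() - pad] {
        // '=' or any other character outside the alphabet aborts decoding.
        let v = ALPHABET.iter().position(|&a| a == b)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

/// Assumption: the plugin wants 32 key bytes (AES-256), as `openssl rand -base64 32` produces.
fn check_aes_key(key: &str) -> Result<(), String> {
    if key == README_SAMPLE_KEY {
        return Err("key is the published README sample".to_string());
    }
    match b64_decode(key) {
        None => Err("not valid padded base64".to_string()),
        Some(k) if k.len() != 32 => Err(format!("decodes to {} bytes, expected 32", k.len())),
        Some(_) => Ok(()),
    }
}

fn main() {
    // Constructed inputs: a 32-byte placeholder (not a usable key), a 4-byte value, the sample.
    let placeholder = format!("{}=", "A".repeat(43));
    for key in [placeholder.as_str(), "AAAAAA==", README_SAMPLE_KEY] {
        println!("{}: {:?}", key, check_aes_key(key));
    }
}
```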
Apache License 2.0
Created November 16, 2024
Updated January 8, 2025