HTTP Filters

HTTP filters run inside the HTTP connection manager and operate on individual requests and responses. They are where authentication, CORS and CSRF handling, rate limiting, caching and compression are applied before the router filter, which is always last in the chain, forwards the request upstream.

CORS Filter

The CORS filter answers preflight (OPTIONS) requests and adds Access-Control-* headers to responses whose Origin matches the policy. The filter entry in http_filters only enables it: the Cors message has no fields, and the policy itself (CorsPolicy) is attached to virtual hosts or routes through typed_per_filter_config. allow_origin_string_match uses ordinary string matchers, which has two consequences worth knowing: prefix: "*" is a literal asterisk and matches no real origin, and a prefix such as "https://api.example.com" also matches "https://api.example.com.attacker.invalid", so prefer exact matchers or an anchored safe_regex. Because the filter echoes the matched Origin back in Access-Control-Allow-Origin, a match-everything matcher combined with allow_credentials: true lets any website make credentialed cross-origin requests.

Basic configuration

http_filters:
- name: envoy.filters.http.cors
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors

route_config:
  virtual_hosts:
  - name: api
    domains: ["*"]
    typed_per_filter_config:
      envoy.filters.http.cors:
        "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
        allow_origin_string_match:
        - safe_regex:
            regex: ".*"
        allow_methods: "GET, POST, PUT, DELETE, OPTIONS"
        allow_headers: "content-type, authorization"
        expose_headers: "x-custom-header"
        allow_credentials: false   # never true together with a match-everything origin
        max_age: "86400"

Advanced CORS configuration

typed_per_filter_config:
  envoy.filters.http.cors:
    "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
    allow_origin_string_match:
    - exact: "https://example.com"
    - exact: "https://api.example.com"
    - safe_regex:
        regex: "^https://.*\\.example\\.com$"
    allow_methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
    allow_headers: "content-type, authorization, x-requested-with"
    expose_headers: "x-custom-header, x-total-count"
    allow_credentials: true
    max_age: "86400"
    allow_private_network_access: true

allow_private_network_access: true makes the filter answer Access-Control-Request-Private-Network preflights affirmatively. Enable it only where a page from a public origin is meant to reach this service inside a private network: that check is exactly the barrier that stops internet sites from probing intranet services through a visitor's browser.

CSRF Filter

For POST, PUT, DELETE and PATCH requests the CSRF filter compares the source origin (the Origin header, falling back to the origin part of Referer) with the target origin (scheme plus :authority) and rejects mismatches with 403 unless the source matches additional_origins. It does not inspect GET, and a modifying request that carries neither Origin nor Referer is also rejected, so non-browser API clients must send an Origin header or be routed past the filter. shadow_enabled evaluates the policy and records statistics without blocking; filter_enabled is what actually enforces.

Basic configuration

http_filters:
- name: envoy.filters.http.csrf
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.csrf.v3.CsrfPolicy
    filter_enabled:
      default_value:
        numerator: 100
        denominator: HUNDRED
    shadow_enabled:
      default_value:
        numerator: 0
        denominator: HUNDRED
    additional_origins:
    - exact: "https://trusted-site.com"
    - prefix: "https://trusted-api.com"
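The following Python model is added here as an illustration of the two decisions just described; it is not code from this page or from Envoy. It reproduces which Origin values a CorsPolicy's string matchers accept (and what that means once allow_credentials is set) and which modifying requests the CSRF filter lets through. Policies are plain dicts using the filters' field names, the origins and policies are constructed for the example, and while the matcher semantics follow Envoy's StringMatcher (safe_regex is a full match), the rest is a simplification of the filters, not their source.

```python
import re
from urllib.parse import urlsplit

# Simplified model of the decisions Envoy's CORS and CSRF filters make, written
# for this example (not Envoy code). Policies are plain dicts with the same
# field names as the filter configs; origins are what a browser puts in the
# Origin header (scheme://host[:port], no path).


def string_match(matcher, value):
    """Model of type.matcher.v3.StringMatcher. safe_regex is a full match, as in RE2."""
    if "exact" in matcher:
        return value == matcher["exact"]
    if "prefix" in matcher:
        return value.startswith(matcher["prefix"])
    if "suffix" in matcher:
        return value.endswith(matcher["suffix"])
    if "safe_regex" in matcher:
        return re.fullmatch(matcher["safe_regex"]["regex"], value) is not None
    raise ValueError(f"unsupported matcher: {matcher!r}")


def origin_allowed(policy, origin):
    return any(string_match(m, origin) for m in policy["allow_origin_string_match"])


def cors_preflight(policy, origin):
    """Headers the CORS filter adds to the reply to an OPTIONS preflight from `origin`;
    an origin that matches nothing gets no CORS headers at all."""
    if not origin_allowed(policy, origin):
        return {}
    headers = {
        "access-control-allow-origin": origin,  # the filter echoes the matched origin
        "access-control-allow-methods": policy["allow_methods"],
    }
    if policy.get("allow_credentials"):
        headers["access-control-allow-credentials"] = "true"
    return headers


def audit_cors(policy):
    """Probe the policy with attacker-style origins and report what it lets through."""
    findings = []
    if policy.get("allow_credentials") and origin_allowed(policy, "https://attacker.invalid"):
        findings.append("allow_credentials with an origin matcher that accepts any origin")
    for m in policy["allow_origin_string_match"]:
        if "prefix" in m:
            probe = m["prefix"] + ".attacker.invalid"  # a prefix is not a host boundary
            if origin_allowed(policy, probe):
                findings.append(f"prefix {m['prefix']!r} also matches {probe!r}")
    return findings


# CSRF filter model -----------------------------------------------------------
MODIFY_METHODS = {"POST", "PUT", "DELETE", "PATCH"}  # the only methods the filter inspects


def _origin_of(url):
    """scheme://host[:port] of a URL, or '' when there is none to extract."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def csrf_check(policy, method, headers):
    """True if the CSRF filter lets the request through. Source origin comes from
    Origin, else from Referer; it must equal the target (scheme + :authority) or
    match additional_origins. A modifying request with neither header is rejected."""
    if method not in MODIFY_METHODS:
        return True
    source = _origin_of(headers.get("origin", "")) or _origin_of(headers.get("referer", ""))
    if not source:
        return False
    target = f"{headers[':scheme']}://{headers[':authority']}"
    return source == target or any(
        string_match(m, source) for m in policy.get("additional_origins", []))


# Constructed policies: the prefix-"*" mistake, an any-origin-with-credentials
# policy, and a strict one using exact + anchored regex matchers.
WILDCARD_PREFIX = {"allow_origin_string_match": [{"prefix": "*"}],
                   "allow_methods": "GET, POST", "allow_credentials": True}
ANY_ORIGIN_WITH_CREDENTIALS = {"allow_origin_string_match": [{"safe_regex": {"regex": ".*"}}],
                               "allow_methods": "GET, POST", "allow_credentials": True}
STRICT = {"allow_origin_string_match": [{"exact": "https://example.com"},
                                        {"safe_regex": {"regex": r"https://.*\.example\.com"}}],
          "allow_methods": "GET, POST", "allow_credentials": True}
CSRF_POLICY = {"additional_origins": [{"exact": "https://trusted-site.com"}]}

if __name__ == "__main__":
    print("prefix '*' vs https://example.com:", cors_preflight(WILDCARD_PREFIX, "https://example.com"))
    print("any origin + credentials:", audit_cors(ANY_ORIGIN_WITH_CREDENTIALS))
    print("curl POST without Origin allowed?",
          csrf_check(CSRF_POLICY, "POST", {":scheme": "https", ":authority": "api.example.com"}))
```

Running it shows that the prefix "*" policy returns no CORS headers even for the site's own origin, that the any-origin policy hands credentials to https://attacker.invalid, and that a POST without Origin or Referer is rejected by the CSRF model, which is the behaviour that surprises teams who front curl-based integrations with the filter.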

Health Check Filter

The filter intercepts requests that match all of the configured headers and answers them itself instead of forwarding to the upstream (pass_through_mode: false). Expose the endpoint only to the probes that need it: anyone who can reach /health learns the health state of the cluster, and in non-pass-through mode can hit it without ever touching the upstream.

Basic configuration

http_filters:
- name: envoy.filters.http.health_check
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
    pass_through_mode: false
    headers:
    - name: ":path"
      string_match:
        exact: "/health"
    - name: "x-health-check"
      string_match:
        exact: "1"

Advanced health check

With cluster_min_healthy_percentages the filter returns 200 only while at least the given percentage of hosts in each listed cluster is healthy, and 503 otherwise, which lets an upstream load balancer take this Envoy out of rotation when its backends are degraded. HealthCheck has no headers_to_add field; response headers are added through the route or the connection manager's response_headers_to_add.

- name: envoy.filters.http.health_check
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
    pass_through_mode: false
    headers:
    - name: ":path"
      string_match:
        exact: "/health"
    - name: "x-health-check"
      string_match:
        exact: "1"
    cluster_min_healthy_percentages:
      service_cluster:
        value: 75.0

JWT Authentication Filter

The filter extracts a JWT from the configured location, verifies its signature against the provider's key set, and checks iss, aud and exp (with a default clock skew of 60 seconds). Always set audiences: a provider with an empty audience list accepts any token signed by that issuer, including tokens minted for a different service.

Basic configuration

http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_provider:
        issuer: "https://example.com"
        audiences:
        - "api.example.com"
        forward_payload_header: "x-jwt-payload"
        from_headers:
        - name: "Authorization"
          value_prefix: "Bearer "
        remote_jwks:
          http_uri:
            uri: "https://example.com/.well-known/jwks.json"
            cluster: "jwks_cluster"
            timeout: 1s          # HttpUri requires a timeout
          cache_duration: 300s   # re-fetch the key set every five minutes
        forward: true
    rules:
    - match:
        prefix: "/api"
      requires:
        provider_name: "example_provider"

forward_payload_header passes the verified payload to the upstream in x-jwt-payload. The upstream should trust that header only on routes where a requirement is enforced; on a route that allows a missing token a client can supply the header itself.

JWT validation rules

Rules are evaluated in order and the first whose match applies decides the requirement; a path that matches no rule has no JWT requirement at all, so add a catch-all rule when everything else must be authenticated. allow_missing_or_failed is an empty message ({}), not a boolean. The admin_provider referenced below must be defined under providers and must read its token from a different location than example_provider: one Authorization header carries one token with one issuer, so requires_all over two providers that share it can never be satisfied.

rules:
- match:
    prefix: "/public"
  requires:
    allow_missing_or_failed: {}
- match:
    prefix: "/api"
  requires:
    provider_name: "example_provider"
- match:
    prefix: "/admin"
  requires:
    requires_all:
      requirements:
      - provider_name: "example_provider"
      - provider_name: "admin_provider"   # must use its own from_headers location
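The rule evaluation above, as an added Python model (not code from this page or from Envoy): it performs the signature, iss, aud, exp and nbf checks per provider, extracts tokens from each provider's from_headers location, and evaluates provider_name, requires_all, requires_any and allow_missing_or_failed requirements against the first matching rule. HS256 with a per-provider shared secret (the constructed `secret` field) stands in for the RS256 keys Envoy fetches from remote_jwks; the admin provider is assumed to read the x-admin-jwt header, and all tokens and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Model of jwt_authn rule evaluation, written for this example (not Envoy code).
# HS256 with a per-provider shared secret stands in for the asymmetric keys Envoy
# fetches from remote_jwks; the claim and rule checks are the part being shown.


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims, secret):
    """Mint an HS256 token; used only to build constructed test tokens."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def verify_jwt(token, provider, now, skew=60):
    """Claims if `token` is valid for `provider`, else None. The checks mirror the
    filter's: signature, iss, aud (when the provider lists audiences), exp/nbf with skew."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64url(head)), json.loads(_unb64url(body))
        signature = _unb64url(sig)
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # reject 'none' and any algorithm the provider does not use
        return None
    expected = hmac.new(provider["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != provider["issuer"]:
        return None
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if provider.get("audiences") and not set(aud) & set(provider["audiences"]):
        return None
    if "exp" in claims and claims["exp"] + skew < now:
        return None
    if "nbf" in claims and claims["nbf"] - skew > now:
        return None
    return claims


def extract_token(headers, provider):
    """Token from the provider's from_headers location (header names are lower-cased)."""
    loc = provider["from_headers"]
    value = headers.get(loc["name"].lower())
    prefix = loc.get("value_prefix", "")
    if value is None or not value.startswith(prefix):
        return None
    return value[len(prefix):]


def requirement_met(req, providers, headers, now):
    if "allow_missing_or_failed" in req:
        return True
    if "provider_name" in req:
        prov = providers[req["provider_name"]]
        token = extract_token(headers, prov)
        return token is not None and verify_jwt(token, prov, now) is not None
    if "requires_all" in req:
        return all(requirement_met(r, providers, headers, now) for r in req["requires_all"]["requirements"])
    if "requires_any" in req:
        return any(requirement_met(r, providers, headers, now) for r in req["requires_any"]["requirements"])
    raise ValueError(f"unsupported requirement: {req!r}")


def authorize(config, path, headers, now=None):
    """First rule whose prefix matches the path decides; a path no rule matches has no requirement."""
    now = int(time.time()) if now is None else now
    for rule in config["rules"]:
        if path.startswith(rule["match"]["prefix"]):
            return requirement_met(rule["requires"], config["providers"], headers, now)
    return True


# Constructed configuration. The admin provider reads a different header: a single
# Authorization header holds one token with one issuer, so requires_all over two
# providers sharing that header could never be satisfied.
SECRETS = {"example": b"example-provider-signing-key", "admin": b"admin-provider-signing-key"}
CONFIG = {
    "providers": {
        "example_provider": {"issuer": "https://example.com", "audiences": ["api.example.com"],
                             "from_headers": {"name": "Authorization", "value_prefix": "Bearer "},
                             "secret": SECRETS["example"]},
        "admin_provider": {"issuer": "https://admin.example.com", "audiences": ["api.example.com"],
                           "from_headers": {"name": "x-admin-jwt"},
                           "secret": SECRETS["admin"]},
    },
    "rules": [
        {"match": {"prefix": "/public"}, "requires": {"allow_missing_or_failed": {}}},
        {"match": {"prefix": "/admin"}, "requires": {"requires_all": {"requirements": [
            {"provider_name": "example_provider"}, {"provider_name": "admin_provider"}]}}},
        {"match": {"prefix": "/api"}, "requires": {"provider_name": "example_provider"}},
    ],
}

if __name__ == "__main__":
    now = int(time.time())
    user = make_jwt({"iss": "https://example.com", "aud": "api.example.com", "exp": now + 300}, SECRETS["example"])
    print("/api with user token:", authorize(CONFIG, "/api/items", {"authorization": "Bearer " + user}, now))
    print("/admin with user token only:", authorize(CONFIG, "/admin/users", {"authorization": "Bearer " + user}, now))
```

Note the last line of the demonstration: a valid user token alone never satisfies the /admin rule, and a path such as /healthz that matches no rule is let through without any check, which is why a catch-all rule matters.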

External Authorization Filter

ext_authz sends each request (its headers and, optionally, part of its body) to an authorization service and forwards it upstream only on an OK response. failure_mode_allow: false fails closed when the service is unreachable or times out, which is the right default for an authorization decision; with_request_body buffers up to max_request_bytes, and allow_partial_message: true sends a larger body truncated instead of rejecting it with 413.

Basic configuration

http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    grpc_service:
      envoy_grpc:
        cluster_name: ext_authz
      timeout: 0.5s
    failure_mode_allow: false
    with_request_body:
      max_request_bytes: 8192
      allow_partial_message: true

HTTP external authorization

With http_service, Host, Method, Path, Content-Length and Authorization are sent to the authorization server automatically; other request headers cross that hop only when allowed_headers matches them, so the exact: "authorization" entry below is redundant and a cookie-based scheme would need its own entry. Headers listed in allowed_upstream_headers are copied from the authorization response onto the request and overwrite the client's copy, but a header the server does not set in its response is left exactly as the client sent it.

- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    http_service:
      server_uri:
        uri: "http://auth-service:8080/auth"
        cluster: "auth_service"
        timeout: 0.5s
      authorization_request:
        allowed_headers:
          patterns:
          - exact: "authorization"
          - exact: "x-custom-header"
      authorization_response:
        allowed_upstream_headers:
          patterns:
          - exact: "x-user-id"
          - exact: "x-role"
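The header flow of the http_service configuration above, as an added Python model (not code from this page or from Envoy). The authorization server is a stub with a constructed token table in which an ordinary user's response carries only x-user-id, so a client-supplied x-role: admin header survives into the upstream request; the `strip_identity_headers` option models removing client copies of the trusted headers before the check, which in Envoy can be done with a header_mutation filter placed before ext_authz, or avoided by having the authorization server always set every trusted header.

```python
# Model of the http_service ext_authz exchange, written for this example (not
# Envoy code). The authorization server is a stub with a constructed token table;
# the point is which headers cross each hop.

ALLOWED_REQUEST_HEADERS = [{"exact": "authorization"}, {"exact": "x-custom-header"}]
ALLOWED_UPSTREAM_HEADERS = [{"exact": "x-user-id"}, {"exact": "x-role"}]
# Sent to the authorization server regardless of allowed_headers.
ALWAYS_FORWARDED = {":method", ":path", ":authority", "content-length"}

# Constructed identity table for the stub server. The ordinary user gets only
# x-user-id; the server does not emit x-role for them.
IDENTITIES = {
    "tok-alice": {"x-user-id": "alice"},
    "tok-root": {"x-user-id": "root", "x-role": "admin"},
}


def _matches(patterns, name):
    return any((name == p["exact"]) if "exact" in p else name.startswith(p["prefix"])
               for p in patterns)


def build_check_request(request_headers):
    """Headers Envoy forwards to the authorization server: the always-forwarded set
    plus whatever authorization_request.allowed_headers matches. Cookies, for
    instance, do not cross this hop unless listed."""
    return {k: v for k, v in request_headers.items()
            if k in ALWAYS_FORWARDED or _matches(ALLOWED_REQUEST_HEADERS, k)}


def authz_server(check_headers):
    """Stub external authorization service: (status, response_headers)."""
    auth = check_headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    identity = IDENTITIES.get(token)
    return (200, dict(identity)) if identity else (403, {})


def apply_ext_authz(request_headers, strip_identity_headers=False):
    """(status, headers the upstream receives). A response header matching
    allowed_upstream_headers overwrites the client's copy; a header the server
    did not send is left exactly as the client supplied it."""
    headers = dict(request_headers)
    if strip_identity_headers:
        # Hardening: drop client-supplied copies of the trusted identity headers
        # before the check (a header_mutation filter ahead of ext_authz in Envoy).
        headers = {k: v for k, v in headers.items()
                   if not _matches(ALLOWED_UPSTREAM_HEADERS, k)}
    status, response_headers = authz_server(build_check_request(headers))
    if status != 200:
        return 403, {}
    for name, value in response_headers.items():
        if _matches(ALLOWED_UPSTREAM_HEADERS, name):
            headers[name] = value
    return 200, headers


if __name__ == "__main__":
    spoof = {":method": "GET", ":path": "/admin", ":authority": "api.example.com",
             "authorization": "Bearer tok-alice", "x-role": "admin"}
    print("without stripping, upstream sees x-role =", apply_ext_authz(spoof)[1].get("x-role"))
    print("with stripping,    upstream sees x-role =",
          apply_ext_authz(spoof, strip_identity_headers=True)[1].get("x-role"))
```

The first printed line is the bug: alice reaches the upstream as an admin because nothing ever overwrote her forged header. The same reasoning applies to any header an upstream trusts as the output of a filter; either the filter must always set it, or the client's copy must be removed before the filter runs.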

Rate Limiting Filters

Local rate limiting

The local rate limiter is a token bucket held in each Envoy process: the bucket starts with max_tokens, every request takes one, and tokens_per_fill tokens are added each fill_interval, capped at max_tokens. The configuration below therefore admits a burst of 10000 requests and then a sustained 1000 requests per second, per Envoy instance. Both filter_enabled and filter_enforced default to 0%: without them the filter neither evaluates nor blocks anything, and with filter_enabled at 100% but filter_enforced at 0% it only counts what it would have rejected.

http_filters:
- name: envoy.filters.http.local_ratelimit
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
    stat_prefix: http_local_rate_limiter
    token_bucket:
      max_tokens: 10000
      tokens_per_fill: 1000
      fill_interval: 1s
    filter_enabled:
      default_value:
        numerator: 100
        denominator: HUNDRED
    filter_enforced:
      default_value:
        numerator: 100
        denominator: HUNDRED
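The bucket arithmetic above, as an added Python model (not code from this page or from Envoy). Time is passed in explicitly so the refills can be traced; the `enforced` flag models filter_enforced at 100% versus the 0% default, and the bucket sizes are constructed for the example.

```python
# Model of the local_ratelimit token bucket, written for this example (not Envoy
# code). The clock is passed in explicitly so the arithmetic can be traced.


class LocalRateLimit:
    def __init__(self, max_tokens, tokens_per_fill, fill_interval, enforced=True):
        self.max_tokens = max_tokens
        self.tokens_per_fill = tokens_per_fill
        self.fill_interval = fill_interval      # seconds
        self.enforced = enforced                # filter_enforced 100%; False models the 0% default
        self.tokens = max_tokens                # the bucket starts full
        self.last_fill = 0.0
        self.over_limit = 0                     # requests over the limit, enforced or not

    def _refill(self, now):
        fills = int((now - self.last_fill) // self.fill_interval)
        if fills > 0:
            self.tokens = min(self.max_tokens, self.tokens + fills * self.tokens_per_fill)
            self.last_fill += fills * self.fill_interval

    def admit(self, now):
        """HTTP status the filter would return for one request arriving at `now`."""
        self._refill(now)
        if self.tokens > 0:
            self.tokens -= 1
            return 200
        self.over_limit += 1
        return 429 if self.enforced else 200

    def sustained_rps(self):
        return self.tokens_per_fill / self.fill_interval


def statuses(max_tokens, tokens_per_fill, fill_interval, arrivals, enforced=True):
    """Statuses for a list of arrival times (seconds), e.g. a burst then a trickle."""
    bucket = LocalRateLimit(max_tokens, tokens_per_fill, fill_interval, enforced)
    return [bucket.admit(t) for t in arrivals]


if __name__ == "__main__":
    page = LocalRateLimit(10000, 1000, 1.0)   # the bucket from the configuration
    burst = [page.admit(0.0) for _ in range(10001)]
    print("burst admitted:", burst.count(200), "rejected:", burst.count(429))
    print("sustained rps:", page.sustained_rps())
    print("without filter_enforced:", statuses(2, 1, 1.0, [0, 0, 0], enforced=False))
```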

Global rate limiting

The global filter sends descriptors built from the virtual host's or route's rate_limits actions to an external rate limit service; without such actions nothing is ever sent. failure_mode_deny defaults to false, so an unreachable rate limit service fails open. Set it to true where the limit is a security control (login or password-reset endpoints) rather than a capacity safeguard.

http_filters:
- name: envoy.filters.http.ratelimit
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
    domain: some_domain
    enable_x_ratelimit_headers: DRAFT_VERSION_03
    rate_limit_service:
      transport_api_version: V3
      grpc_service:
        envoy_grpc:
          cluster_name: rate-limit-cluster

Cache Filter

The cache filter stores responses the upstream marks cacheable (Cache-Control directives per RFC 7234) and serves them to later requests with the same cache key. allowed_vary_headers lists which header names a Vary header may reference; a response that varies on a header not on this list is not cached. Be deliberate here: the prefix: "x-" entry lets any x- header partition the cache, and an upstream that emits per-user responses without Cache-Control: private or no-store will have them served to other users.

Basic cache configuration

http_filters:
- name: envoy.filters.http.cache
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.cache.v3.CacheConfig
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.cache.simple_http_cache.v3.SimpleHttpCacheConfig
    allowed_vary_headers:
    - exact: "accept"
    - exact: "accept-encoding"
    - prefix: "x-"

Compression Filter

Gzip compression

The compressor filter is generic: response_direction_config decides what gets compressed (minimum length, content types, ETag handling) and compressor_library selects the codec, so the gzip tuning parameters (window_bits, memory_level, compression_level, compression_strategy) belong inside the gzip library's typed_config rather than at the top level of the filter. Compression over TLS also reintroduces the BREACH class of attacks: a response that contains both a secret (a CSRF or session token) and attacker-reflected input leaks the secret through its compressed size. Restrict content_type to content that carries no per-user secrets, or mask such tokens per response.

http_filters:
- name: envoy.filters.http.compressor
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.compressor.v3.Compressor
    response_direction_config:
      common_config:
        min_content_length: 100
        content_type:
        - "text/html"
        - "text/css"
        - "application/javascript"
        - "application/json"
      disable_on_etag_header: true
      remove_accept_encoding_header: false
    compressor_library:
      name: gzip
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.compression.gzip.compressor.v3.Gzip
        window_bits: 15
        memory_level: 9
        compression_level: COMPRESSION_LEVEL_6
        compression_strategy: DEFAULT_STRATEGY

Filter Chain Configuration

Combining filters

Filters run in the order they are listed, and the router filter must be last. Each filter entry must be complete on its own: a JWT provider without audiences, a rate limiter without filter_enabled and filter_enforced, or a CORS filter whose policy is never attached to a route is silently inert or over-permissive.

http_filters:
- name: envoy.filters.http.cors
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
  # CorsPolicy (allowed origins etc.) is attached to routes via typed_per_filter_config.
- name: envoy.filters.http.local_ratelimit
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit
    stat_prefix: http_local_rate_limiter
    token_bucket:
      max_tokens: 1000
      tokens_per_fill: 100
      fill_interval: 1s
    filter_enabled:          # both default to 0%: without these the limiter does nothing
      default_value:
        numerator: 100
        denominator: HUNDRED
    filter_enforced:
      default_value:
        numerator: 100
        denominator: HUNDRED
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_provider:
        issuer: "https://example.com"
        audiences:
        - "api.example.com"
        remote_jwks:
          http_uri:
            uri: "https://example.com/.well-known/jwks.json"
            cluster: "jwks_cluster"
            timeout: 1s
          cache_duration: 300s
    rules:
    - match:
        prefix: "/"
      requires:
        provider_name: "example_provider"
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

Best Practices

1. Filter order

  • The router filter is always last; every other filter runs before it, in the order listed.
  • Put CORS first so that preflight requests are answered before an authentication filter can reject them.
  • Put cheap local rate limiting before JWT or external authorization so that a flood is shed before it reaches the authorization service; per-identity global limits belong after authentication, where the identity is known.
  • Put the compressor and cache immediately before the router so they see the final response.

2. Performance

  • Cache only what the upstream marks cacheable and keep the allowed vary list short.
  • Compress static content types; skip responses that carry per-user secrets.
  • Watch per-filter statistics (each filter exports its own counters) and remove filters that are not earning their latency.

3. Security

  • Enable the CORS and CSRF filters, and never combine a match-everything origin with allow_credentials: true.
  • Authenticate with jwt_authn or ext_authz and fail closed (failure_mode_allow: false) when the authorization service is unavailable.
  • Rate limit before the expensive filters, and decide explicitly whether the global limiter fails open or closed.
  • Strip client-supplied copies of any header the upstream trusts as a filter's output (ext_authz identity headers, x-jwt-payload) before that trust is exercised.
  • Monitor denials, rate-limit hits and health-check flaps as security signals, not only as operational ones.

Notes

  • Every HTTP filter adds latency to the request path; measure it.
  • Long filter chains are hard to debug: enable access logging with response flags and use each filter's own statistics.
  • Configuration is version-sensitive (deprecated fields, renamed extensions); validate it with envoy --mode validate before rollout.
  • Roll out changes gradually; most of these filters expose runtime fractions (filter_enabled, shadow_enabled) for exactly this purpose.

HTTP filters are where most of Envoy's request-level functionality lives; composed carefully, they implement authentication, abuse protection and response shaping without touching the application behind them.
