How to block URLs with specific resource on istio?

I am trying to block certain resources like xyz.com/app/health or xyz.com/app/metrices from outside access.
I could find faultInjection in virtual service, but that results in a message (fault filter abort) which doesn’t seem good.
Is there a way a page not found (404) can be implemented as the Istio response if the prefix includes app/health or app/metrices?

Hi, I think rate limit can meet your requirements. Envoy can return 404 instead of 429 based on prefix.

Hi @triThirty,
Thanks for your response.
RateLimit seems to be restricting number of requests / minute.
I am looking more towards these ways:

  1. If there could be a NULL value as destination upon receipt of such requests in virtual service
  2. Any “Direct Response” method in istio which is there in envoy (Direct response — envoy 1.21.0-dev-6acc5d documentation) for custom response code/message

How about rewriting the path? HTTP route components — envoy 1.21.0-dev-6acc5d documentation
So you can rewrite the app/health or app/metrices prefix paths to a 404 route.

It seems better to use an authorization policy for access control.

By default, the authorization policy returns a 403 RBAC access denied message; you can customize it with the following EnvoyFilter:

```
kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: customize-authz-response
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
          local_reply_config:
            mappers:
            - filter:
                status_code_filter:
                  comparison:
                    op: EQ
                    value:
                      default_value: 403
                      runtime_key: placeholder
              status_code: 403
              body:
                inline_string: customized_authz_deny_response
              body_format_override:
                text_format: "<h1>%LOCAL_REPLY_BODY% %RESPONSE_CODE% %REQ(:path)%</h1>"
                content_type: "text/html; charset=UTF-8"
EOF
```
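
A sketch of the authorization-policy approach suggested in the last reply, added here as an example and not taken from the thread: a DENY policy on the ingress gateway for the two paths in the question. The policy name is hypothetical, and the namespace and gateway label are assumed to match the EnvoyFilter above.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  # Hypothetical name, chosen for this example.
  name: deny-internal-endpoints
  # Assumed: same namespace as the ingress gateway, as in the EnvoyFilter above.
  namespace: istio-system
spec:
  # Assumed: the default ingress gateway label, as in the EnvoyFilter above.
  selector:
    matchLabels:
      istio: ingressgateway
  # DENY rules are evaluated before ALLOW rules, so a match here always rejects.
  action: DENY
  rules:
  - to:
    - operation:
        # Match the host with and without a port in the Host header.
        hosts:
        - "xyz.com"
        - "xyz.com:*"
        # Exact path plus everything beneath it. A bare prefix such as
        # "/app/health*" would also match unrelated paths like "/app/healthy".
        paths:
        - "/app/health"
        - "/app/health/*"
        - "/app/metrices"
        - "/app/metrices/*"
```

Because the policy is attached to the gateway workload only, in-mesh callers that reach the service directly are not affected. Path matching is done on the path as the gateway sees it, so check the mesh's path normalization setting before relying on it for encoded or non-canonical paths.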