Sec-websocket-protocol header not passing to ext auth server

Hi team,

Thank you in advance for your support.

The Sec-websocket-protocol header is not passing to the ext auth server and we are getting 403 issues.

Istio version - 1.10.6
AKS - 1.21

Kindly guide me to resolve the issue.

The header value is being shown as null in the ext-auth-server pod logs, please help.

Regards,
Kalyan

@YangminZhu, Kindly suggest on this request.

Have you defined the extension provider in your mesh config? Ref: Istio / External Authorization

Yeah, this has been deployed. Kindly suggest whether Sec-Websocket-Protocol should be in lower case. The below has been defined.

extensionProviders:
- envoyExtAuthzHttp:
    headersToUpstreamOnAllow:
    - authorization
    - x-auth-role
    - x-projectid
    includeHeadersInCheck:
    - authorization
    - Sec-WebSocket-Protocol
    - x-projectid
    port: "8000"
    service: ext-authz-server-service.default.svc.cluster.local
  name: ext-authz-http

You can try that, your config looks correct though.

We have tried that option, but it didn’t work, and we are not sure why only the WebSocket protocol header is not passing to the backend.

The issue is with case; it got resolved, thank you.
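The case mismatch the thread settled on, as an added example that is not from any poster or from Istio: a simplified Python model of header selection plus a lint for the provider's header lists. It assumes the proxy holds header names in lowercase and matches `includeHeadersInCheck` entries exactly; the function names and the sample request are hypothetical.

```python
# Added example: a simplified model, not Envoy or Istio code.
# Assumption: request header names are held in lowercase by the proxy and
# compared to includeHeadersInCheck with an exact, case-sensitive match.

# Constructed from the provider posted in the thread.
PROVIDER = {
    "name": "ext-authz-http",
    "envoyExtAuthzHttp": {
        "service": "ext-authz-server-service.default.svc.cluster.local",
        "port": "8000",
        "includeHeadersInCheck": ["authorization", "Sec-WebSocket-Protocol", "x-projectid"],
        "headersToUpstreamOnAllow": ["authorization", "x-auth-role", "x-projectid"],
    },
}
# Constructed sample request, header names as a client might send them.
REQUEST = {
    "Authorization": "Bearer <token>",
    "Sec-WebSocket-Protocol": "v1.example",
    "X-ProjectId": "demo",
    "Upgrade": "websocket",
}
HEADER_LISTS = ("includeHeadersInCheck", "headersToUpstreamOnAllow")

def headers_sent_to_authz(provider, request):
    """Return the headers the check request would carry under the model above."""
    allowed = set(provider["envoyExtAuthzHttp"].get("includeHeadersInCheck", []))
    normalized = {name.lower(): value for name, value in request.items()}
    return {n: v for n, v in normalized.items() if n in allowed}

def lint_header_case(provider):
    """List (field, entry) pairs that can never match a lowercased header name."""
    cfg = provider["envoyExtAuthzHttp"]
    return [(f, h) for f in HEADER_LISTS for h in cfg.get(f, []) if h != h.lower()]

def lowercase_header_lists(provider):
    """Return a copy of the provider with every header list lowercased."""
    cfg = dict(provider["envoyExtAuthzHttp"])
    for f in HEADER_LISTS:
        if f in cfg:
            cfg[f] = [h.lower() for h in cfg[f]]
    return {**provider, "envoyExtAuthzHttp": cfg}

if __name__ == "__main__":
    print("findings:", lint_header_case(PROVIDER))
    print("before:", sorted(headers_sent_to_authz(PROVIDER, REQUEST)))
    fixed = lowercase_header_lists(PROVIDER)
    print("after: ", sorted(headers_sent_to_authz(fixed, REQUEST)))
```

Under this model the authorization server never receives the mixed-case entry's header, which matches the null value reported in the ext-auth-server logs.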