bypass http basic auth for some ip addresses

[vixns]

Hi,

on a HTTPRoute, I would like to allow some ip addresses to bypass basic authentication. Is it possible to combine basicAuth and Authorization on a single SecurityPolicy ?

[arkodg]

I dont think authorization will help here, because basicAuth would fail

you could do some IP based routing based on some prefix/regex match on X-Envoy-External-Address which should contain the remote addr https://gateway.envoyproxy.io/docs/tasks/traffic/client-traffic-policy/#configure-client-ip-detection
and you can split this up into 2 HTTPRoutes, and apply the SecurityPolicy with basic auth on 1 of them (which doesnt match the CIDR)

[vixns]

Thanks @arkodg !

For the reference, this works for one IP

rules:
    - backendRefs:
        - name: app
          port: 8080
      matches:
        - headers:
          - name: "X-Envoy-External-Address"
            value: "xxx.xxx.xxx.xxx"

For several IP addresses using a regex

rules:
    - backendRefs:
        - name: app
          port: 8080
      matches:
        - headers:
          - name: "X-Envoy-External-Address"
            type: RegularExpression
            value: "^(xxx\\.xxx\\.xxx\\.xxx|yyy\\.yyy\\.yyy\\.yyy)$"