How to combine IP Allowlist and Basic Authentication?

[muffl0n]

I see that I can use https://gateway.envoyproxy.io/docs/tasks/security/basic-auth/ and https://gateway.envoyproxy.io/docs/tasks/security/restrict-ip-access/ to restrict the access to services.

But how can i achieve a combination of those two? I have these two scenarios: Allow users to access a service either by...

1. ...request coming from a subnet contained in a allowlist OR knowing credentials for basic auth
2. ...request coming from a subnet contained in a allowlist AND knowing credentials for basic auth

In ingress-nginx I built them like this:
1.

nginx.ingress.kubernetes.io/auth-realm: Authentication Required
nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/satisfy: any
nginx.ingress.kubernetes.io/whitelist-source-range: 1.2.3.4/24

nginx.ingress.kubernetes.io/auth-realm: Authentication Required
nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/whitelist-source-range: 1.2.3.4/24

[arkodg]

cc @zhaohuabing

[zhaohuabing]

Envoy Gateway delegates auth to Envoy filters: Basic Auth and IP allowlisting (via RBAC) are separate. You can get an AND by applying both (e.g., a SecurityPolicy that includes Basic Auth plus IP-based authorization). A true OR (“allow if IP is allowed OR creds are valid”) isn’t supported today without custom ext_authz logic.