
Commit 6aa6278

committed
feat: add origin protection header
1 parent ea1ebd1 commit 6aa6278


3 files changed

+38
-0
lines changed


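--- a/ansible/files/envoy_config/lds.yaml
+++ b/ansible/files/envoy_config/lds.yaml
@@ -37,6 +37,28 @@ resources:
 rules:
 action: DENY
 policies:
+origin_protection_key_missing:
+permissions:
+- any: true
+principals:
+- not_id:
+or_ids:
+ids:
+- header:
+name: x-sb-origin-protection-key
+present_match: true
+origin_protection_key_not_valid:
+permissions:
+- any: true
+principals:
+- not_id:
+or_ids:
+ids:
+# when rolling over the key add a new entry here, deploy, then remove the old key and deploy again
+- header:
+name: x-sb-origin-protection-key
+string_match:
+exact: origin_protection_key
 api_key_missing:
 permissions:
 - any: true
@@ -194,6 +216,7 @@ resources:
 present_match: true
 request_headers_to_remove:
 - apikey
+- x-sb-origin-protection-key
 route:
 cluster: postgrest
 prefix_rewrite: /
@@ -207,6 +230,7 @@ resources:
 prefix: /rest/v1/
 request_headers_to_remove:
 - apikey
+- x-sb-origin-protection-key
 route:
 cluster: postgrest
 prefix_rewrite: /
@@ -218,6 +242,7 @@ resources:
 present_match: true
 request_headers_to_remove:
 - apikey
+- x-sb-origin-protection-key
 route:
 cluster: postgrest_admin
 prefix_rewrite: /
@@ -230,11 +255,14 @@ resources:
 prefix: /rest-admin/v1/
 request_headers_to_remove:
 - apikey
+- x-sb-origin-protection-key
 route:
 cluster: postgrest_admin
 prefix_rewrite: /
 - match:
 path: /graphql/v1
+request_headers_to_remove:
+- x-sb-origin-protection-key
 request_headers_to_add:
 header:
 key: Content-Profile
@@ -254,6 +282,8 @@ resources:
 route:
 cluster: admin_api
 prefix_rewrite: /privileged/
+request_headers_to_remove:
+- x-sb-origin-protection-key
 typed_per_filter_config:
 envoy.filters.http.rbac:
 '@type': >-
@@ -277,6 +307,8 @@ resources:
 route:
 cluster: admin_api
 prefix_rewrite: /supabase-internal/metrics
+request_headers_to_remove:
+- x-sb-origin-protection-key
 typed_per_filter_config:
 envoy.filters.http.rbac:
 '@type': >-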
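Review bot: The key-rollover comment above the `ids:` list in the first hunk describes adding a second `header:` entry, but the only value configure-envoy.sh substitutes is the single `origin_protection_key` placeholder, so a second entry would need its own placeholder and environment variable before that procedure produces a second valid key rather than a second copy of the same literal. I would extend the comment to `# when rolling over the key add a new entry here (with its own sed placeholder in configure-envoy.sh), deploy, then remove the old key and deploy again`. The `request_headers_to_remove` additions in the later hunks cover the postgrest, postgrest_admin, graphql and admin_api routes visible here; whether any route outside this diff still forwards the header upstream cannot be seen from this page and is worth checking, since the RBAC rule only denies requests without a valid key and does nothing to keep the key out of upstream logs.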

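--- a/ansible/files/envoy_config/remove_apikey_query_parameter.lua
+++ b/ansible/files/envoy_config/remove_apikey_query_parameter.lua
@@ -5,4 +5,9 @@ function envoy_on_request(request_handle)
 request_handle
 :headers()
 :replace(":path", path:gsub("([&?])apikey=[^&]+&?", "%1"):gsub("&$", ""))
+
+-- Removes the x-sb-origin-protection-key as it can be inspected via PostgREST pre-request hook, etc.
+request_handle
+:headers()
+:replace("x-sb-origin-protection-key", "")
 end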
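Review bot: `:replace("x-sb-origin-protection-key", "")` in the added lines sets the header to an empty value rather than removing it, so upstream services still receive an `x-sb-origin-protection-key` header, just with no value; the comment says the header is removed. The Envoy Lua header API has `headers():remove(key)`, so `request_handle:headers():remove("x-sb-origin-protection-key")` would drop the header entirely and match the comment's intent. The comment itself would read more precisely as `-- Strip x-sb-origin-protection-key before proxying so the secret is not visible to upstreams (e.g. via a PostgREST pre-request hook)`. The enclosing `envoy_on_request` function starts outside the hunk.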

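--- a/docker/all-in-one/init/configure-envoy.sh
+++ b/docker/all-in-one/init/configure-envoy.sh
@@ -42,6 +42,7 @@ sed -i -e "s|anon_key|${ANON_KEY}|g" \
 -e "s|service_key|${SERVICE_ROLE_KEY}|g" \
 -e "s|supabase_admin_key|${ADMIN_API_KEY}|g" \
 -e "s|c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5|$(echo -n "service_role:${SERVICE_ROLE_KEY}" | base64 --wrap 0)|g" \
+-e "s|origin_protection_key|${ORIGIN_PROTECTION_KEY}|g" \
 "${ENVOY_LDS_CONF}"
 
 # Update Envoy ports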
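Review bot: The new expression `s|origin_protection_key|${ORIGIN_PROTECTION_KEY}|g` replaces every occurrence of that substring, and in lds.yaml the RBAC policy names `origin_protection_key_missing` and `origin_protection_key_not_valid` contain it, so the secret is also written into those two policy identifiers (the header name `x-sb-origin-protection-key` uses hyphens and is unaffected). Envoy accepts arbitrary policy names, but the key then surfaces wherever a policy id does, such as config dumps or RBAC dynamic metadata, which defeats the point of keeping it out of logs. Anchoring the pattern to the one line that should change, `-e "s|exact: origin_protection_key|exact: ${ORIGIN_PROTECTION_KEY}|g" \`, or using a placeholder token that is not a prefix of other identifiers, avoids the collision. As with the sibling lines, a value containing `|`, `&` or `\` would break the sed expression, and if `ORIGIN_PROTECTION_KEY` is unset or empty the substitution presumably leaves `exact:` with no value, which should be checked before the RBAC rule is relied on.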
