Extending Envoy Proxy with Golang WebAssembly

By Effi Bar-She’an

Envoy is an L7 proxy and communication bus designed for large modern service-oriented architectures.

Envoy can be used to monitor and control HTTP connections. One way to do this is with the Lua scripting language, for example to intercept requests and responses. Another option is a WebAssembly (WASM) plugin.

As Golang developers, we can develop our WASM plugin using the Go SDK.

Let’s write and run an Envoy proxy with a WASM extension written in Go :-)

First, you need to install Envoy:

Alternatively, you can work with Docker, but there is currently an issue on macOS that makes it harder.

WASM extensions can’t be developed with regular Go; instead, you use TinyGo:

Now, let’s write our main.go to log request headers:

helloHttpContext embeds proxywasm.DefaultHttpContext so that we do not need to implement all the methods of HttpContext.

The only method that we override is OnHttpRequestHeaders, which logs the request headers on all requests that contain headers.

To get the request headers we use proxywasm.GetHttpRequestHeaders. Note that we can’t retrieve the request body in the OnHttpRequestHeaders method. To do that we need to override OnHttpRequestBody.
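Logging every request header, as this filter does, also writes Authorization and Cookie values into Envoy’s log. As an added example (not code from the original post), here is a stand-alone helper that redacts such values from the [][2]string header pairs returned by proxywasm.GetHttpRequestHeaders before they are logged; the names redactHeaders, redactValue and the sensitiveHeaders list are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// sensitiveHeaders: lower-case names whose values must not reach the log.
// The list is an assumption for this example; extend it for your environment.
var sensitiveHeaders = map[string]bool{
	"authorization": true, "proxy-authorization": true,
	"cookie": true, "set-cookie": true, "x-api-key": true,
}

// redactHeaders returns a copy of headers that is safe to log. Names are
// matched case-insensitively and the input slice is left unmodified.
func redactHeaders(headers [][2]string) [][2]string {
	out := make([][2]string, 0, len(headers))
	for _, h := range headers {
		name, value := h[0], h[1]
		if key := strings.ToLower(name); sensitiveHeaders[key] {
			value = redactValue(key, value)
		}
		out = append(out, [2]string{name, value})
	}
	return out
}

// redactValue keeps the auth scheme ("Bearer", "Basic") and drops the rest.
func redactValue(key, value string) string {
	if strings.HasSuffix(key, "authorization") {
		if i := strings.IndexByte(value, ' '); i > 0 {
			return value[:i] + " [REDACTED]"
		}
	}
	return "[REDACTED]"
}

func main() {
	// Constructed sample headers, not captured traffic.
	sample := [][2]string{
		{":path", "/hello"},
		{"Authorization", "Bearer abc.def.ghi"},
		{"cookie", "session=constructed-value"},
	}
	for _, h := range redactHeaders(sample) {
		fmt.Printf("request header: %s: %s\n", h[0], h[1])
	}
}
```

Inside the filter, the same function would be applied to the slice before each pair is passed to the SDK’s logging call.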

Let’s build our WASM with TinyGo:

This should create the hello.wasm file in the current directory.

Before running Envoy we need to create a config file, envoy.yaml. This configuration loads Envoy with a WASM filter and then listens on port 8085 as a reverse proxy to the backend service hello, which listens on localhost:8080:

Next, here’s our backend hello service, which listens on port 8080 and responds to /hello, to which our Envoy proxy will redirect all the traffic:

After running the hello service, let’s run the Envoy proxy with our config file:

Note that we’re running it with log level debug; the default is info.

Calling our service:

should result in the following Envoy logs:

See the full code here.

From the Security Policy Company. This blog is dedicated to cloud-native topics such as Kubernetes, cloud security and micro-services.

Tufin