Fiber as an Envoy External Authorization HTTP Service
One way of extending the popular Envoy proxy is by developing an external authorization service.
This example illustrates using fiber and the keyauth middleware as an authorization service for a front
proxy (the configuration could also be used for an L2 / Sidecar proxy). See authz.
It also uses fiber as a sample upstream service, with the following endpoints. See app.
Architecture
Client
  │
  │ HTTP request (port 8000)
  ▼
Envoy (front-envoy)
  │
  ├──► AuthZ service (fiber_authz :1337)
  │      Checks x-api-key header via keyauth middleware.
  │      Returns 200 OK → Envoy forwards request upstream.
  │      Returns 403 Forbidden → Envoy rejects request immediately.
  │
  └──► App service (fiber_app) — only reached when AuthZ approves
         Serves /health (unprotected) and /api/resource (protected).
All three services run in the same Docker network (envoymesh). Envoy is the sole ingress point; the app service is never exposed directly.
Prerequisites
- Docker with Compose plugin (or docker-compose v1)
Endpoints
| Name | Route | Protected | Method |
|---|---|---|---|
| Health | /health | No | GET |
| Resource | /api/resource | Yes | GET |
Run
docker-compose up --build -d
Test
| Name | Command | Status |
|---|---|---|
| Not protected | curl localhost:8000/health -i | 200 |
| Missing API key | curl localhost:8000/api/resource -i | 403 |
| Invalid API key | curl localhost:8000/api/resource -i -H "x-api-key: invalid-key" | 403 |
| Valid API key | curl localhost:8000/api/resource -i -H "x-api-key: valid-key" | 200 |
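The allow/deny contract behind the table above, as an added example that is not the recipe's own code: it uses Go's net/http in place of Fiber and keyauth so it runs without dependencies. The `unprotected` map, the `decide` helper and the choice to exempt /health inside the check service are assumptions; the key value is the one from the Test table.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// validKey is the sample key from the Test table; load real keys from a secret store.
const validKey = "valid-key"

// unprotected is an exact-match allowlist (assumption: the check service,
// not Envoy routing, exempts /health). Anything not listed needs a key.
var unprotected = map[string]bool{"/health": true}

// keyOK compares SHA-256 digests in constant time, so neither the key's
// length nor its content is exposed through response timing.
func keyOK(got string) bool {
	a, b := sha256.Sum256([]byte(got)), sha256.Sum256([]byte(validKey))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

// authz is the check endpoint Envoy calls before routing upstream.
// Envoy forwards x-api-key to it only if the ext_authz filter's
// allowed_headers lists that header; otherwise every request is denied here.
func authz(w http.ResponseWriter, r *http.Request) {
	if unprotected[r.URL.Path] || keyOK(r.Header.Get("x-api-key")) {
		w.WriteHeader(http.StatusOK) // allow: Envoy forwards the request
		return
	}
	w.WriteHeader(http.StatusForbidden) // fail closed: Envoy rejects the request
}

// decide replays one request through authz and returns the status Envoy acts on.
func decide(path, key string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if key != "" {
		req.Header.Set("x-api-key", key)
	}
	rec := httptest.NewRecorder()
	authz(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(decide("/health", ""), decide("/api/resource", ""), decide("/api/resource", "invalid-key"), decide("/api/resource", "valid-key"))
}
```

Because the allowlist matches paths exactly, a request such as /health/x is treated as protected and is denied without a key.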
Stop
docker-compose down