supabase
diff --git a/‎ansible/files/adminapi.sudoers.conf
Lines changed: 1 addition & 0 deletions b/‎ansible/files/adminapi.sudoers.conf
Lines changed: 1 addition & 0 deletions
diff --git a/‎ansible/files/envoy.service
Lines changed: 24 additions & 0 deletions b/‎ansible/files/envoy.service
Lines changed: 24 additions & 0 deletions
diff --git a/‎ansible/files/envoy_config/basic_auth.lua
Lines changed: 12 additions & 0 deletions b/‎ansible/files/envoy_config/basic_auth.lua
Lines changed: 12 additions & 0 deletions
diff --git a/‎ansible/files/envoy_config/cds.yaml
Lines changed: 51 additions & 0 deletions b/‎ansible/files/envoy_config/cds.yaml
Lines changed: 51 additions & 0 deletions
diff --git a/‎ansible/files/envoy_config/envoy.yaml
Lines changed: 23 additions & 0 deletions b/‎ansible/files/envoy_config/envoy.yaml
Lines changed: 23 additions & 0 deletions
diff --git a/‎ansible/files/envoy_config/lds.yaml
Lines changed: 268 additions & 0 deletions b/‎ansible/files/envoy_config/lds.yaml
Lines changed: 268 additions & 0 deletions
diff --git a/‎ansible/files/envoy_config/remove_apikey_query_parameter.lua
Lines changed: 5 additions & 0 deletions b/‎ansible/files/envoy_config/remove_apikey_query_parameter.lua
Lines changed: 5 additions & 0 deletions
@@ -1,3 +1,4 @@
+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service
 Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.service, /bin/systemctl restart kong.service, /bin/systemctl disable kong.service, /bin/systemctl enable kong.service, /bin/systemctl reload kong.service
 Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service
 Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service
 
@@ -0,0 +1,24 @@
+[Unit]
+Description=Envoy
+After=postgrest.service gotrue.service adminapi.service
+Wants=postgrest.service gotrue.service adminapi.service
+Conflicts=kong.service
+
+[Service]
+Type=simple
+ExecStart=/opt/envoy-hot-restarter.py /opt/start-envoy.sh
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill -TERM $MAINPID
+User=envoy
+Slice=services.slice
+Restart=always
+RestartSec=3
+LimitNOFILE=100000
+
+# The envoy user is unpriviledged and thus not permited to bind on ports < 1024
+# Via systemd we grant the process a set of priviledges to bind to 80/443
+# See http://archive.vn/36zJU
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1,12 @@
+function envoy_on_request(request_handle)
+    local authorization = request_handle:headers():get("authorization")
+
+    if authorization and authorization:find("^[Bb][Aa][Ss][Ii][Cc] " .. request_handle:metadata():get("credentials")) then
+        return
+    end
+
+    request_handle:respond({
+        [":status"] = "401",
+        ["WWW-Authenticate"] = "Basic realm=\"Unknown\""
+    }, "Unauthorized")
+end
@@ -0,0 +1,51 @@
+resources:
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: admin_api
+    load_assignment:
+      cluster_name: admin_api
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 8085
+    transport_socket:
+      name: envoy.transport_sockets.tls
+      typed_config:
+        '@type': >-
+          type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: gotrue
+    load_assignment:
+      cluster_name: gotrue
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 9999
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: postgrest
+    load_assignment:
+      cluster_name: postgrest
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 3000
+  - '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
+    name: postgrest_admin
+    load_assignment:
+      cluster_name: postgrest_admin
+      endpoints:
+        - lb_endpoints:
+            - endpoint:
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 3001
+
@@ -0,0 +1,23 @@
+dynamic_resources:
+  cds_config:
+    path_config_source:
+      path: /etc/envoy/cds.yaml
+    resource_api_version: V3
+  lds_config:
+    path_config_source:
+      path: /etc/envoy/lds.yaml
+    resource_api_version: V3
+node:
+  cluster: cluster_0
+  id: node_0
+overload_manager:
+  resource_monitors:
+    - name: envoy.resource_monitors.global_downstream_max_connections
+      typed_config:
+        '@type': >-
+          type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig
+        max_active_downstream_connections: 500000
+stats_config:
+  stats_matcher:
+    reject_all: true
+
@@ -0,0 +1,268 @@
+resources:
+  - '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    name: http_listener
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 80
+    filter_chains:
+      - filters: &ref_1
+          - name: envoy.filters.network.http_connection_manager
+            typed_config:
+              '@type': >-
+                type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+              generate_request_id: false
+              http_filters:
+                - name: envoy.filters.http.cors
+                  typed_config:
+                    '@type': >-
+                      type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors
+                - name: envoy.filters.http.rbac
+                  typed_config:
+                    '@type': >-
+                      type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
+                    rules:
+                      action: DENY
+                      policies:
+                        api_key_missing:
+                          permissions:
+                            - any: true
+                          principals:
+                            - not_id:
+                                or_ids:
+                                  ids:
+                                    - header:
+                                        name: apikey
+                                        present_match: true
+                                    - header:
+                                        name: ':path'
+                                        string_match:
+                                          contains: apikey=
+                        api_key_not_valid:
+                          permissions:
+                            - any: true
+                          principals:
+                            - not_id:
+                                or_ids:
+                                  ids:
+                                    - header:
+                                        name: apikey
+                                        string_match:
+                                          exact: anon_key
+                                    - header:
+                                        name: apikey
+                                        string_match:
+                                          exact: service_key
+                                    - header:
+                                        name: apikey
+                                        string_match:
+                                          exact: supabase_admin_key
+                                    - header:
+                                        name: ':path'
+                                        string_match:
+                                          contains: apikey=anon_key
+                                    - header:
+                                        name: ':path'
+                                        string_match:
+                                          contains: apikey=service_key
+                                    - header:
+                                        name: ':path'
+                                        string_match:
+                                          contains: apikey=supabase_admin_key
+                - name: envoy.filters.http.lua
+                  typed_config:
+                    '@type': >-
+                      type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
+                    source_codes:
+                      basic_auth:
+                        filename: /etc/envoy/basic_auth.lua
+                      remove_apikey_query_parameter:
+                        filename: /etc/envoy/remove_apikey_query_parameter.lua
+                - name: envoy.filters.http.router
+                  typed_config:
+                    '@type': >-
+                      type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+                    dynamic_stats: false
+              local_reply_config:
+                mappers:
+                  - filter:
+                      and_filter:
+                        filters:
+                          - status_code_filter:
+                              comparison:
+                                value:
+                                  default_value: 403
+                                  runtime_key: unused
+                          - header_filter:
+                              header:
+                                name: ':path'
+                                string_match:
+                                  prefix: /metrics/aggregated
+                                invert_match: true
+                    status_code: 401
+                    body_format_override:
+                      json_format:
+                        message: >-
+                          `apikey` request header or query parameter is either
+                          missing or invalid. Double check your Supabase `anon`
+                          or `service_role` API key.
+                        hint: '%RESPONSE_CODE_DETAILS%'
+                      json_format_options:
+                        sort_properties: false
+              route_config:
+                name: route_config_0
+                virtual_hosts:
+                  - name: virtual_host_0
+                    domains:
+                      - '*'
+                    typed_per_filter_config:
+                      envoy.filters.http.cors:
+                        '@type': >-
+                          type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
+                        allow_origin_string_match:
+                          - safe_regex:
+                              regex: \*
+                        allow_methods: GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS,TRACE,CONNECT
+                        allow_headers: apikey,authorization,x-client-info
+                        max_age: '3600'
+                    routes:
+                      - match:
+                          safe_regex:
+                            regex: >-
+                              /auth/v1/(verify|callback|authorize|sso/saml/(acs|metadata|slo))
+                        route:
+                          cluster: gotrue
+                          regex_rewrite:
+                            pattern:
+                              regex: ^/auth/v1
+                            substitution: ''
+                          retry_policy:
+                            num_retries: 3
+                            retry_on: 5xx
+                        typed_per_filter_config:
+                          envoy.filters.http.rbac: &ref_0
+                            '@type': >-
+                              type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
+                      - match:
+                          prefix: /auth/v1/
+                        route:
+                          cluster: gotrue
+                          prefix_rewrite: /
+                      - match:
+                          prefix: /rest/v1/
+                          query_parameters:
+                            - name: apikey
+                              present_match: true
+                        request_headers_to_remove:
+                          - apikey
+                        route:
+                          cluster: postgrest
+                          prefix_rewrite: /
+                          timeout: 2m
+                        typed_per_filter_config:
+                          envoy.filters.http.lua:
+                            '@type': >-
+                              type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
+                            name: remove_apikey_query_parameter
+                      - match:
+                          prefix: /rest/v1/
+                        request_headers_to_remove:
+                          - apikey
+                        route:
+                          cluster: postgrest
+                          prefix_rewrite: /
+                          timeout: 2m
+                      - match:
+                          prefix: /rest-admin/v1/
+                          query_parameters:
+                            - name: apikey
+                              present_match: true
+                        request_headers_to_remove:
+                          - apikey
+                        route:
+                          cluster: postgrest_admin
+                          prefix_rewrite: /
+                        typed_per_filter_config:
+                          envoy.filters.http.lua:
+                            '@type': >-
+                              type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
+                            name: remove_apikey_query_parameter
+                      - match:
+                          prefix: /rest-admin/v1/
+                        request_headers_to_remove:
+                          - apikey
+                        route:
+                          cluster: postgrest_admin
+                          prefix_rewrite: /
+                      - match:
+                          path: /graphql/v1
+                        request_headers_to_add:
+                          header:
+                            key: Content-Profile
+                            value: graphql_public
+                            timeout: 2m
+                        route:
+                          cluster: postgrest
+                          prefix_rewrite: /rpc/graphql
+                      - match:
+                          prefix: /admin/v1/
+                        route:
+                          cluster: admin_api
+                          prefix_rewrite: /
+                      - match:
+                          prefix: /customer/v1/privileged/
+                        route:
+                          cluster: admin_api
+                          prefix_rewrite: /privileged/
+                        typed_per_filter_config:
+                          envoy.filters.http.lua:
+                            '@type': >-
+                              type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
+                            name: basic_auth
+                          envoy.filters.http.rbac: *ref_0
+                        metadata:
+                          filter_metadata:
+                            envoy.filters.http.lua:
+                              credentials: c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
+                      - match:
+                          prefix: /metrics/aggregated
+                        route:
+                          cluster: admin_api
+                          prefix_rewrite: /supabase-internal/metrics
+                        typed_per_filter_config:
+                          envoy.filters.http.rbac:
+                            '@type': >-
+                              type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
+                            rbac:
+                              rules:
+                                action: DENY
+                                policies:
+                                  not_private_ip:
+                                    permissions:
+                                      - any: true
+                                    principals:
+                                      - not_id:
+                                          direct_remote_ip:
+                                            address_prefix: 10.0.0.0
+                                            prefix_len: 8
+              stat_prefix: ingress_http
+  - '@type': type.googleapis.com/envoy.config.listener.v3.Listener
+    name: https_listener
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 443
+    filter_chains:
+      - filters: *ref_1
+        transport_socket:
+          name: envoy.transport_sockets.tls
+          typed_config:
+            '@type': >-
+              type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+            common_tls_context:
+              tls_certificates:
+                - certificate_chain:
+                    filename: /etc/envoy/fullChain.pem
+                  private_key:
+                    filename: /etc/envoy/privKey.pem
+
@@ -0,0 +1,5 @@
+function envoy_on_request(request_handle)
+    local path = request_handle:headers():get(":path")
+
+    request_handle:headers():replace(":path", path:gsub("([&?])apikey=[^&]+&?", "%1"):gsub("&$", ""))
+end
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+Cmnd_Alias ENVOY = /bin/systemctl start envoy.service, /bin/systemctl stop envoy.service, /bin/systemctl restart envoy.service, /bin/systemctl disable envoy.service, /bin/systemctl enable envoy.service, /bin/systemctl reload envoy.service`
`1`	`2`	`Cmnd_Alias KONG = /bin/systemctl start kong.service, /bin/systemctl stop kong.service, /bin/systemctl restart kong.service, /bin/systemctl disable kong.service, /bin/systemctl enable kong.service, /bin/systemctl reload kong.service`
`2`	`3`	`Cmnd_Alias POSTGREST = /bin/systemctl start postgrest.service, /bin/systemctl stop postgrest.service, /bin/systemctl restart postgrest.service, /bin/systemctl disable postgrest.service, /bin/systemctl enable postgrest.service`
`3`	`4`	`Cmnd_Alias GOTRUE = /bin/systemctl start gotrue.service, /bin/systemctl stop gotrue.service, /bin/systemctl restart gotrue.service, /bin/systemctl disable gotrue.service, /bin/systemctl enable gotrue.service`