Summary
Add a new transparent-proxy mode to the authbridge binary that handles iptables-redirected traffic directly in Go, without requiring Envoy. This eliminates the ~87 MB Envoy binary for deployments that only need HTTP auth injection/validation.
Motivation
The envoy-sidecar mode bundles Envoy (~87 MB) inside the authbridge container image. For basic auth use cases (inbound JWT validation, outbound token passthrough/exchange), Envoy is only used as a transparent proxy with ext_proc — its advanced features (custom filters, rate limiting, circuit breaking) are unused.
A Go-native transparent proxy would reduce the authbridge image from ~140 MB to ~25 MB while covering the common case.
What the new mode would do
- Listen on ports 15123 (outbound) and 15124 (inbound), same as Envoy today
- Read the original destination from iptables-redirected sockets via SO_ORIGINAL_DST getsockopt
- Proxy HTTP traffic with inline auth injection/validation (no ext_proc gRPC indirection)
- TLS passthrough: detect TLS ClientHello, forward via TCP proxy without termination
- Compatible with the existing proxy-init iptables rules (same ports, same UID exclusion)
What it does NOT replace
- envoy-sidecar mode remains for users who need Envoy-specific features (custom filters, observability integrations, rate limiting, circuit breaking, HTTP/2 multiplexing)
- waypoint and proxy-sidecar modes are unchanged
Implementation notes
- The Go forward proxy (proxy-sidecar mode, originally from klaviger) already handles HTTP proxying with auth. The gap is SO_ORIGINAL_DST socket handling (~50 lines) and TLS passthrough (~50 lines).
- The operator would select between envoy-sidecar and transparent-proxy via a config option or feature gate.
- Separate from but complementary to the Envoy decoupling work (running Envoy as a separate container instead of bundled).
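An added sketch (not authbridge or klaviger code) of the two gaps named above: decoding the sockaddr_in that getsockopt(SO_ORIGINAL_DST) returns, and peeking for a TLS ClientHello before committing a redirected connection to either the HTTP auth path or raw passthrough. Function names are invented here; IPv4 only and little-endian sin_family are assumptions.

```go
package main

import (
	"bufio"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Linux getsockopt(SOL_IP, SO_ORIGINAL_DST) fills a 16-byte sockaddr_in:
// sin_family [0:2] in host order (little-endian assumed, as on x86_64/arm64),
// sin_port [2:4] and sin_addr [4:8] in network order, then 8 bytes of padding.
const afInet = 2

// parseOriginalDstV4 decodes that buffer into the "ip:port" the client
// dialled before the iptables REDIRECT rule rewrote it to the proxy port.
func parseOriginalDstV4(raw []byte) (string, error) {
	if len(raw) < 8 {
		return "", errors.New("sockaddr_in too short")
	}
	if fam := binary.LittleEndian.Uint16(raw[0:2]); fam != afInet {
		return "", fmt.Errorf("unexpected address family %d (want AF_INET)", fam)
	}
	port := binary.BigEndian.Uint16(raw[2:4])
	ip := net.IPv4(raw[4], raw[5], raw[6], raw[7])
	return net.JoinHostPort(ip.String(), fmt.Sprint(port)), nil
}

// isTLSClientHello reports whether the first bytes of a connection are a TLS
// handshake record (type 0x16, version 0x03xx) carrying a ClientHello
// (handshake type 0x01 at offset 5). Plain HTTP starts with an ASCII method.
func isTLSClientHello(b []byte) bool {
	return len(b) >= 6 && b[0] == 0x16 && b[1] == 0x03 && b[2] <= 0x04 && b[5] == 0x01
}

// sniffConn peeks at six bytes without consuming them; the returned reader
// then fronts conn on either the HTTP proxy path or a raw TCP copy loop.
func sniffConn(conn net.Conn) (isTLS bool, r *bufio.Reader, err error) {
	r = bufio.NewReader(conn)
	hdr, err := r.Peek(6)
	if err != nil {
		return false, r, err
	}
	return isTLSClientHello(hdr), r, nil
}

func main() { // constructed sockaddr_in for 10.0.0.7:443, as getsockopt would return it
	fmt.Println(parseOriginalDstV4([]byte{2, 0, 0x01, 0xbb, 10, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0}))
}
```

In a real listener the raw buffer comes from a getsockopt call on the accepted socket's file descriptor, and the peeked reader must be the one handed to the HTTP server so no bytes are lost.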
Related