diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md
index 80865cb..2fdf3ba 100644
--- a/docs/install/kubernetes.md
+++ b/docs/install/kubernetes.md
@@ -35,196 +35,7 @@ data: # Goma Gateway configurations version: 1.0 gateway: - # Proxy write timeout - writeTimeout: 15 - # Proxy read timeout - readTimeout: 15 - # Proxy idle timeout - idleTimeout: 30 - ## SSL Certificate file - sslCertFile: '' #cert.pem - ## SSL Private Key file - sslKeyFile: ''#key.pem - # Proxy rate limit, it's In-Memory IP based - rateLimit: 0 - logLevel: info # debug, trace, off - accessLog: "/dev/Stdout" - errorLog: "/dev/stderr" - ## Enable, disable routes health check - disableHealthCheckStatus: false - ## Returns backend route healthcheck errors - disableRouteHealthCheckError: false - # Disable display routes on start - disableDisplayRouteOnStart: false - # disableKeepAlive allows enabling and disabling KeepALive server - disableKeepAlive: false - # Block common exploits | detect SQL injection, and simple XSS attempts - blockCommonExploits: false - # interceptErrors intercepts backend errors based on defined the status codes - interceptErrors: - - 405 - - 500 - # - 400 - # Proxy Global HTTP Cors - cors: - # Global routes cors for all routes - origins: - - http://localhost:8080 - - https://example.com - # Global routes cors headers for all routes - headers: - Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id' - Access-Control-Allow-Credentials: 'true' - Access-Control-Max-Age: 1728000 - ##### Define routes - routes: - # Example of a route | 1 - - path: / - name: Public # Name is optional - # host Domain/host based request routing - hosts: [] # Hosts are optional - ## Rewrite a request path - # e.g rewrite: /store to / - rewrite: / - destination: https://example.com - # Limit HTTP methods allowed for this route - methods: [POST, PUT, GET] - #DisableHeaderXForward Disable X-forwarded header. 
- # [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ] - # It will not match the backend route, by default, it's disabled - disableHeaderXForward: false - # Route Cors, global cors will be overridden by route - cors: - # Route Origins Cors, route will override global cors origins - origins: - - https://dev.example.com - - http://localhost:3000 - - https://example.com - # Route Cors headers, route will override global cors headers - headers: - Access-Control-Allow-Methods: 'GET' - Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id' - Access-Control-Allow-Credentials: 'true' - Access-Control-Max-Age: 1728000 - ##### Apply middlewares to the route - ## The name must be unique - ## List of middleware name - middlewares: - - api-forbidden-paths - # Example of a route | 2 - - path: /protected - name: Basic auth - rewrite: / - destination: '' - backends: - - https://example.com - - https://example2.com - methods: - - GET - # Route healthcheck - healthCheck: - path: /health/live - interval: 30s - timeout: 10s - healthyStatuses: - - 200 - - 404 - cors: {} - middlewares: - - api-forbidden-paths - - basic-auth - #Defines proxy middlewares - # middleware name must be unique - middlewares: - # Enable Basic auth authorization based - - name: basic-auth - # Authentication types | jwt, basic, OAuth - type: basic - paths: - - /user - - /admin - - /account - rule: - username: admin - password: admin - #Enables JWT authorization based on the result of a request and continues the request. 
- - name: google-auth - # Authentication types | jwt, basic, OAuth - # jwt authorization based on the result of backend's response and continue the request when the client is authorized - type: jwt - # Paths to protect - paths: - - /protected-access - - /example-of-jwt - #- /* or wildcard path - rule: - # This is an example URL - url: https://www.googleapis.com/auth/userinfo.email - # Required headers, if not present in the request, the proxy will return 403 - requiredHeaders: - - Authorization - # You can also get headers from the authentication request result and inject them into the next request header or params. - # In case you want to get headers from the authentication service and inject them into the next request headers. - # Set the request variable to the given value after the authorization request completes. - # In case you want to get headers from the authentication service and inject them into the next request headers. - # Key is authentication request response header Key. Value is the next Request header Key. - headers: - userId: Auth-UserId - userCountryId: Auth-UserCountryId - # In case you want to get headers from the Authentication service and inject them to the next request params. - #Key is authentication request response header Key. Value is the next Request parameter Key. 
- params: - userCountryId: countryId - # The server will return 403 - - name: api-forbidden-paths - type: access - ## prevents access paths - paths: - - /swagger-ui/* - - /v2/swagger-ui/* - - /api-docs/* - - /internal/* - - /actuator/* - - name: oauth-google - type: oauth - paths: - - /protected - - /example-of-oauth - rule: - clientId: xxx - clientSecret: xxx - provider: google - endpoint: - userInfoUrl: "" - redirectUrl: http://localhost:8080/callback - redirectPath: "" - cookiePath: "" - scopes: - - https://www.googleapis.com/auth/userinfo.email - - https://www.googleapis.com/auth/userinfo.profile - state: randomStateString - jwtSecret: your-strong-jwt-secret | It's optional - - name: oauth-authentik - type: oauth - paths: - - /protected - - /example-of-oauth - rule: - clientId: xxx - clientSecret: xxx - provider: custom - endpoint: - authUrl: https://authentik.example.com/application/o/authorize/ - tokenUrl: https://authentik.example.com/application/o/token/ - userInfoUrl: https://authentik.example.com/application/o/userinfo/ - redirectUrl: http://localhost:8080/callback - redirectPath: "" - cookiePath: "" - scopes: - - email - - openid - state: randomStateString - jwtSecret: your-strong-jwt-secret | It's optional + ... ``` ## 3. Create Kubernetes deployment diff --git a/examples/configMap.yaml b/examples/configMap.yaml index c612761..70e1b40 100644 --- a/examples/configMap.yaml +++ b/examples/configMap.yaml @@ -19,7 +19,7 @@ data: sslKeyFile: ''#key.pem # Proxy rate limit, it's In-Memory IP based rateLimit: 0 - logLevel: info # debug, trace + logLevel: info # debug, trace, off accessLog: "/dev/Stdout" errorLog: "/dev/stderr" ## Enable, disable routes health check 
@@ -61,10 +61,8 @@ data:
 destination: https://example.com
 # Limit HTTP methods allowed for this route
 methods: [POST, PUT, GET]
- #DisableHeaderXForward Disable X-forwarded header.
- # [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ]
- # It will not match the backend route, by default, it's disabled
- disableHeaderXForward: false
+ #disableHostFording proxy host forwarding
+ disableHostFording: false
 # Route Cors, global cors will be overridden by route
 cors:
 # Route Origins Cors, route will override global cors origins
diff --git a/examples/goma.yml b/examples/goma.yml
index 04069a2..b41ef31 100644
--- a/examples/goma.yml
+++ b/examples/goma.yml
@@ -55,10 +55,8 @@ gateway:
 destination: https://example.com
 # Limit HTTP methods allowed for this route
 methods: [POST, PUT, GET]
- #DisableHeaderXForward Disable X-forwarded header.
- # [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ]
- # It will not match the backend route, by default, it's disabled
- disableHeaderXForward: false
+ #disableHostFording proxy host forwarding
+ disableHostFording: false
 # Route Cors, global cors will be overridden by route
 cors:
 # Route Origins Cors, route will override global cors origins
diff --git a/internal/proxy.go b/internal/proxy.go
index d8ddd2f..d4bea59 100644
--- a/internal/proxy.go
+++ b/internal/proxy.go
@@ -70,12 +70,12 @@ func (proxyRoute ProxyRoute) ProxyHandler() http.HandlerFunc {
 }
 return
 }
+ r.Header.Set("X-Forwarded-Host", r.Header.Get("Host"))
+ r.Header.Set("X-Forwarded-For", getRealIP(r))
+ r.Header.Set("X-Real-IP", getRealIP(r))
 // Update the headers to allow for SSL redirection
- if !proxyRoute.disableXForward {
+ if !proxyRoute.disableHostFording {
 r.URL.Scheme = targetURL.Scheme
- r.Header.Set("X-Forwarded-Host", r.Header.Get("Host"))
- r.Header.Set("X-Forwarded-For", getRealIP(r))
- r.Header.Set("X-Real-IP", getRealIP(r))
 r.Host = targetURL.Host
 }
 backendURL, _ := url.Parse(proxyRoute.destination)
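Review bot: The new key `disableHostFording` misspells "forwarding", and the same spelling is introduced in examples/goma.yml and as the field name and yaml tag in internal/types.go, so correcting it later would mean a second breaking rename of a user-facing config key. I would spell it `disableHostForwarding` in all three places before users copy it from this example. The comment `#disableHostFording proxy host forwarding` also reads as if the flag enables forwarding; since it disables the Host/scheme rewrite, something like `# disableHostForwarding: when true, keep the incoming Host and scheme instead of rewriting them to the backend's` would be clearer. Configs that still set the old `disableHeaderXForward` key will presumably be ignored by the decoder and fall back to false, which deserves a changelog note.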
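Review bot: `r.Header.Set("X-Forwarded-Host", r.Header.Get("Host"))` on the first added line will always store an empty value, because for server-side requests net/http promotes the Host header into `r.Host` and removes it from the Header map; the lookup should be `r.Header.Set("X-Forwarded-Host", r.Host)`, and it must stay above the `r.Host = targetURL.Host` assignment as it now does. Using `Set` for `X-Forwarded-For` also discards any chain already present on the request, whereas the conventional proxy behaviour is to append the immediate peer taken from `r.RemoteAddr`. If `getRealIP` (not visible here) derives its value from client-supplied `X-Forwarded-For`/`X-Real-IP`, the backend now receives a client-controlled address in `X-Real-IP` unconditionally, which undermines any IP-based allowlist or rate limit behind the gateway; those headers should only be trusted when the request arrives from a configured upstream proxy. The enclosing `ProxyHandler` starts and ends outside the hunk.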
diff --git a/internal/route.go b/internal/route.go
index 5d9f7e9..c735aca 100644
--- a/internal/route.go
+++ b/internal/route.go
@@ -99,13 +99,13 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
 } else {
 for _, midPath := range rMiddleware.Paths {
 proxyRoute := ProxyRoute{
- path: route.Path,
- rewrite: route.Rewrite,
- destination: route.Destination,
- backends: route.Backends,
- disableXForward: route.DisableHeaderXForward,
- methods: route.Methods,
- cors: route.Cors,
+ path: route.Path,
+ rewrite: route.Rewrite,
+ destination: route.Destination,
+ backends: route.Backends,
+ disableHostFording: route.DisableHostFording,
+ methods: route.Methods,
+ cors: route.Cors,
 }
 secureRouter := r.PathPrefix(util.ParseRoutePath(route.Path, midPath)).Subrouter()
 //callBackRouter := r.PathPrefix(util.ParseRoutePath(route.Path, "/callback")).Subrouter()
@@ -206,13 +206,13 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
 }
 }
 proxyRoute := ProxyRoute{
- path: route.Path,
- rewrite: route.Rewrite,
- destination: route.Destination,
- backends: route.Backends,
- methods: route.Methods,
- disableXForward: route.DisableHeaderXForward,
- cors: route.Cors,
+ path: route.Path,
+ rewrite: route.Rewrite,
+ destination: route.Destination,
+ backends: route.Backends,
+ methods: route.Methods,
+ disableHostFording: route.DisableHostFording,
+ cors: route.Cors,
 }
 // create route
 router := r.PathPrefix(route.Path).Subrouter()
diff --git a/internal/types.go b/internal/types.go
index 34f53a4..143b1ad 100644
--- a/internal/types.go
+++ b/internal/types.go
@@ -155,12 +155,12 @@ type Route struct {
 // Cors contains the route cors headers
 Cors Cors `yaml:"cors"`
 RateLimit int `yaml:"rateLimit"`
- // DisableHeaderXForward Disable X-forwarded header.
+ // DisableHostFording Disable X-forwarded header.
 //
 // [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ]
 //
 // It will not match the backend route
- DisableHeaderXForward bool `yaml:"disableHeaderXForward"`
+ DisableHostFording bool `yaml:"disableHostFording"`
 // InterceptErrors intercepts backend errors based on the status codes
 //
 // Eg: [ 403, 405, 500 ]
@@ -234,14 +234,14 @@ type GatewayServer struct {
 middlewares []Middleware
 }
 type ProxyRoute struct {
- path string
- rewrite string
- destination string
- backends []string
- healthCheck RouteHealthCheck
- methods []string
- cors Cors
- disableXForward bool
+ path string
+ rewrite string
+ destination string
+ backends []string
+ healthCheck RouteHealthCheck
+ methods []string
+ cors Cors
+ disableHostFording bool
 }
 type RoutePath struct {
 route Route
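Review bot: The doc comment on `DisableHostFording` is now stale: after the proxy.go change in this same commit the X-Forwarded-Host, X-Forwarded-For and X-Real-IP headers are set regardless of the flag, and the flag only decides whether `r.URL.Scheme` and `r.Host` are rewritten to the backend's values, so "Disable X-forwarded header" and the bracketed header list describe the old behaviour. I would replace the four comment lines with `// DisableHostFording, when true, keeps the incoming Host and URL scheme instead of rewriting them to the backend's; the X-Forwarded-* headers are set either way.` An operator reading only the struct comment would otherwise expect the flag to stop the client address from being forwarded, which it no longer does. The second hunk in this file is the matching rename on `ProxyRoute` and needs no further change.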