devbennett7/goma-gateway
1
0
Fork 0
Code Pull Requests Activity

fix: fix host forwrading

Browse Source
This commit is contained in:
Jonas Kaninda
2024-11-12 17:38:55 +01:00
parent 6b062be06a
commit 2fdc3c7baa
6 changed files with 34 additions and 227 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
docs/install/kubernetes.md
View File

@@ -35,196 +35,7 @@ data:
# Goma Gateway configurations
version: 1.0
gateway:
# Proxy write timeout
writeTimeout: 15
# Proxy read timeout
readTimeout: 15
# Proxy idle timeout
idleTimeout: 30
## SSL Certificate file
sslCertFile: '' #cert.pem
## SSL Private Key file
sslKeyFile: ''#key.pem
# Proxy rate limit, it's In-Memory IP based
rateLimit: 0
logLevel: info # debug, trace, off
accessLog: "/dev/Stdout"
errorLog: "/dev/stderr"
## Enable, disable routes health check
disableHealthCheckStatus: false
## Returns backend route healthcheck errors
disableRouteHealthCheckError: false
# Disable display routes on start
disableDisplayRouteOnStart: false
# disableKeepAlive allows enabling and disabling KeepALive server
disableKeepAlive: false
# Block common exploits | detect SQL injection, and simple XSS attempts
blockCommonExploits: false
# interceptErrors intercepts backend errors based on defined the status codes
interceptErrors:
- 405
- 500
# - 400
# Proxy Global HTTP Cors
cors:
# Global routes cors for all routes
origins:
- http://localhost:8080
- https://example.com
# Global routes cors headers for all routes
headers:
Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id'
Access-Control-Allow-Credentials: 'true'
Access-Control-Max-Age: 1728000
##### Define routes
routes:
# Example of a route | 1
- path: /
name: Public # Name is optional
# host Domain/host based request routing
hosts: [] # Hosts are optional
## Rewrite a request path
# e.g rewrite: /store to /
rewrite: /
destination: https://example.com
# Limit HTTP methods allowed for this route
methods: [POST, PUT, GET]
#DisableHeaderXForward Disable X-forwarded header.
# [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ]
# It will not match the backend route, by default, it's disabled
disableHeaderXForward: false
# Route Cors, global cors will be overridden by route
cors:
# Route Origins Cors, route will override global cors origins
origins:
- https://dev.example.com
- http://localhost:3000
- https://example.com
# Route Cors headers, route will override global cors headers
headers:
Access-Control-Allow-Methods: 'GET'
Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id'
Access-Control-Allow-Credentials: 'true'
Access-Control-Max-Age: 1728000
##### Apply middlewares to the route
## The name must be unique
## List of middleware name
middlewares:
- api-forbidden-paths
# Example of a route | 2
- path: /protected
name: Basic auth
rewrite: /
destination: ''
backends:
- https://example.com
- https://example2.com
methods:
- GET
# Route healthcheck
healthCheck:
path: /health/live
interval: 30s
timeout: 10s
healthyStatuses:
- 200
- 404
cors: {}
middlewares:
- api-forbidden-paths
- basic-auth
#Defines proxy middlewares
# middleware name must be unique
middlewares:
# Enable Basic auth authorization based
- name: basic-auth
# Authentication types | jwt, basic, OAuth
type: basic
paths:
- /user
- /admin
- /account
rule:
username: admin
password: admin
#Enables JWT authorization based on the result of a request and continues the request.
- name: google-auth
# Authentication types | jwt, basic, OAuth
# jwt authorization based on the result of backend's response and continue the request when the client is authorized
type: jwt
# Paths to protect
paths:
- /protected-access
- /example-of-jwt
#- /* or wildcard path
rule:
# This is an example URL
url: https://www.googleapis.com/auth/userinfo.email
# Required headers, if not present in the request, the proxy will return 403
requiredHeaders:
- Authorization
# You can also get headers from the authentication request result and inject them into the next request header or params.
# In case you want to get headers from the authentication service and inject them into the next request headers.
# Set the request variable to the given value after the authorization request completes.
# In case you want to get headers from the authentication service and inject them into the next request headers.
# Key is authentication request response header Key. Value is the next Request header Key.
headers:
userId: Auth-UserId
userCountryId: Auth-UserCountryId
# In case you want to get headers from the Authentication service and inject them to the next request params.
#Key is authentication request response header Key. Value is the next Request parameter Key.
params:
userCountryId: countryId
# The server will return 403
- name: api-forbidden-paths
type: access
## prevents access paths
paths:
- /swagger-ui/*
- /v2/swagger-ui/*
- /api-docs/*
- /internal/*
- /actuator/*
- name: oauth-google
type: oauth
paths:
- /protected
- /example-of-oauth
rule:
clientId: xxx
clientSecret: xxx
provider: google
endpoint:
userInfoUrl: ""
redirectUrl: http://localhost:8080/callback
redirectPath: ""
cookiePath: ""
scopes:
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
state: randomStateString
jwtSecret: your-strong-jwt-secret | It's optional
- name: oauth-authentik
type: oauth
paths:
- /protected
- /example-of-oauth
rule:
clientId: xxx
clientSecret: xxx
provider: custom
endpoint:
authUrl: https://authentik.example.com/application/o/authorize/
tokenUrl: https://authentik.example.com/application/o/token/
userInfoUrl: https://authentik.example.com/application/o/userinfo/
redirectUrl: http://localhost:8080/callback
redirectPath: ""
cookiePath: ""
scopes:
- email
- openid
state: randomStateString
jwtSecret: your-strong-jwt-secret | It's optional
...
```
## 3. Create Kubernetes deployment

8
examples/configMap.yaml
View File

@@ -19,7 +19,7 @@ data:
sslKeyFile: ''#key.pem
# Proxy rate limit, it's In-Memory IP based
rateLimit: 0
logLevel: info # debug, trace
logLevel: info # debug, trace, off
accessLog: "/dev/Stdout"
errorLog: "/dev/stderr"
## Enable, disable routes health check
@@ -61,10 +61,8 @@ data:
destination: https://example.com
# Limit HTTP methods allowed for this route
methods: [POST, PUT, GET]
#DisableHeaderXForward Disable X-forwarded header.
# [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ]
# It will not match the backend route, by default, it's disabled
disableHeaderXForward: false
#disableHostFording proxy host forwarding
disableHostFording: false
# Route Cors, global cors will be overridden by route
cors:
# Route Origins Cors, route will override global cors origins

6
examples/goma.yml
View File

@@ -55,10 +55,8 @@ gateway:
destination: https://example.com
# Limit HTTP methods allowed for this route
methods: [POST, PUT, GET]
#DisableHeaderXForward Disable X-forwarded header.
# [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ]
# It will not match the backend route, by default, it's disabled
disableHeaderXForward: false
#disableHostFording proxy host forwarding
disableHostFording: false
# Route Cors, global cors will be overridden by route
cors:
# Route Origins Cors, route will override global cors origins

6
internal/proxy.go
View File

@@ -70,12 +70,12 @@ func (proxyRoute ProxyRoute) ProxyHandler() http.HandlerFunc {
}
return
}
// Update the headers to allow for SSL redirection
if !proxyRoute.disableXForward {
r.URL.Scheme = targetURL.Scheme
r.Header.Set("X-Forwarded-Host", r.Header.Get("Host"))
r.Header.Set("X-Forwarded-For", getRealIP(r))
r.Header.Set("X-Real-IP", getRealIP(r))
// Update the headers to allow for SSL redirection
if !proxyRoute.disableHostFording {
r.URL.Scheme = targetURL.Scheme
r.Host = targetURL.Host
}
backendURL, _ := url.Parse(proxyRoute.destination)

4
internal/route.go
View File

@@ -103,7 +103,7 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
rewrite: route.Rewrite,
destination: route.Destination,
backends: route.Backends,
disableXForward: route.DisableHeaderXForward,
disableHostFording: route.DisableHostFording,
methods: route.Methods,
cors: route.Cors,
}
@@ -211,7 +211,7 @@ func (gatewayServer GatewayServer) Initialize() *mux.Router {
destination: route.Destination,
backends: route.Backends,
methods: route.Methods,
disableXForward: route.DisableHeaderXForward,
disableHostFording: route.DisableHostFording,
cors: route.Cors,
}
// create route

6
internal/types.go
View File

@@ -155,12 +155,12 @@ type Route struct {
// Cors contains the route cors headers
Cors Cors `yaml:"cors"`
RateLimit int `yaml:"rateLimit"`
// DisableHeaderXForward Disable X-forwarded header.
// DisableHostFording Disable X-forwarded header.
//
// [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ]
//
// It will not match the backend route
DisableHeaderXForward bool `yaml:"disableHeaderXForward"`
DisableHostFording bool `yaml:"disableHostFording"`
// InterceptErrors intercepts backend errors based on the status codes
//
// Eg: [ 403, 405, 500 ]
@@ -241,7 +241,7 @@ type ProxyRoute struct {
healthCheck RouteHealthCheck
methods []string
cors Cors
disableXForward bool
disableHostFording bool
}
type RoutePath struct {
route Route