devbennett7/goma-gateway
1
0
Fork 0
Code Pull Requests Activity

docs: add block common exploits and oauth middleware

Browse Source
This commit is contained in:
Jonas Kaninda
2024-11-08 19:34:28 +01:00
parent 2012ac69a3
commit d4de147524
7 changed files with 98 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@@ -45,9 +45,13 @@ It comes with a lot of integrated features, such as:
- Custom Headers - Custom Headers
- Backend Errors interceptor - Backend Errors interceptor
- Support TLS - Support TLS
- Block common exploits middleware
- Patterns to detect SQL injection attempts
- Pattern to detect simple XSS attempts
- Authentication middleware - Authentication middleware
- JWT `client authorization based on the result of a request` - JWT `client authorization based on the result of a request`
- Basic-Auth - Basic-Auth
- OAuth
- Rate limiting - Rate limiting
- In-Memory Token Bucket based - In-Memory Token Bucket based
- In-Memory client IP based - In-Memory client IP based
@@ -56,8 +60,6 @@ It comes with a lot of integrated features, such as:
- [ ] Distributed Rate Limiting for In-Memory client IP based across multiple instances using Redis - [ ] Distributed Rate Limiting for In-Memory client IP based across multiple instances using Redis
- [ ] Blocklist IP address middleware - [ ] Blocklist IP address middleware
- [x] Block common exploits middleware
- [x] OAuth authentication middleware
---- ----
@@ -72,25 +74,25 @@ The default configuration is automatically generated if any configuration file i
```shell ```shell
docker run --rm --name goma-gateway \ docker run --rm --name goma-gateway \
-v "${PWD}/config:/config" \ -v "${PWD}/config:/etc/goma/" \
jkaninda/goma-gateway config init --output /config/goma.yml jkaninda/goma-gateway config init --output /etc/goma/goma.yml
``` ```
### 2. Run server ### 2. Run server
```shell ```shell
docker run --rm --name goma-gateway \ docker run --rm --name goma-gateway \
-v "${PWD}/config:/config" \ -v "${PWD}/config:/etc/goma/" \
-p 80:80 \ -p 8080:8080 \
jkaninda/goma-gateway server jkaninda/goma-gateway server
``` ```
### 3. Start server with a custom config ### 3. Start server with a custom config
```shell ```shell
docker run --rm --name goma-gateway \ docker run --rm --name goma-gateway \
-v "${PWD}/config:/config" \ -v "${PWD}/config:/etc/goma/" \
-p 80:80 \ -p 8080:8080 \
-p 443:443 \ -p 8443:8443 \
jkaninda/goma-gateway server --config /config/config.yml jkaninda/goma-gateway server --config /etc/goma/config.yml
``` ```
### 4. Healthcheck ### 4. Healthcheck
@@ -111,9 +113,9 @@ services:
start_period: 20s start_period: 20s
timeout: 10s timeout: 10s
ports: ports:
- "80:80" - "8080:8080"
volumes: volumes:
- ./config:/config/ - ./config:/etc/goma/
``` ```
Create a config file in this format Create a config file in this format
@@ -145,6 +147,7 @@ gateway:
disableDisplayRouteOnStart: false disableDisplayRouteOnStart: false
# disableKeepAlive allows enabling and disabling KeepALive server # disableKeepAlive allows enabling and disabling KeepALive server
disableKeepAlive: false disableKeepAlive: false
blockCommonExploits: false
# interceptErrors intercepts backend errors based on defined the status codes # interceptErrors intercepts backend errors based on defined the status codes
interceptErrors: interceptErrors:
- 405 - 405

13
docs/index.md
View File

@@ -20,12 +20,17 @@ It comes with a lot of integrated features, such as:
- Cross-Origin Resource Sharing (CORS) - Cross-Origin Resource Sharing (CORS)
- Custom Headers - Custom Headers
- Backend Errors interceptor - Backend Errors interceptor
- Support TLS
- Block common exploits middleware
- Patterns to detect SQL injection attempts
- Pattern to detect simple XSS attempts
- Authentication middleware - Authentication middleware
- JWT `client authorization based on the result of a request` - JWT `client authorization based on the result of a request`
- Basic-Auth - Basic-Auth
- OAuth
- Rate limiting - Rate limiting
- In-Memory Token Bucket based - In-Memory Token Bucket based
- In-Memory client IP based - In-Memory client IP based
Declare your routes and middlewares as code. Declare your routes and middlewares as code.

55
docs/middleware.md
View File

@@ -18,6 +18,7 @@ Goma Gateway supports :
- Authentication middleware - Authentication middleware
- JWT `client authorization based on the result of a request` - JWT `client authorization based on the result of a request`
- Basic-Auth - Basic-Auth
- OAuth
- Rate limiting middleware - Rate limiting middleware
- In-Memory client IP based - In-Memory client IP based
- Access middleware - Access middleware
@@ -133,6 +134,60 @@ middlewares:
params: params:
userCountryId: countryId userCountryId: countryId
``` ```
### OAuth middleware
Example of Google provider
```yaml
- name: google-oauth
type: oauth
paths:
- /*
rule:
clientId: xxx
clientSecret: xxxx
# oauth provider google, gitlab, github, amazon, facebook, custom
provider: google # facebook, gitlab, github, amazon
redirectUrl: https://example.com/callback/protected
#RedirectPath is the PATH to redirect users after authentication, e.g: /my-protected-path/dashboard
redirectPath: /dashboard
scopes:
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
state: randomStateString
jwtSecret: your-strong-jwt-secret | It's optional
```
Example of Authentik provider
```yaml
- name: oauth-authentik
type: oauth
paths:
- /protected
- /example-of-oauth
rule:
clientId: xxx
clientSecret: xxx
# oauth provider google, gitlab, github, amazon, facebook, custom
provider: custom
endpoint:
authUrl: https://authentik.example.com/application/o/authorize/
tokenUrl: https://authentik.example.com/application/o/token/
userInfoUrl: https://authentik.example.com/application/o/userinfo/
redirectUrl: https://example.com/callback
#RedirectPath is the PATH to redirect users after authentication, e.g: /my-protected-path/dashboard
redirectPath: ''
#CookiePath e.g.: /my-protected-path or / || by default is applied on a route path
cookiePath: "/"
scopes:
- email
- openid
state: randomStateString
jwtSecret: your-strong-jwt-secret | It's optional
```
### Access middleware ### Access middleware
Access middleware prevents access to a route or specific route path. Access middleware prevents access to a route or specific route path.

17
docs/quickstart.md
View File

@@ -11,19 +11,19 @@ nav_order: 2
You can generate the configuration file using `config init --output /config/config.yml` command. You can generate the configuration file using `config init --output /config/config.yml` command.
The default configuration is automatically generated if any configuration file is not provided, and is available at `/config/goma.yml` The default configuration is automatically generated if any configuration file is not provided, and is available at `/etc/goma/goma.yml`
```shell ```shell
docker run --rm --name goma-gateway \ docker run --rm --name goma-gateway \
-v "${PWD}/config:/config" \ -v "${PWD}/config:/etc/goma/" \
jkaninda/goma-gateway config init --output /config/config.yml jkaninda/goma-gateway config init --output /config/config.yml
``` ```
### 3. Start server with a custom config ### 3. Start server with a custom config
```shell ```shell
docker run --rm --name goma-gateway \ docker run --rm --name goma-gateway \
-v "${PWD}/config:/config" \ -v "${PWD}/config:/etc/goma/" \
-p 80:80 \ -p 8080:8080 \
jkaninda/goma-gateway server --config /config/config.yml jkaninda/goma-gateway server --config /config/config.yml
``` ```
### 4. Healthcheck ### 4. Healthcheck
@@ -39,16 +39,16 @@ services:
image: jkaninda/goma-gateway image: jkaninda/goma-gateway
command: server command: server
healthcheck: healthcheck:
test: curl -f http://localhost/readyz || exit 1 test: curl -f http://localhost/health/live || exit 1
interval: 30s interval: 30s
retries: 5 retries: 5
start_period: 20s start_period: 20s
timeout: 10s timeout: 10s
ports: ports:
- "80:80" - "8080:8080"
- "443:443" - "8443:8443"
volumes: volumes:
- ./config:/config/ - ./config:/etc/goma/
``` ```
## Customize configuration file ## Customize configuration file
@@ -79,6 +79,7 @@ gateway:
disableDisplayRouteOnStart: false disableDisplayRouteOnStart: false
# disableKeepAlive allows enabling and disabling KeepALive server # disableKeepAlive allows enabling and disabling KeepALive server
disableKeepAlive: false disableKeepAlive: false
blockCommonExploits: false
# interceptErrors intercepts backend errors based on defined the status codes # interceptErrors intercepts backend errors based on defined the status codes
interceptErrors: interceptErrors:
- 405 - 405

8
examples/compose.yaml
View File

@@ -3,13 +3,13 @@ services:
image: jkaninda/goma-gateway image: jkaninda/goma-gateway
command: server command: server
healthcheck: healthcheck:
test: curl -f http://localhost/readyz || exit 1 test: curl -f http://localhost:8080/health/live || exit 1
interval: 30s interval: 30s
retries: 5 retries: 5
start_period: 20s start_period: 20s
timeout: 10s timeout: 10s
ports: ports:
- "80:80" - "80:8080"
- "443:443" - "443:8443"
volumes: volumes:
- ./config:/config/ - ./config:/etc/goma/

10
examples/kubernetes.yaml
View File

@@ -20,24 +20,24 @@ spec:
memory: "128Mi" memory: "128Mi"
cpu: "200m" cpu: "200m"
ports: ports:
- containerPort: 80 - containerPort: 8080
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /health/live path: /health/live
port: 80 port: 8080
initialDelaySeconds: 15 initialDelaySeconds: 15
periodSeconds: 30 periodSeconds: 30
timeoutSeconds: 10 timeoutSeconds: 10
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /health/live path: /health/live
port: 80 port: 8080
initialDelaySeconds: 15 initialDelaySeconds: 15
periodSeconds: 40 periodSeconds: 30
timeoutSeconds: 10 timeoutSeconds: 10
volumeMounts: volumeMounts:
- name: config - name: config
mountPath: /config/ mountPath: /etc/goma/
volumes: volumes:
- name: config - name: config
configMap: configMap:

1
goma.yml
View File

@@ -22,6 +22,7 @@ gateway:
disableDisplayRouteOnStart: false disableDisplayRouteOnStart: false
# disableKeepAlive allows enabling and disabling KeepALive server # disableKeepAlive allows enabling and disabling KeepALive server
disableKeepAlive: false disableKeepAlive: false
blockCommonExploits: false
# interceptErrors intercepts backend errors based on defined the status codes # interceptErrors intercepts backend errors based on defined the status codes
interceptErrors: interceptErrors:
- 405 - 405