hmacproxy

command module

v0.0.0-...-6c707f9 Latest Latest Go to latest Published: Oct 8, 2015 License: CC0-1.0 Imports: 12 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/18F/hmacproxy

Links

Open Source Insights

README ¶

hmacproxy HMAC authentication proxy server

Proxy server that signs and authenticates HTTP requests using an HMAC signature; uses the github.com/18F/hmacauth Go package.

Installation

For now, install from source:

$ go get github.com/18F/hmacproxy

Testing out locally

The following will authenticate local requests and return a status of 202 if everything works. Change the values for -secret, -sign-header, and -headers to simulate authentication failures.

In the first shell:

$ hmacproxy -port 8081 -secret "foobar" -sign-header "X-Signature" -auth

127.0.0.1:8081: responding Accepted/Unauthorized for auth queries

In the second shell:

$ hmacproxy -port 8080 -secret "foobar" -sign-header "X-Signature" \
  -upstream http://localhost:8081/

127.0.0.1:8080: proxying signed requests to: http://localhost:8081/

In the third shell:

$ curl -i localhost:8080/18F/hmacproxy

HTTP/1.1 202 Accepted
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Date: Mon, 05 Oct 2015 15:32:56 GMT

Signing outgoing requests

$ hmacproxy -port 8080 -secret "foobar" -sign-header "X-Signature" \
  -upstream https://my-upstream.com/

Validating incoming requests

All of the following require the -auth flag.

Proxying to an upstream server

$ hmacproxy -port 8080 -secret "foobar" -sign-header "X-Signature" \
  -upstream https://my-upstream.com/ -auth

Serving files directly

$ hmacproxy -port 8080 -secret "foobar" -sign-header "X-Signature" \
  -file-root /path/to/my/files -auth

Returning an Accepted/Unauthorized status

This should be compatible with the Nginx ngx_http_auth_request_module by using an auth_request directive to proxy to the hmacproxy.

$ hmacproxy -port 8080 -secret "foobar" -sign-header "X-Signature" -auth

Then add configuration such as the following to your nginx instance, where:

PORT is replaced with the port number of your service
myservice.com is replaced with the virtual server name for your service
ssl/star.myservice.com.conf contains the SSL configuration for your server.
http://127.0.0.1:8080 matches the address of the local hmacproxy instance from above
The X-Original-URI header is added to the authentication request, defined using the builtin $request_uri nginx variable.

server {
  listen PORT ssl spdy;
  server_name  myservice.com;

  include ssl/star.myservice.com.conf;

  location = /auth {
    internal;
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header X-Original-URI $request_uri;
  }

  location / {
    auth_request /auth;
    ...
  }
}

Accepting incoming requests over SSL

If you wish to expose the proxy endpoints directly to the public, rather than via an Nginx proxy scheme, pass the -ssl-cert and -ssl-key options along all other -auth parameters.

Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL