Documentation
¶
Index ¶
Constants ¶
const Subsystem = "PRXY"
Variables ¶
This section is empty.
Functions ¶
Types ¶
type LocalService ¶
type LocalService interface {
http.Handler
// IsHandling returns true if the local service is handling the given
// request. If one of the local services returns true on this method
// then a request is not forwarded/proxied to any of the remote
// backends.
IsHandling(r *http.Request) bool
}
LocalService is an interface that describes a service that is handled internally by aperture and is not proxied to another backend.
func NewLocalService ¶
NewLocalService creates a new local service.
type PrefixLog ¶
type PrefixLog struct {
// contains filtered or unexported fields
}
PrefixLog logs with a given static string prefix.
func NewRemoteIPPrefixLog ¶
NewRemoteIPPrefixLog returns a new prefix logger that logs the remote IP address.
func (*PrefixLog) Debugf ¶
Debugf formats message according to format specifier and writes to log with LevelDebug.
func (*PrefixLog) Errorf ¶
Errorf formats message according to format specifier and writes to to log with LevelError.
type Proxy ¶
type Proxy struct {
// contains filtered or unexported fields
}
Proxy is a HTTP, HTTP/2 and gRPC handler that takes an incoming request, uses its authenticator to validate the request's headers, and either returns a challenge to the client or forwards the request to another server and proxies the response back to the client.
func New ¶
func New(auth auth.Authenticator, services []*Service, localServices ...LocalService) (*Proxy, error)
New returns a new Proxy instance that proxies between the services specified, using the auth to validate each request's headers and get new challenge headers if necessary.
func (*Proxy) ServeHTTP ¶
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP checks a client's headers for appropriate authorization and either returns a challenge or forwards their request to the target backend service.
func (*Proxy) UpdateServices ¶
UpdateServices re-configures the proxy to use a new set of backend services.
type Service ¶
type Service struct {
// Name is the name of the LSAT-enabled service.
Name string `long:"name" description:"Name of the LSAT-enabled service"`
// TLSCertPath is the optional path to the service's TLS certificate.
TLSCertPath string `long:"tlscertpath" description:"Path to the service's TLS certificate"`
// Address is the service's IP address and port.
Address string `long:"address" description:"service instance rpc address"`
// Protocol is the protocol that should be used to connect to the
// service. Currently supported is http and https.
Protocol string `long:"protocol" description:"service instance protocol"`
// Auth is the authentication level required for this service to be
// accessed. Valid values are "on" for full authentication, "freebie X"
// for X free requests per IP address before authentication is required
// or "off" for no authentication.
Auth auth.Level `long:"auth" description:"required authentication"`
// HostRegexp is a regular expression that is tested against the 'Host'
// HTTP header field to find out if this service should be used.
HostRegexp string `long:"hostregexp" description:"Regular expression to match the host against"`
// PathRegexp is a regular expression that is tested against the path
// of the URL of a request to find out if this service should be used.
PathRegexp string `long:"pathregexp" description:"Regular expression to match the path of the URL against"`
// Headers is a map of strings that defines header name and values that
// should always be passed to the backend service, overwriting any
// headers with the same name that might have been set by the client
// request.
// If the value of a header field starts with the prefix "!file+hex:",
// the rest of the value is treated as a path to a file and the content
// of that file is sent to the backend with each call (hex encoded).
// If the value starts with the prefix "!file+base64:", the content of
// the file is sent encoded as base64.
Headers map[string]string `long:"headers" description:"Header fields to always pass to the service"`
// Timeout is an optional value that indicates in how many seconds the
// service's caveat should time out relative to the time of creation. So
// if a value of 100 is set, then the timeout will be 100 seconds
// after creation of the LSAT.
Timeout int64 `long:"timeout" description:"An integer value that indicates the number of seconds until the service access expires"`
// Capabilities is the list of capabilities authorized for the service
// at the base tier.
Capabilities string `long:"capabilities" description:"A comma-separated list of the service capabilities authorized for the base tier"`
// Constraints is the set of constraints that will take form of caveats.
// They'll be enforced for a service at the base tier. The key should
// correspond to the caveat's condition.
Constraints map[string]string `long:"constraints" description:"The service constraints to enforce at the base tier"`
// Price is the custom LSAT value in satoshis to be used for the
// service's endpoint.
Price int64 `long:"price" description:"Static LSAT value in satoshis to be used for this service"`
// DynamicPrice holds the config options needed for initialising
// the pricer if a gPRC server is to be used for price data.
DynamicPrice pricer.Config `long:"dynamicprice" description:"Configuration for connecting to the gRPC server to use for the pricer backend"`
// AuthWhitelistPaths is an optional list of regular expressions that
// are matched against the path of the URL of a request. If the request
// URL matches any of those regular expressions, the call is treated as
// if Auth was set to "off". This allows certain RPC methods to not
// require an LSAT token. E.g. the path for a gRPC call looks like this:
// /package_name.ServiceName/MethodName
AuthWhitelistPaths []string `long:"authwhitelistpaths" description:"List of regular expressions for paths that don't require authentication'"`
// contains filtered or unexported fields
}
Service generically specifies configuration data for backend services to the Aperture proxy.
func (*Service) AuthRequired ¶
AuthRequired determines the auth level required for a given request.
func (*Service) ResourceName ¶
ResourceName returns the string to be used to identify which resource a macaroon has access to. If DynamicPrice Enabled option is set to true then the service has further restrictions per resource and so the name will include both the service name and the specific resource name. Otherwise authorisation is only restricted by service name.
Source Files