Documentation ¶
Index ¶
- Constants
- Variables
- func InitClientCertMetadataRules(rules []VerifyClientCertificateMetadataRule, certs []*x509.Certificate) error
- func IsLoadBalancingAlgorithmValid(lbAlgo string) bool
- func VerifyClientCertMetadata(rules []VerifyClientCertificateMetadataRule, chains [][]*x509.Certificate, ...) error
- type AccessLog
- type BackendConfig
- type CertSubject
- type Config
- type FormatConfig
- type HTTPRewrite
- type HTTPRewriteResponses
- type HeaderNameValue
- type LoggingConfig
- type NatsConfig
- type NatsHost
- type OAuthConfig
- type PrometheusConfig
- type RouteServiceConfig
- type RoutingApiConfig
- type StatusConfig
- type StatusRoutesConfig
- type StatusTLSConfig
- type StringSet
- type TLSPem
- type Tracing
- type VerifyClientCertificateMetadataRule
Constants ¶
const ( LOAD_BALANCE_RR string = "round-robin" LOAD_BALANCE_LC string = "least-connection" AZ_PREF_NONE string = "none" AZ_PREF_LOCAL string = "locally-optimistic" SHARD_ALL string = "all" SHARD_SEGMENTS string = "segments" SHARD_SHARED_AND_SEGMENTS string = "shared-and-segments" ALWAYS_FORWARD string = "always_forward" SANITIZE_SET string = "sanitize_set" FORWARD string = "forward" REDACT_QUERY_PARMS_NONE string = "none" REDACT_QUERY_PARMS_ALL string = "all" REDACT_QUERY_PARMS_HASH string = "hash" )
Variables ¶
var ( LoadBalancingStrategies = []string{LOAD_BALANCE_RR, LOAD_BALANCE_LC} AZPreferences = []string{AZ_PREF_NONE, AZ_PREF_LOCAL} AllowedShardingModes = []string{SHARD_ALL, SHARD_SEGMENTS, SHARD_SHARED_AND_SEGMENTS} AllowedForwardedClientCertModes = []string{ALWAYS_FORWARD, FORWARD, SANITIZE_SET} AllowedQueryParmRedactionModes = []string{REDACT_QUERY_PARMS_NONE, REDACT_QUERY_PARMS_ALL, REDACT_QUERY_PARMS_HASH} )
Functions ¶
func InitClientCertMetadataRules ¶
func InitClientCertMetadataRules(rules []VerifyClientCertificateMetadataRule, certs []*x509.Certificate) error
InitClientCertMetadataRules compares the defined rules against client CAs set in `client_ca_certs`. When a rule is found that does not have a corresponding client CA (based on the CA's subject) that matches the rule, startup will fail.
This is to avoid defining a rule with a minor typo that would then not apply at all and would make the whole additional metadata check moot.
func VerifyClientCertMetadata ¶
func VerifyClientCertMetadata(rules []VerifyClientCertificateMetadataRule, chains [][]*x509.Certificate, logger *slog.Logger) error
VerifyClientCertMetadata checks for the certificate chain received from the tls.Config.VerifyPeerCertificate function callback, whether any configured VerifyClientCertificateMetadataRule applies.
If a rule does apply, it is evaluated.
Returns an error if there is an applicable rule which does not find a valid client certificate subject.
Types ¶
type BackendConfig ¶
type BackendConfig struct { ClientAuthCertificate tls.Certificate MaxConns int64 `yaml:"max_conns"` MaxAttempts int `yaml:"max_attempts"` TLSPem `yaml:",inline"` // embed to get cert_chain and private_key for client authentication }
type CertSubject ¶
type CertSubject struct { Country []string `yaml:"country"` Organization []string `yaml:"organization"` OrganizationalUnit []string `yaml:"organizational_unit"` CommonName string `yaml:"common_name"` SerialNumber string `yaml:"serial_number"` Locality []string `yaml:"locality"` Province []string `yaml:"province"` StreetAddress []string `yaml:"street_address"` PostalCode []string `yaml:"postal_code"` }
CertSubject defines the same fields as pkix.Name and allows YAML declaration of said fields. This is used to express distinguished names for certificate subjects in a comparable manner.
func (CertSubject) ToName ¶
func (c CertSubject) ToName() pkix.Name
ToName converts this CertSubject to a pkix.Name.
type Config ¶
type Config struct { Status StatusConfig `yaml:"status,omitempty"` Nats NatsConfig `yaml:"nats,omitempty"` Logging LoggingConfig `yaml:"logging,omitempty"` Port uint16 `yaml:"port,omitempty"` Prometheus PrometheusConfig `yaml:"prometheus,omitempty"` Index uint `yaml:"index,omitempty"` Zone string `yaml:"zone,omitempty"` GoMaxProcs int `yaml:"go_max_procs,omitempty"` Tracing Tracing `yaml:"tracing,omitempty"` TraceKey string `yaml:"trace_key,omitempty"` AccessLog AccessLog `yaml:"access_log,omitempty"` DebugAddr string `yaml:"debug_addr,omitempty"` EnablePROXY bool `yaml:"enable_proxy,omitempty"` EnableSSL bool `yaml:"enable_ssl,omitempty"` SSLPort uint16 `yaml:"ssl_port,omitempty"` DisableHTTP bool `yaml:"disable_http,omitempty"` EnableHTTP2 bool `yaml:"enable_http2"` EnableHTTP1ConcurrentReadWrite bool `yaml:"enable_http1_concurrent_read_write"` SSLCertificates []tls.Certificate `yaml:"-"` TLSPEM []TLSPem `yaml:"tls_pem,omitempty"` CACerts []string `yaml:"ca_certs,omitempty"` CAPool *x509.CertPool `yaml:"-"` ClientCACerts string `yaml:"client_ca_certs,omitempty"` ClientCAPool *x509.CertPool `yaml:"-"` SkipSSLValidation bool `yaml:"skip_ssl_validation,omitempty"` ForwardedClientCert string `yaml:"forwarded_client_cert,omitempty"` ForceForwardedProtoHttps bool `yaml:"force_forwarded_proto_https,omitempty"` SanitizeForwardedProto bool `yaml:"sanitize_forwarded_proto,omitempty"` HopByHopHeadersToFilter []string `yaml:"hop_by_hop_headers_to_filter"` IsolationSegments []string `yaml:"isolation_segments,omitempty"` RoutingTableShardingMode string `yaml:"routing_table_sharding_mode,omitempty"` CipherString string `yaml:"cipher_suites,omitempty"` CipherSuites []uint16 `yaml:"-"` MinTLSVersionString string `yaml:"min_tls_version,omitempty"` MaxTLSVersionString string `yaml:"max_tls_version,omitempty"` MinTLSVersion uint16 `yaml:"-"` MaxTLSVersion uint16 `yaml:"-"` ClientCertificateValidationString string `yaml:"client_cert_validation,omitempty"` ClientCertificateValidation tls.ClientAuthType `yaml:"-"` OnlyTrustClientCACerts bool `yaml:"only_trust_client_ca_certs"` TLSHandshakeTimeout time.Duration `yaml:"tls_handshake_timeout"` VerifyClientCertificatesBasedOnProvidedMetadata bool `yaml:"enable_verify_client_certificate_metadata,omitempty"` VerifyClientCertificateMetadataRules []VerifyClientCertificateMetadataRule `yaml:"verify_client_certificate_metadata,omitempty"` LoadBalancerHealthyThreshold time.Duration `yaml:"load_balancer_healthy_threshold,omitempty"` PublishStartMessageInterval time.Duration `yaml:"publish_start_message_interval,omitempty"` PruneStaleDropletsInterval time.Duration `yaml:"prune_stale_droplets_interval,omitempty"` DropletStaleThreshold time.Duration `yaml:"droplet_stale_threshold,omitempty"` PublishActiveAppsInterval time.Duration `yaml:"publish_active_apps_interval,omitempty"` StartResponseDelayInterval time.Duration `yaml:"start_response_delay_interval,omitempty"` EndpointTimeout time.Duration `yaml:"endpoint_timeout,omitempty"` EndpointDialTimeout time.Duration `yaml:"endpoint_dial_timeout,omitempty"` WebsocketDialTimeout time.Duration `yaml:"websocket_dial_timeout,omitempty"` EndpointKeepAliveProbeInterval time.Duration `yaml:"endpoint_keep_alive_probe_interval,omitempty"` RouteServiceTimeout time.Duration `yaml:"route_services_timeout,omitempty"` FrontendIdleTimeout time.Duration `yaml:"frontend_idle_timeout,omitempty"` RouteLatencyMetricMuzzleDuration time.Duration `yaml:"route_latency_metric_muzzle_duration,omitempty"` DrainWait time.Duration `yaml:"drain_wait,omitempty"` DrainTimeout time.Duration `yaml:"drain_timeout,omitempty"` SecureCookies bool `yaml:"secure_cookies,omitempty"` StickySessionCookieNames StringSet `yaml:"sticky_session_cookie_names"` StickySessionsForAuthNegotiate bool `yaml:"sticky_sessions_for_auth_negotiate"` HealthCheckUserAgent string `yaml:"healthcheck_user_agent,omitempty"` OAuth OAuthConfig `yaml:"oauth,omitempty"` RoutingApi RoutingApiConfig `yaml:"routing_api,omitempty"` RouteServiceSecret string `yaml:"route_services_secret,omitempty"` RouteServiceSecretPrev string `yaml:"route_services_secret_decrypt_only,omitempty"` RouteServiceRecommendHttps bool `yaml:"route_services_recommend_https,omitempty"` RouteServicesHairpinning bool `yaml:"route_services_hairpinning"` RouteServicesHairpinningAllowlist []string `yaml:"route_services_hairpinning_allowlist,omitempty"` RouteServicesServerPort uint16 `yaml:"route_services_internal_server_port"` // These fields are populated by the `Process` function. Ip string `yaml:"-"` RouteServiceEnabled bool `yaml:"-"` NatsClientPingInterval time.Duration `yaml:"nats_client_ping_interval,omitempty"` NatsClientMessageBufferSize int `yaml:"-"` Backends BackendConfig `yaml:"backends,omitempty"` ExtraHeadersToLog []string `yaml:"extra_headers_to_log,omitempty"` RouteServiceConfig RouteServiceConfig `yaml:"route_services,omitempty"` TokenFetcherMaxRetries uint32 `yaml:"token_fetcher_max_retries,omitempty"` TokenFetcherRetryInterval time.Duration `yaml:"token_fetcher_retry_interval,omitempty"` TokenFetcherExpirationBufferTimeInSeconds int64 `yaml:"token_fetcher_expiration_buffer_time,omitempty"` PidFile string `yaml:"pid_file,omitempty"` LoadBalance string `yaml:"balancing_algorithm,omitempty"` LoadBalanceAZPreference string `yaml:"balancing_algorithm_az_preference,omitempty"` DisableKeepAlives bool `yaml:"disable_keep_alives"` MaxIdleConns int `yaml:"max_idle_conns,omitempty"` MaxIdleConnsPerHost int `yaml:"max_idle_conns_per_host,omitempty"` MaxHeaderBytes int `yaml:"max_header_bytes"` KeepAlive100ContinueRequests bool `yaml:"keep_alive_100_continue_requests"` HTTPRewrite HTTPRewrite `yaml:"http_rewrite,omitempty"` EmptyPoolResponseCode503 bool `yaml:"empty_pool_response_code_503,omitempty"` EmptyPoolTimeout time.Duration `yaml:"empty_pool_timeout,omitempty"` HTMLErrorTemplateFile string `yaml:"html_error_template_file,omitempty"` // Old metric, to eventually be replaced by prometheus reporting // reports latency under gorouter sourceid, and with and without component name PerRequestMetricsReporting bool `yaml:"per_request_metrics_reporting,omitempty"` // Old metric, to eventually be replaced by prometheus reporting SendHttpStartStopServerEvent bool `yaml:"send_http_start_stop_server_event,omitempty"` // Old metric, to eventually be replaced by prometheus reporting SendHttpStartStopClientEvent bool `yaml:"send_http_start_stop_client_event,omitempty"` PerAppPrometheusHttpMetricsReporting bool `yaml:"per_app_prometheus_http_metrics_reporting,omitempty"` HealthCheckPollInterval time.Duration `yaml:"healthcheck_poll_interval"` HealthCheckTimeout time.Duration `yaml:"healthcheck_timeout"` }
func DefaultConfig ¶
func InitConfigFromFile ¶
func (*Config) Initialize ¶
func (*Config) NatsServers ¶
func (*Config) RoutingApiEnabled ¶
type FormatConfig ¶
type FormatConfig struct {
Timestamp string `yaml:"timestamp"`
}
type HTTPRewrite ¶
type HTTPRewrite struct {
Responses HTTPRewriteResponses `yaml:"responses,omitempty"`
}
type HTTPRewriteResponses ¶
type HTTPRewriteResponses struct { AddHeadersIfNotPresent []HeaderNameValue `yaml:"add_headers_if_not_present,omitempty"` RemoveHeaders []HeaderNameValue `yaml:"remove_headers,omitempty"` }
type HeaderNameValue ¶
type LoggingConfig ¶
type LoggingConfig struct { Syslog string `yaml:"syslog"` SyslogAddr string `yaml:"syslog_addr"` SyslogNetwork string `yaml:"syslog_network"` Level string `yaml:"level"` LoggregatorEnabled bool `yaml:"loggregator_enabled"` MetronAddress string `yaml:"metron_address"` DisableLogForwardedFor bool `yaml:"disable_log_forwarded_for"` DisableLogSourceIP bool `yaml:"disable_log_source_ip"` RedactQueryParams string `yaml:"redact_query_params"` EnableAttemptsDetails bool `yaml:"enable_attempts_details"` Format FormatConfig `yaml:"format"` // This field is populated by the `Process` function. JobName string `yaml:"-"` }
type NatsConfig ¶
type NatsConfig struct { Hosts []NatsHost `yaml:"hosts"` User string `yaml:"user"` Pass string `yaml:"pass"` TLSEnabled bool `yaml:"tls_enabled"` CACerts string `yaml:"ca_certs"` CAPool *x509.CertPool `yaml:"-"` ClientAuthCertificate tls.Certificate `yaml:"-"` TLSPem `yaml:",inline"` // embed to get cert_chain and private_key for client authentication }
type OAuthConfig ¶
type PrometheusConfig ¶
type RouteServiceConfig ¶
type RouteServiceConfig struct { ClientAuthCertificate tls.Certificate MaxAttempts int `yaml:"max_attempts"` StrictSignatureValidation bool `yaml:"strict_signature_validation"` TLSPem `yaml:",inline"` // embed to get cert_chain and private_key for client authentication }
type RoutingApiConfig ¶
type RoutingApiConfig struct { Uri string `yaml:"uri"` Port int `yaml:"port"` AuthDisabled bool `yaml:"auth_disabled"` CACerts string `yaml:"ca_certs"` CAPool *x509.CertPool `yaml:"-"` ClientAuthCertificate tls.Certificate TLSPem `yaml:",inline"` // embed to get cert_chain and private_key for client authentication }
type StatusConfig ¶
type StatusConfig struct { Host string `yaml:"host"` Port uint16 `yaml:"port"` EnableNonTLSHealthChecks bool `yaml:"enable_nontls_health_checks"` EnableDeprecatedVarzHealthzEndpoints bool `yaml:"enable_deprecated_varz_healthz_endpoints"` TLSCert tls.Certificate `yaml:"-"` TLS StatusTLSConfig `yaml:"tls"` User string `yaml:"user"` Pass string `yaml:"pass"` Routes StatusRoutesConfig `yaml:"routes"` }
type StatusRoutesConfig ¶
type StatusRoutesConfig struct {
Port uint16 `yaml:"port"`
}
type StatusTLSConfig ¶
type StringSet ¶
type StringSet map[string]struct{}
func (StringSet) MarshalYAML ¶
func (*StringSet) UnmarshalYAML ¶
type VerifyClientCertificateMetadataRule ¶
type VerifyClientCertificateMetadataRule struct { // The issuer DN , for which the subject validation should apply CASubject CertSubject `yaml:"issuer_in_chain"` // The subject DNs that are allowed to be used for mTLS connections to Gorouter ValidSubjects []CertSubject `yaml:"valid_cert_subjects"` }
VerifyClientCertificateMetadataRules defines verification rules for client certificates, which allow additional checks for the certificates' subject.
A rule is applied based on the CA certificate's subject. The CA certificate is defined as part of `client_ca_certs` and identified via its subject. See VerifyClientCertMetadata() for the implementation of checks.
For client certificates issued by a CA that matches CASubject, the valid client certificate subjects are defined in ValidSubjects.