Documentation ¶
Index ¶
- Constants
- Variables
- func InitClientCertMetadataRules(rules []VerifyClientCertificateMetadataRule, certs []*x509.Certificate) error
- func IsLoadBalancingAlgorithmValid(lbAlgo string) bool
- func VerifyClientCertMetadata(rules []VerifyClientCertificateMetadataRule, chains [][]*x509.Certificate, ...) error
- type AccessLog
- type BackendConfig
- type CertSubject
- type Config
- type FormatConfig
- type HTTPRewrite
- type HTTPRewriteResponses
- type HeaderNameValue
- type LoggingConfig
- type NatsConfig
- type NatsHost
- type OAuthConfig
- type PrometheusConfig
- type RouteServiceConfig
- type RoutingApiConfig
- type StatusConfig
- type StatusRoutesConfig
- type StatusTLSConfig
- type StringSet
- type TLSPem
- type Tracing
- type VerifyClientCertificateMetadataRule
Constants ¶
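// String values used by several Gorouter configuration options. The listing
// had been collapsed onto a single line, which does not parse as Go; it is
// restored here with one constant per line. The allow-lists built from these
// values are LoadBalancingStrategies, AZPreferences, AllowedShardingModes,
// AllowedForwardedClientCertModes and AllowedQueryParmRedactionModes.
const (
	// Load-balancing algorithms (see LoadBalancingStrategies).
	LOAD_BALANCE_RR string = "round-robin"
	LOAD_BALANCE_LC string = "least-connection"

	// AZ preferences (see AZPreferences).
	AZ_PREF_NONE  string = "none"
	AZ_PREF_LOCAL string = "locally-optimistic"

	// Routing-table sharding modes (see AllowedShardingModes).
	SHARD_ALL                 string = "all"
	SHARD_SEGMENTS            string = "segments"
	SHARD_SHARED_AND_SEGMENTS string = "shared-and-segments"

	// Forwarded-client-certificate modes (see AllowedForwardedClientCertModes).
	// NOTE(review): the per-mode behaviour is not described here. Confirm how
	// each mode treats certificate information supplied by the client before
	// any backend relies on it for authentication.
	ALWAYS_FORWARD string = "always_forward"
	SANITIZE_SET   string = "sanitize_set"
	FORWARD        string = "forward"

	// Query-parameter redaction modes (see AllowedQueryParmRedactionModes).
	// NOTE(review): presumably "none" leaves query strings unredacted in logs;
	// query strings can carry tokens, so confirm the mode used in production.
	REDACT_QUERY_PARMS_NONE string = "none"
	REDACT_QUERY_PARMS_ALL  string = "all"
	REDACT_QUERY_PARMS_HASH string = "hash"
)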
Variables ¶
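// Allow-lists of the string values accepted for the corresponding
// configuration options. The listing had been collapsed onto a single line,
// which does not parse as Go; it is restored here with one variable per line.
//
// These are exported, mutable slices: any code that imports the package can
// change what counts as an allowed value, so treat them as read-only.
var (
	LoadBalancingStrategies         = []string{LOAD_BALANCE_RR, LOAD_BALANCE_LC}
	AZPreferences                   = []string{AZ_PREF_NONE, AZ_PREF_LOCAL}
	AllowedShardingModes            = []string{SHARD_ALL, SHARD_SEGMENTS, SHARD_SHARED_AND_SEGMENTS}
	AllowedForwardedClientCertModes = []string{ALWAYS_FORWARD, FORWARD, SANITIZE_SET}
	AllowedQueryParmRedactionModes  = []string{REDACT_QUERY_PARMS_NONE, REDACT_QUERY_PARMS_ALL, REDACT_QUERY_PARMS_HASH}
)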
Functions ¶
func InitClientCertMetadataRules ¶
func InitClientCertMetadataRules(rules []VerifyClientCertificateMetadataRule, certs []*x509.Certificate) error
InitClientCertMetadataRules compares the defined rules against the client CAs set in `client_ca_certs`. If a rule has no corresponding client CA (matched by the CA's subject), startup will fail.
This is to avoid defining a rule with a minor typo that would then not apply at all and would make the whole additional metadata check moot.
func VerifyClientCertMetadata ¶
func VerifyClientCertMetadata(rules []VerifyClientCertificateMetadataRule, chains [][]*x509.Certificate, logger *slog.Logger) error
VerifyClientCertMetadata checks whether any configured VerifyClientCertificateMetadataRule applies to the certificate chain received from the tls.Config.VerifyPeerCertificate function callback.
If a rule does apply, it is evaluated.
Returns an error if there is an applicable rule which does not find a valid client certificate subject.
Types ¶
type BackendConfig ¶
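// BackendConfig is the value of the `backends` key of Config. The listing had
// been collapsed onto one line, where the trailing line comment swallowed the
// closing brace; it is restored here.
type BackendConfig struct {
	// NOTE(review): unlike NatsConfig.ClientAuthCertificate, this field has
	// no `yaml:"-"` tag. Confirm that it is only ever filled from the inlined
	// TLSPem and is not meant to be settable from YAML.
	ClientAuthCertificate tls.Certificate

	MaxConns    int64 `yaml:"max_conns"`
	MaxAttempts int   `yaml:"max_attempts"`

	// The private key is read from the YAML config, so the config file needs
	// the same access restrictions as the key itself.
	TLSPem `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}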
type CertSubject ¶
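// CertSubject carries the fields of a certificate subject (distinguished
// name) with YAML keys, so that subjects can be declared in configuration and
// compared. The listing had been collapsed onto one line, which does not
// parse as Go; it is restored here with one field per line.
type CertSubject struct {
	Country            []string `yaml:"country"`
	Organization       []string `yaml:"organization"`
	OrganizationalUnit []string `yaml:"organizational_unit"`
	CommonName         string   `yaml:"common_name"`
	SerialNumber       string   `yaml:"serial_number"`
	Locality           []string `yaml:"locality"`
	Province           []string `yaml:"province"`
	StreetAddress      []string `yaml:"street_address"`
	PostalCode         []string `yaml:"postal_code"`
}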
CertSubject defines the same fields as pkix.Name and allows YAML declaration of said fields. This is used to express distinguished names for certificate subjects in a comparable manner.
func (CertSubject) ToName ¶
func (c CertSubject) ToName() pkix.Name
ToName converts this CertSubject to a pkix.Name.
type Config ¶
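// Config is the top-level Gorouter configuration. Fields with a yaml key are
// declared in the YAML config file; fields tagged `yaml:"-"` are skipped by
// the YAML decoder and presumably hold values derived during processing.
//
// The listing had been collapsed onto a few long lines, where line comments
// swallowed the fields that followed them; it is restored here with one field
// per line. Field order, names, types and tags are unchanged.
type Config struct {
	Status     StatusConfig     `yaml:"status,omitempty"`
	Nats       NatsConfig       `yaml:"nats,omitempty"`
	Logging    LoggingConfig    `yaml:"logging,omitempty"`
	Port       uint16           `yaml:"port,omitempty"`
	Prometheus PrometheusConfig `yaml:"prometheus,omitempty"`
	Index      uint             `yaml:"index,omitempty"`
	Zone       string           `yaml:"zone,omitempty"`
	GoMaxProcs int              `yaml:"go_max_procs,omitempty"`
	Tracing    Tracing          `yaml:"tracing,omitempty"`
	TraceKey   string           `yaml:"trace_key,omitempty"`
	AccessLog  AccessLog        `yaml:"access_log,omitempty"`

	// NOTE(review): presumably the listen address of a debug endpoint. What
	// it exposes is not shown here; if it is set, confirm it is bound to
	// loopback or an administrative network only.
	DebugAddr string `yaml:"debug_addr,omitempty"`

	// NOTE(review): presumably enables the PROXY protocol on the listeners.
	// Client address information received that way is only as trustworthy as
	// the peer sending it — confirm which peers can connect.
	EnablePROXY bool `yaml:"enable_proxy,omitempty"`

	EnableSSL                      bool   `yaml:"enable_ssl,omitempty"`
	SSLPort                        uint16 `yaml:"ssl_port,omitempty"`
	DisableHTTP                    bool   `yaml:"disable_http,omitempty"`
	EnableHTTP2                    bool   `yaml:"enable_http2"`
	EnableHTTP1ConcurrentReadWrite bool   `yaml:"enable_http1_concurrent_read_write"`

	SSLCertificates []tls.Certificate `yaml:"-"`
	TLSPEM          []TLSPem          `yaml:"tls_pem,omitempty"`

	CACerts []string       `yaml:"ca_certs,omitempty"`
	CAPool  *x509.CertPool `yaml:"-"`

	// ClientCACerts is the `client_ca_certs` setting that
	// InitClientCertMetadataRules compares the metadata rules against.
	ClientCACerts string         `yaml:"client_ca_certs,omitempty"`
	ClientCAPool  *x509.CertPool `yaml:"-"`

	// NOTE(review): the name suggests TLS certificate verification is skipped
	// when true; which connections it covers is not shown here. Confirm, and
	// keep it false outside of test environments.
	SkipSSLValidation bool `yaml:"skip_ssl_validation,omitempty"`

	// NOTE(review): presumably one of AllowedForwardedClientCertModes. The
	// chosen mode decides how far backends can trust forwarded certificate
	// information — confirm the per-mode behaviour.
	ForwardedClientCert      string `yaml:"forwarded_client_cert,omitempty"`
	ForceForwardedProtoHttps bool   `yaml:"force_forwarded_proto_https,omitempty"`
	SanitizeForwardedProto   bool   `yaml:"sanitize_forwarded_proto,omitempty"`

	HopByHopHeadersToFilter []string `yaml:"hop_by_hop_headers_to_filter"`

	IsolationSegments        []string `yaml:"isolation_segments,omitempty"`
	RoutingTableShardingMode string   `yaml:"routing_table_sharding_mode,omitempty"`

	// TLS parameters. The string fields come from YAML; the numeric fields
	// are tagged `yaml:"-"`.
	// NOTE(review): presumably the numeric fields are parsed from the
	// strings; how an empty or unknown string is handled is not shown here.
	CipherString        string   `yaml:"cipher_suites,omitempty"`
	CipherSuites        []uint16 `yaml:"-"`
	MinTLSVersionString string   `yaml:"min_tls_version,omitempty"`
	MaxTLSVersionString string   `yaml:"max_tls_version,omitempty"`
	MinTLSVersion       uint16   `yaml:"-"`
	MaxTLSVersion       uint16   `yaml:"-"`

	// Client-certificate handling.
	// NOTE(review): the accepted `client_cert_validation` values and their
	// mapping to tls.ClientAuthType are not shown here — confirm that the
	// configured value actually requires and verifies a client certificate
	// wherever mTLS is expected.
	ClientCertificateValidationString string             `yaml:"client_cert_validation,omitempty"`
	ClientCertificateValidation       tls.ClientAuthType `yaml:"-"`
	OnlyTrustClientCACerts            bool               `yaml:"only_trust_client_ca_certs"`
	TLSHandshakeTimeout               time.Duration      `yaml:"tls_handshake_timeout"`

	// Additional subject checks on client certificates; see
	// VerifyClientCertMetadata and VerifyClientCertificateMetadataRule.
	// NOTE(review): presumably the rules are only evaluated when the boolean
	// is true — confirm, since rules without the switch would be inert.
	VerifyClientCertificatesBasedOnProvidedMetadata bool                                  `yaml:"enable_verify_client_certificate_metadata,omitempty"`
	VerifyClientCertificateMetadataRules            []VerifyClientCertificateMetadataRule `yaml:"verify_client_certificate_metadata,omitempty"`

	LoadBalancerHealthyThreshold     time.Duration `yaml:"load_balancer_healthy_threshold,omitempty"`
	PublishStartMessageInterval      time.Duration `yaml:"publish_start_message_interval,omitempty"`
	PruneStaleDropletsInterval       time.Duration `yaml:"prune_stale_droplets_interval,omitempty"`
	DropletStaleThreshold            time.Duration `yaml:"droplet_stale_threshold,omitempty"`
	PublishActiveAppsInterval        time.Duration `yaml:"publish_active_apps_interval,omitempty"`
	StartResponseDelayInterval       time.Duration `yaml:"start_response_delay_interval,omitempty"`
	EndpointTimeout                  time.Duration `yaml:"endpoint_timeout,omitempty"`
	EndpointDialTimeout              time.Duration `yaml:"endpoint_dial_timeout,omitempty"`
	WebsocketDialTimeout             time.Duration `yaml:"websocket_dial_timeout,omitempty"`
	EndpointKeepAliveProbeInterval   time.Duration `yaml:"endpoint_keep_alive_probe_interval,omitempty"`
	RouteServiceTimeout              time.Duration `yaml:"route_services_timeout,omitempty"`
	FrontendIdleTimeout              time.Duration `yaml:"frontend_idle_timeout,omitempty"`
	ReadHeaderTimeout                time.Duration `yaml:"read_header_timeout,omitempty"`
	RouteLatencyMetricMuzzleDuration time.Duration `yaml:"route_latency_metric_muzzle_duration,omitempty"`
	DrainWait                        time.Duration `yaml:"drain_wait,omitempty"`
	DrainTimeout                     time.Duration `yaml:"drain_timeout,omitempty"`

	SecureCookies                  bool      `yaml:"secure_cookies,omitempty"`
	StickySessionCookieNames       StringSet `yaml:"sticky_session_cookie_names"`
	StickySessionsForAuthNegotiate bool      `yaml:"sticky_sessions_for_auth_negotiate"`
	HealthCheckUserAgent           string    `yaml:"healthcheck_user_agent,omitempty"`

	OAuth      OAuthConfig      `yaml:"oauth,omitempty"`
	RoutingApi RoutingApiConfig `yaml:"routing_api,omitempty"`

	// Route-service secrets are read from the YAML config as plain strings,
	// so the config file needs the same protection as the secrets.
	// NOTE(review): the `..._decrypt_only` key suggests RouteServiceSecretPrev
	// is the previous secret kept for rotation — confirm.
	RouteServiceSecret                string   `yaml:"route_services_secret,omitempty"`
	RouteServiceSecretPrev            string   `yaml:"route_services_secret_decrypt_only,omitempty"`
	RouteServiceRecommendHttps        bool     `yaml:"route_services_recommend_https,omitempty"`
	RouteServicesHairpinning          bool     `yaml:"route_services_hairpinning"`
	RouteServicesHairpinningAllowlist []string `yaml:"route_services_hairpinning_allowlist,omitempty"`
	RouteServicesServerPort           uint16   `yaml:"route_services_internal_server_port"`

	// These fields are populated by the `Process` function.
	Ip                  string `yaml:"-"`
	RouteServiceEnabled bool   `yaml:"-"`

	NatsClientPingInterval      time.Duration `yaml:"nats_client_ping_interval,omitempty"`
	NatsClientMessageBufferSize int           `yaml:"-"`

	Backends BackendConfig `yaml:"backends,omitempty"`

	// NOTE(review): headers listed here are presumably written to the access
	// log; avoid listing headers that carry credentials or session tokens.
	ExtraHeadersToLog []string `yaml:"extra_headers_to_log,omitempty"`

	RouteServiceConfig RouteServiceConfig `yaml:"route_services,omitempty"`

	TokenFetcherMaxRetries                    uint32        `yaml:"token_fetcher_max_retries,omitempty"`
	TokenFetcherRetryInterval                 time.Duration `yaml:"token_fetcher_retry_interval,omitempty"`
	TokenFetcherExpirationBufferTimeInSeconds int64         `yaml:"token_fetcher_expiration_buffer_time,omitempty"`

	PidFile string `yaml:"pid_file,omitempty"`

	// NOTE(review): presumably one of LoadBalancingStrategies and
	// AZPreferences respectively; see IsLoadBalancingAlgorithmValid.
	LoadBalance             string `yaml:"balancing_algorithm,omitempty"`
	LoadBalanceAZPreference string `yaml:"balancing_algorithm_az_preference,omitempty"`

	DisableKeepAlives   bool `yaml:"disable_keep_alives"`
	MaxIdleConns        int  `yaml:"max_idle_conns,omitempty"`
	MaxIdleConnsPerHost int  `yaml:"max_idle_conns_per_host,omitempty"`

	// Header size and count limits.
	// NOTE(review): whether a zero value means "unlimited" or "use a
	// default" is not shown here — confirm before leaving these unset.
	MaxRequestHeaderBytes  int `yaml:"max_request_header_bytes"`
	MaxResponseHeaderBytes int `yaml:"max_response_header_bytes"`
	MaxRequestHeaders      int `yaml:"max_request_headers"`
	MaxResponseHeaders     int `yaml:"max_response_headers"`

	KeepAlive100ContinueRequests bool `yaml:"keep_alive_100_continue_requests"`

	HTTPRewrite HTTPRewrite `yaml:"http_rewrite,omitempty"`

	EmptyPoolResponseCode503 bool          `yaml:"empty_pool_response_code_503,omitempty"`
	EmptyPoolTimeout         time.Duration `yaml:"empty_pool_timeout,omitempty"`

	HTMLErrorTemplateFile string `yaml:"html_error_template_file,omitempty"`

	// Old metric, to eventually be replaced by prometheus reporting
	// reports latency under gorouter sourceid, and with and without component name
	PerRequestMetricsReporting bool `yaml:"per_request_metrics_reporting,omitempty"`

	// Old metric, to eventually be replaced by prometheus reporting
	SendHttpStartStopServerEvent bool `yaml:"send_http_start_stop_server_event,omitempty"`

	// Old metric, to eventually be replaced by prometheus reporting
	SendHttpStartStopClientEvent bool `yaml:"send_http_start_stop_client_event,omitempty"`

	PerAppPrometheusHttpMetricsReporting bool `yaml:"per_app_prometheus_http_metrics_reporting,omitempty"`

	HealthCheckPollInterval time.Duration `yaml:"healthcheck_poll_interval"`
	HealthCheckTimeout      time.Duration `yaml:"healthcheck_timeout"`
}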
func DefaultConfig ¶
func InitConfigFromFile ¶
func (*Config) Initialize ¶
func (*Config) NatsServers ¶
func (*Config) RoutingApiEnabled ¶
type FormatConfig ¶
// FormatConfig is the type of LoggingConfig.Format (yaml key `format`).
type FormatConfig struct {
	// Timestamp is read from the `timestamp` key.
	// NOTE(review): the accepted values are not shown here.
	Timestamp string `yaml:"timestamp"`
}
type HTTPRewrite ¶
// HTTPRewrite is the value of the `http_rewrite` key of Config. It currently
// only groups the response rewrite settings.
type HTTPRewrite struct {
	// Responses holds the header rewrite rules declared under `responses`.
	Responses HTTPRewriteResponses `yaml:"responses,omitempty"`
}
type HTTPRewriteResponses ¶
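// HTTPRewriteResponses lists response headers to add and to remove. The
// listing had been collapsed onto one line, which does not parse as Go; it is
// restored here with one field per line.
type HTTPRewriteResponses struct {
	// NOTE(review): per the name, a header is only added when the response
	// does not already carry it, so presumably a backend-supplied value
	// wins — confirm before using this to enforce a security header.
	AddHeadersIfNotPresent []HeaderNameValue `yaml:"add_headers_if_not_present,omitempty"`
	RemoveHeaders          []HeaderNameValue `yaml:"remove_headers,omitempty"`
}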
type HeaderNameValue ¶
type LoggingConfig ¶
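// LoggingConfig is the value of the `logging` key of Config. The listing had
// been collapsed onto one line, where the line comment swallowed the last
// field and the closing brace; it is restored here.
type LoggingConfig struct {
	Syslog             string `yaml:"syslog"`
	SyslogAddr         string `yaml:"syslog_addr"`
	SyslogNetwork      string `yaml:"syslog_network"`
	Level              string `yaml:"level"`
	LoggregatorEnabled bool   `yaml:"loggregator_enabled"`
	MetronAddress      string `yaml:"metron_address"`

	// NOTE(review): by their names these switch off logging of the forwarded
	// and source client addresses; confirm the effect before relying on them
	// for privacy requirements, and remember they also reduce what is
	// available for incident investigation.
	DisableLogForwardedFor bool `yaml:"disable_log_forwarded_for"`
	DisableLogSourceIP     bool `yaml:"disable_log_source_ip"`

	// NOTE(review): presumably one of AllowedQueryParmRedactionModes. Query
	// strings can carry tokens, so confirm which mode production uses.
	RedactQueryParams string `yaml:"redact_query_params"`

	EnableAttemptsDetails bool         `yaml:"enable_attempts_details"`
	Format                FormatConfig `yaml:"format"`

	// This field is populated by the `Process` function.
	JobName string `yaml:"-"`
}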
type NatsConfig ¶
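// NatsConfig is the value of the `nats` key of Config. The listing had been
// collapsed onto one line, where the trailing line comment swallowed the
// closing brace; it is restored here.
type NatsConfig struct {
	Hosts []NatsHost `yaml:"hosts"`

	// User and Pass are read from the YAML config as plain strings, so the
	// config file needs the same protection as the credentials.
	User string `yaml:"user"`
	Pass string `yaml:"pass"`

	// NOTE(review): presumably the credentials above travel unencrypted when
	// TLSEnabled is false — confirm, and prefer enabling TLS.
	TLSEnabled bool           `yaml:"tls_enabled"`
	CACerts    string         `yaml:"ca_certs"`
	CAPool     *x509.CertPool `yaml:"-"`

	ClientAuthCertificate tls.Certificate `yaml:"-"`
	TLSPem                `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}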
type OAuthConfig ¶
type PrometheusConfig ¶
type RouteServiceConfig ¶
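// RouteServiceConfig is the value of the `route_services` key of Config. The
// listing had been collapsed onto one line, where the trailing line comment
// swallowed the closing brace; it is restored here.
type RouteServiceConfig struct {
	// NOTE(review): unlike NatsConfig.ClientAuthCertificate, this field has
	// no `yaml:"-"` tag. Confirm that it is only ever filled from the inlined
	// TLSPem and is not meant to be settable from YAML.
	ClientAuthCertificate tls.Certificate

	MaxAttempts int `yaml:"max_attempts"`

	// NOTE(review): what the non-strict mode accepts is not shown here;
	// confirm before leaving this false.
	StrictSignatureValidation bool `yaml:"strict_signature_validation"`

	// The private key is read from the YAML config, so the config file needs
	// the same access restrictions as the key itself.
	TLSPem `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}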
type RoutingApiConfig ¶
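// RoutingApiConfig is the value of the `routing_api` key of Config. The
// listing had been collapsed onto one line, where the trailing line comment
// swallowed the closing brace; it is restored here.
type RoutingApiConfig struct {
	Uri  string `yaml:"uri"`
	Port int    `yaml:"port"`

	// NOTE(review): by its name this turns authentication towards the
	// routing API off; confirm the exact effect and keep it false outside of
	// test environments.
	AuthDisabled bool `yaml:"auth_disabled"`

	CACerts string         `yaml:"ca_certs"`
	CAPool  *x509.CertPool `yaml:"-"`

	// NOTE(review): unlike NatsConfig.ClientAuthCertificate, this field has
	// no `yaml:"-"` tag. Confirm that it is only ever filled from the inlined
	// TLSPem and is not meant to be settable from YAML.
	ClientAuthCertificate tls.Certificate
	TLSPem                `yaml:",inline"` // embed to get cert_chain and private_key for client authentication
}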
type StatusConfig ¶
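// StatusConfig is the value of the `status` key of Config. The listing had
// been collapsed onto one line, which does not parse as Go; it is restored
// here with one field per line.
type StatusConfig struct {
	Host string `yaml:"host"`
	Port uint16 `yaml:"port"`

	// NOTE(review): by its name this allows health checks over a non-TLS
	// listener; confirm what else that listener serves before enabling it.
	EnableNonTLSHealthChecks bool `yaml:"enable_nontls_health_checks"`

	// Marked deprecated by its own name; keep it off unless a consumer still
	// depends on those endpoints.
	EnableDeprecatedVarzHealthzEndpoints bool `yaml:"enable_deprecated_varz_healthz_endpoints"`

	TLSCert tls.Certificate `yaml:"-"`
	TLS     StatusTLSConfig `yaml:"tls"`

	// User and Pass are read from the YAML config as plain strings, so the
	// config file needs the same protection as the credentials.
	User string `yaml:"user"`
	Pass string `yaml:"pass"`

	Routes StatusRoutesConfig `yaml:"routes"`
}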
type StatusRoutesConfig ¶
// StatusRoutesConfig is the type of StatusConfig.Routes (yaml key `routes`).
type StatusRoutesConfig struct {
	// Port is read from the `port` key.
	// NOTE(review): presumably a separate listener for route information;
	// what it serves and who may reach it is not shown here.
	Port uint16 `yaml:"port"`
}
type StatusTLSConfig ¶
type StringSet ¶
// StringSet is a set of strings, represented as a map with empty-struct
// values. It has MarshalYAML and UnmarshalYAML methods; the YAML form they
// use is not shown here.
type StringSet map[string]struct{}
func (StringSet) MarshalYAML ¶
func (*StringSet) UnmarshalYAML ¶
type VerifyClientCertificateMetadataRule ¶
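// VerifyClientCertificateMetadataRule restricts which client certificate
// subjects are accepted for certificates issued by a given CA. The listing
// had been collapsed onto one line, where the first line comment swallowed
// the rest of the declaration; it is restored here.
//
// The CA is identified by its subject, which is a name and not a key.
// NOTE(review): presumably any trusted client CA carrying the same subject
// selects the same rule — keep `client_ca_certs` free of CAs with duplicate
// subjects, and confirm how an empty ValidSubjects list is treated.
type VerifyClientCertificateMetadataRule struct {
	// The issuer DN, for which the subject validation should apply
	CASubject CertSubject `yaml:"issuer_in_chain"`
	// The subject DNs that are allowed to be used for mTLS connections to Gorouter
	ValidSubjects []CertSubject `yaml:"valid_cert_subjects"`
}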
VerifyClientCertificateMetadataRule defines verification rules for client certificates, which allow additional checks for the certificates' subject.
A rule is applied based on the CA certificate's subject. The CA certificate is defined as part of `client_ca_certs` and identified via its subject. See VerifyClientCertMetadata() for the implementation of checks.
For client certificates issued by a CA that matches CASubject, the valid client certificate subjects are defined in ValidSubjects.