ong

module

v0.0.97 Latest Latest Go to latest Published: Jun 6, 2024 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/komuw/ong

Links

Open Source Insights

README ¶

ong

Ong is a small http toolkit.

It's name is derived from Tanzanian artiste, Remmy Ongala.

Inspired by; How I Write HTTP Web Services after Eight Years[1][2] by Mat Ryer.

You really should not use this library/toolkit.
Instead, use the Go net/http package; and if you need some extra bits, may I suggest the awesome github.com/gorilla web toolkit.

This library is made just for me, it might be unsafe & it does not generally accept code contributions.

package main

import (
	"context"
	"fmt"
	"net/http"
	"os"

	"github.com/komuw/ong/config"
	"github.com/komuw/ong/log"
	"github.com/komuw/ong/middleware"
	"github.com/komuw/ong/mux"
	"github.com/komuw/ong/server"
)

func main() {
	l := log.New(context.Background(), os.Stdout, 1000)
	secretKey := "super-h@rd-Pas1word"
	opts := config.WithOpts(
		"localhost",
		65081,
		secretKey,
		config.DirectIpStrategy,
		l,
	) // dev options.
	// alternatively for production:
	//   opts := config.LetsEncryptOpts(...)

	mx := mux.New(
		opts,
		nil,
		mux.NewRoute(
			"hello/",
			mux.MethodGet,
			hello("hello world"),
		),
		mux.NewRoute(
			"check/:age/",
			mux.MethodAll,
			check(),
		),
	)

	err := server.Run(mx, opts)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
}

func hello(msg string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		cspNonce := middleware.GetCspNonce(r.Context())
		csrfToken := middleware.GetCsrfToken(r.Context())
		fmt.Printf("hello called cspNonce: %s, csrfToken: %s", cspNonce, csrfToken)

		// use msg, which is a dependency specific to this handler
		fmt.Fprint(w, msg)
	}
}

func check() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		age := mux.Param(r.Context(), "age")
		_, _ = fmt.Fprintf(w, "Age is %s", age)
	}
}

go run -race ./...

A more complete example can be found in the example/ folder.

References:

Features:

The simplest production ready program using ong http toolkit would be something like;

package main

import (
	"context"
	"fmt"
	"net/http"
	"os"

	"github.com/komuw/ong/config"
	"github.com/komuw/ong/log"
	"github.com/komuw/ong/mux"
	"github.com/komuw/ong/server"
)

func main() {
	logger := log.New(context.Background(), os.Stdout, 1000)
	domain := "example.com"
	secretKey := "super-h@rd-Pas1word"
	email := "hey@example.com"
	opts := config.LetsEncryptOpts(
		domain, secretKey, config.DirectIpStrategy, logger, email, []string{domain})

	mx := mux.New(opts, nil, mux.NewRoute("hello/", mux.MethodGet, hello()))
	_ = server.Run(mx, opts)
}

func hello() http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello")
	}
}

If you do that, these are the features you would enjoy automatically without doing any extra configuration;

Http server. You get a server that automatically;
- sets GOMEMLIMIT & GOMAXPROCS to match linux container memory & cpu quotas.
- fetches and auto renews TLS certificates from letsencrypt or any other compatible ACME authority.
- serves pprof endpoints that are secured by basic authentication. The secretKey is used as the username and password.
- handles automatic http->https redirection.
- implements robust http timeouts to prevent attacks.
- limits size of request bodies to prevent attacks.
- shutsdown cleanly after receiving termination signals. If running in kubernetes, the shutdown is well co-ordinated to prevent errors.
- Reuses port(SO_REUSEPORT) and reuses address(SO_REUSEADDR). This makes it possible to do zero downtime deploys.
Automatic ratelimiting.
Automatic loadshedding.
Automatic proper handling of CORS
Automatic CSRF protection.
Automatic logging of erroring requests with correlation IDs included. The logging is lightweight so it only logs when an error occurs. Importantly, when the error occurs, it also includes all the log statements that occured before(including the non-error ones). This is possible because ong/log uses a circular buffer
Automatic recovery of panics in http handlers and logging of the same including stack traces.
Automatic addition of the real client IP to request context.
Protection against inadvertent form re-submission.
Automatically sets appropriate secure headers(X-Content-Type-Options, Content-Security-Policy, X-Frame-Options, Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy, Referrer-Policy, Strict-Transport-Security)
Automatic addition of TLS fingerprint to request context.
Set's up secure authenticated encrypted http sessions.
Uses a http request multiplexer that;
- panics(during application startup) if there are any conflicting routes.
- has a debugging tool where if given a url, it will return the corresponding http handler for that url.
- can capture path parameters

Those are the automatic ones. There are a few additional features that you can opt into;

A http client that properly handles server-side request forgery attacks.
A cookie package that enables you to work with both plain text cookies and also authenticated encrypted cookies.
A cryptography package that simplifies using authenticated encryption and also hashing.
An errors package that includes error wrapping and stack trace support.
An id package that can generate unique random human friendly identifiers, as well as uuid4(does not leak its creation time) and uuid8(has good database locality).
A log package that implements slog.Logger and is backed by an slog.Handler that stores log messages into a circular buffer.
A sess package that makes it easy to work with http sessions that are backed by tamper-proof & encrypted cookies.
A sync package that makes it easier to work with groups of goroutines working on subtasks of a common task.

Directories ¶

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

Path	Synopsis
automax Package automax automatically sets GOMEMLIMIT & GOMAXPROCS to match the linux container memory & cpu quotas, if any.	Package automax automatically sets GOMEMLIMIT & GOMAXPROCS to match the linux container memory & cpu quotas, if any.
client Package client provides a HTTP client implementation.	Package client provides a HTTP client implementation.
config Package config provides various parameters(configuration optionals) that can be used to configure ong.	Package config provides various parameters(configuration optionals) that can be used to configure ong.
cookie Package cookie provides utilities for using HTTP cookies.	Package cookie provides utilities for using HTTP cookies.
cry Package cry provides utilities for cryptography.	Package cry provides utilities for cryptography.
errors Package errors implements functions to manipulate errors.	Package errors implements functions to manipulate errors.
example
id Package id generates unique random identifiers.	Package id generates unique random identifiers.
internal
acme Package acme provides automatic access to certificates from ACME-based certificate authorities(like Let's Encrypt).	Package acme provides automatic access to certificates from ACME-based certificate authorities(like Let's Encrypt).
clientip Package clientip provides(in a best effort manner) a client's IP address.	Package clientip provides(in a best effort manner) a client's IP address.
finger Package finger provides(in a best effort manner) a client's TLS fingerprint.	Package finger provides(in a best effort manner) a client's TLS fingerprint.
key Package key implements some common secure functionality.	Package key implements some common secure functionality.
mx Package mx implements a HTTP request multiplexer.	Package mx implements a HTTP request multiplexer.
octx Package octx houses context keys used by multiple ong packages.	Package octx houses context keys used by multiple ong packages.
tst Package tst implements some common test functionality needed across ong.	Package tst implements some common test functionality needed across ong.
log Package log implements a simple logging handler.	Package log implements a simple logging handler.
middleware Package middleware provides helpful functions that implement some common functionalities in http servers.	Package middleware provides helpful functions that implement some common functionalities in http servers.
mux Package mux implements a HTTP request multiplexer.	Package mux implements a HTTP request multiplexer.
server Package server provides HTTP server implementation.	Package server provides HTTP server implementation.
sess Package sess provides an implementation of http sessions that is backed by tamper-proof & encrypted cookies.	Package sess provides an implementation of http sessions that is backed by tamper-proof & encrypted cookies.
sync Package sync provides synchronization, error propagation, and Context cancelation for groups of goroutines working on subtasks of a common task.	Package sync provides synchronization, error propagation, and Context cancelation for groups of goroutines working on subtasks of a common task.