Teal.Finance/Garcon
|
Opinionated boilerplate all-in-one HTTP server with rate-limiter, Cookies, JWT, CORS, OPA, web traffic, Prometheus export, PProf… for API and static website. |
This library is used by
Rainbow
and other internal projects at Teal.Finance.
Please propose a PR to add here your project that also uses Garcon.
Features
Garcon includes the following middlewares:
- Logging of incoming requests ;
- Rate limiter to prevent requests flooding ;
- JWT management using HttpOnly cookie or Authorization header ;
- Cross-Origin Resource Sharing (CORS) ;
- Authentication rules based on Datalog/Rego files using Open Policy Agent ;
- Web traffic metrics.
Garcon also provides the following features:
- HTTP/REST server for API endpoints (compatible with any Go-standard HTTP handlers) ;
- File server intended for static web files supporting Brotli and AVIF data ;
- Metrics server exporting data to Prometheus (or other compatible monitoring tool) ;
- PProf server for debugging purpose ;
- Error response in JSON format ;
- Chained middlewares (fork of justinas/alice).
CPU profiling
Moreover, Garcon provides a helper feature defer ProbeCPU.Stop()
to investigate CPU consumption issues
thanks to https://github.com/pkg/profile.
In you code, add defer ProbeCPU.Stop()
that will write the cpu.pprof
file.
import "github.com/teal-finance/garcon/pprof"
func myFunctionConsummingLotsOfCPU() {
defer pprof.ProbeCPU.Stop()
// ... lots of sub-functions
}
Install pprof
and browse your cpu.pprof
file:
cd ~/go
go get -u github.com/google/pprof
cd -
pprof -http=: cpu.pprof
Examples
See also a complete real example in the repo
github.com/teal-finance/rainbow.
High-level
The following code uses the high-level function Garcon.RunServer()
.
package main
import "github.com/teal-finance/garcon"
func main() {
g, _ := garcon.New(
garcon.WithURLs("http://localhost:8080/myapp"),
garcon.WithDocURL("/doc"), // URL --> http://localhost:8080/myapp/doc
garcon.WithServerHeader("MyBackendName-1.2.0"),
garcon.WithJWT(hmacSHA256, "FreePlan", 10, "PremiumPlan", 100),
garcon.WithOPA("auth.rego"),
garcon.WithLimiter(10, 30),
garcon.WithPProf(8093),
garcon.WithProm(9093),
garcon.WithDev(),
)
h := handler(g.ResErr, g.JWTChecker)
g.Run(h, 8080)
}
go build -race ./examples/high-level && ./high-level
2021/12/02 08:01:28 Prometheus export http://localhost:9093
2021/12/02 08:01:28 CORS: Set origin prefixes: [http://localhost:8080 http://localhost: http://192.168.1.]
2021/12/02 08:01:28 CORS: Methods=[GET] Headers=[Origin Accept Content-Type Authorization Cookie] Credentials=true MaxAge=86400
2021/12/02 08:01:28 JWT not required for dev. origins: [http://localhost:8080 http://localhost: http://192.168.1.]
2021/12/02 08:01:28 Enable PProf endpoints: http://localhost:8093/debug/pprof
2021/12/02 08:01:28 Create cookie plan=FreePlan domain=localhost secure=false jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuIjoiRnJlZVBsYW4iLCJleHAiOjE2Njk5NjQ0ODh9.elDm_t4vezVgEmS8UFFo_spLJTts7JWybzbyO_aYV3Y
2021/12/02 08:01:28 Create cookie plan=PremiumPlan domain=localhost secure=false jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuIjoiUHJlbWl1bVBsYW4iLCJleHAiOjE2Njk5NjQ0ODh9.ZJG6xSVUZAEUuMbZLPbGrV6nPoAIZQJA89_OE2pZmPE
2021/12/02 08:01:28 Middleware response HTTP header: Set Server MyBackendName-1.2.0
2021/12/02 08:01:28 Middleware RateLimiter: burst=100 rate=5/s
2021/12/02 08:01:28 Middleware logger: requester IP and requested URL
2021/12/02 08:01:28 Server listening on http://localhost:8080
2. Embedded PProf server
Visit the PProf server at http://localhost:8093/debug/pprof providing the following endpoints:
PProf is easy to use with curl
or wget
:
( cd ~ ; go get -u github.com/google/pprof )
curl http://localhost:8093/debug/pprof/allocs > allocs.pprof
pprof -http=: allocs.pprof
wget http://localhost:8093/debug/pprof/heap
pprof -http=: heap
wget http://localhost:8093/debug/pprof/goroutine
pprof -http=: goroutine
See the PProf post (2013) for further explanations.
3. Embedded metrics server
The export port http://localhost:9093/metrics is for the monitoring tools like Prometheus.
4. Static website server
The high-level example is running.
Open http://localhost:8080/myapp with your browser, and play with the API endpoints.
The resources and API endpoints are protected with a HttpOnly cookie.
The high-level example sets the cookie to browsers visiting the index.html
.
func handler(resErr reserr.ResErr, jc *jwtperm.Checker) http.Handler {
r := chi.NewRouter()
// Static website files
ws := webserver.WebServer{Dir: "examples/www", ResErr: resErr}
r.With(jc.SetCookie).Get("/", ws.ServeFile("index.html", "text/html; charset=utf-8"))
r.With(jc.SetCookie).Get("/favicon.ico", ws.ServeFile("favicon.ico", "image/x-icon"))
r.With(jc.ChkCookie).Get("/js/*", ws.ServeDir("text/javascript; charset=utf-8"))
r.With(jc.ChkCookie).Get("/css/*", ws.ServeDir("text/css; charset=utf-8"))
r.With(jc.ChkCookie).Get("/images/*", ws.ServeImages())
// API
r.With(jc.ChkJWT).Get("/api/v1/items", items)
r.With(jc.ChkJWT).Get("/api/v1/ducks", resErr.NotImplemented)
// Other endpoints
r.NotFound(resErr.InvalidPath)
return r
}
5. Enable Authentication
Restart again the high-level example with authentication enabled.
Attention, in this example we use two redundant middlewares: jwtperm
+ opa
using the same JWT.
This is just an example, do not be confused.
go build -race ./examples/high-level && ./high-level -auth
2021/12/02 08:09:47 Prometheus export http://localhost:9093
2021/12/02 08:09:47 CORS: Set origin prefixes: [http://localhost:8080 http://localhost: http://192.168.1.]
2021/12/02 08:09:47 CORS: Methods=[GET] Headers=[Origin Accept Content-Type Authorization Cookie] Credentials=true MaxAge=86400
2021/12/02 08:09:47 JWT not required for dev. origins: [http://localhost:8080 http://localhost: http://192.168.1.]
2021/12/02 08:09:47 Enable PProf endpoints: http://localhost:8093/debug/pprof
2021/12/02 08:09:47 Create cookie plan=FreePlan domain=localhost secure=false jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuIjoiRnJlZVBsYW4iLCJleHAiOjE2Njk5NjQ5ODd9.5tJk2NoHxkG0o_owtMleBcUaR8z1vRx4rxRRqtZUc_Q
2021/12/02 08:09:47 Create cookie plan=PremiumPlan domain=localhost secure=false jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuIjoiUHJlbWl1bVBsYW4iLCJleHAiOjE2Njk5NjQ5ODd9.ifKhbmxQQ64NweL5aQDb_42tvKHwqiEKD-vxHO3KzsM
2021/12/02 08:09:47 OPA: load "examples/sample-auth.rego"
2021/12/02 08:09:47 Middleware OPA: map[sample-auth.rego:package auth
default allow = false
tokens := {"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuIjoiRnJlZVBsYW4iLCJleHAiOjE2Njk5NjQ0ODh9.elDm_t4vezVgEmS8UFFo_spLJTts7JWybzbyO_aYV3Y"} { true }
allow = true { __local0__ = input.token; data.auth.tokens[__local0__] }]
2021/12/02 08:09:47 Middleware response HTTP header: Set Server MyBackendName-1.2.0
2021/12/02 08:09:47 Middleware RateLimiter: burst=100 rate=5/s
2021/12/02 08:09:47 Middleware logger: requester IP and requested URL
2021/12/02 08:09:47 Server listening on http://localhost:8080
Test the API with curl
:
curl -D - http://localhost:8080/myapp/api/v1/items
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Server: MyBackendName-1.2.0
Vary: Origin
X-Content-Type-Options: nosniff
Date: Thu, 02 Dec 2021 07:06:20 GMT
Content-Length: 84
{"error":"Unauthorized",
"path":"/api/v1/items",
"doc":"http://localhost:8080/myapp/doc"}
The corresponding garcon logs:
2021/12/02 08:06:20 in 127.0.0.1:42888 GET /api/v1/items
[cors] 2021/12/02 08:06:20 Handler: Actual request
[cors] 2021/12/02 08:06:20 Actual request no headers added: missing origin
2021/12/02 08:06:20 OPA unauthorize 127.0.0.1:42888 /api/v1/items
2021/12/02 08:06:20 out 127.0.0.1:42888 GET /api/v1/items 1.426916ms c=1 a=1 i=0 h=0
The CORS logs can be disabled by passing debug=false
in cors.Handler(origins, false)
.
The values c=1 a=1 i=0 h=0
measure the web traffic:
c
for the current number of HTTP connections (gauge)
a
for the accumulated HTTP connections that have been in StateActive (counter)
i
for the accumulated HTTP connections that have been in StateIdle (counter)
h
for the accumulated HTTP connections that have been in StateHijacked (counter)
curl -D - http://localhost:8080/myapp/api/v1/items -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuIjoiRnJlZVBsYW4iLCJleHAiOjE2Njk5NjQ0ODh9.elDm_t4vezVgEmS8UFFo_spLJTts7JWybzbyO_aYV3Y'
HTTP/1.1 200 OK
Content-Type: application/json
Server: MyBackendName-1.2.0
Vary: Origin
Date: Thu, 02 Dec 2021 07:10:37 GMT
Content-Length: 25
["item1","item2","item3"]
The corresponding garcon logs:
2021/12/02 08:10:37 in 127.0.0.1:42892 GET /api/v1/items
[cors] 2021/12/02 08:10:37 Handler: Actual request
[cors] 2021/12/02 08:10:37 Actual request no headers added: missing origin
2021/12/02 08:10:37 Authorization header has JWT: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuIjoiRnJlZVBsYW4iLCJleHAiOjE2Njk5NjQ0ODh9.elDm_t4vezVgEmS8UFFo_spLJTts7JWybzbyO_aYV3Y
2021/12/02 08:10:37 JWT Claims: {FreePlan { [] 2022-12-02 08:01:28 +0100 CET <nil> <nil> invalid cookie}}
2021/12/02 08:10:37 JWT has the FreePlan Namespace
2021/12/02 08:10:37 JWT Permission: {10}
2021/12/02 08:10:37 out 127.0.0.1:42892 GET /api/v1/items 1.984568ms c=1 a=1 i=0 h=0
Low-level
⚠ WARNING: This chapter is outdated! ⚠
See the low-level example.
The following code is a bit different to the stuff done
by the high-level function Garcon.Run()
presented in the previous chapter.
The following code is intended to show
Garcon can be customized to meet your specific requirements.
package main
import (
"log"
"net"
"net/http"
"time"
"github.com/go-chi/chi/v5"
"github.com/teal-finance/garcon"
"github.com/teal-finance/garcon/chain"
"github.com/teal-finance/garcon/cors"
"github.com/teal-finance/garcon/limiter"
"github.com/teal-finance/garcon/metrics"
"github.com/teal-finance/garcon/opa"
"github.com/teal-finance/garcon/pprof"
"github.com/teal-finance/garcon/reserr"
"github.com/teal-finance/garcon/webserver"
)
// Garcon settings
const apiDoc = "https://my-dns.co/doc"
const allowedProdOrigin = "https://my-dns.co"
const allowedDevOrigins = "http://localhost: http://192.168.1."
const serverHeader = "MyBackendName-1.2.0"
const authCfg = "examples/sample-auth.rego"
const pprofPort = 8093
const expPort = 9093
const burst, reqMinute = 10, 30
const devMode = true
func main() {
if devMode {
// the following line collects the CPU-profile and writes it in the file "cpu.pprof"
defer pprof.ProbeCPU().Stop()
}
pprof.StartServer(pprofPort)
// Uniformize error responses with API doc
resErr := reserr.New(apiDoc)
middlewares, connState := setMiddlewares(resErr)
// Handles both REST API and static web files
h := handler(resErr)
h = middlewares.Then(h)
runServer(h, connState)
}
func setMiddlewares(resErr reserr.ResErr) (middlewares chain.Chain, connState func(net.Conn, http.ConnState)) {
// Start a metrics server in background if export port > 0.
// The metrics server is for use with Prometheus or another compatible monitoring tool.
metrics := metrics.Metrics{}
middlewares, connState = metrics.StartServer(expPort, devMode)
// Limit the input request rate per IP
reqLimiter := limiter.New(burst, reqMinute, devMode, resErr)
corsConfig := allowedProdOrigin
if devMode {
corsConfig += " " + allowedDevOrigins
}
allowedOrigins := garcon.SplitClean(corsConfig)
middlewares = middlewares.Append(
reqLimiter.Limit,
garcon.ServerHeader(serverHeader),
cors.Handler(allowedOrigins, devMode),
)
// Endpoint authentication rules (Open Policy Agent)
files := garcon.SplitClean(authCfg)
policy, err := opa.New(files, resErr)
if err != nil {
log.Fatal(err)
}
if policy.Ready() {
middlewares = middlewares.Append(policy.Auth)
}
return middlewares, connState
}
// runServer runs in foreground the main server.
func runServer(h http.Handler, connState func(net.Conn, http.ConnState)) {
const mainPort = "8080"
server := http.Server{
Addr: ":" + mainPort,
Handler: h,
TLSConfig: nil,
ReadTimeout: 1 * time.Second,
ReadHeaderTimeout: 1 * time.Second,
WriteTimeout: 1 * time.Second,
IdleTimeout: 1 * time.Second,
MaxHeaderBytes: 222,
TLSNextProto: nil,
ConnState: connState,
ErrorLog: log.Default(),
BaseContext: nil,
ConnContext: nil,
}
log.Print("Server listening on http://localhost", server.Addr)
log.Fatal(server.ListenAndServe())
}
// handler creates the mapping between the endpoints and the handler functions.
func handler(resErr reserr.ResErr) http.Handler {
r := chi.NewRouter()
// Static website files
ws := webserver.WebServer{Dir: "examples/www", ResErr: resErr}
r.Get("/", ws.ServeFile("index.html", "text/html; charset=utf-8"))
r.Get("/js/*", ws.ServeDir("text/javascript; charset=utf-8"))
r.Get("/css/*", ws.ServeDir("text/css; charset=utf-8"))
r.Get("/images/*", ws.ServeImages())
// API
r.Get("/api/v1/items", items)
r.Get("/api/v1/ducks", resErr.NotImplemented)
// Other endpoints
r.NotFound(resErr.InvalidPath)
return r
}
func items(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Content-Type", "application/json")
_, _ = w.Write([]byte(`["item1","item2","item3"]`))
}
License
LGPL-3.0-or-later:
GNU Lesser General Public License v3.0 or later
(tl;drLegal,
Choosealicense.com).
See the LICENSE file.
Except:
- the example files under CC0-1.0 (Creative Commons Zero v1.0 Universal) ;
- the file chain.go (fork) under the MIT License.
- the file cookie.go (fork) under the MIT License.