smokescreen

package
v0.0.4 Latest Latest
Published: May 4, 2022 License: MIT Imports: 31 Imported by: 1

Documentation

Overview

From https://github.com/sirupsen/logrus/issues/436

Index

Constants

// Keys of the structured fields smokescreen attaches to its log entries. The
// string values are the names that appear in emitted logs, so log consumers
// (alerting, dashboards, forensic queries) key on them; renaming one is a
// log-schema change, not a cosmetic one.
const (
	// Connection identity and addressing.
	LogFieldID               = "id"
	LogFieldOutLocalAddr     = "outbound_local_addr"
	LogFieldOutRemoteAddr    = "outbound_remote_addr"
	LogFieldInRemoteAddr     = "inbound_remote_addr"
	LogFieldProxyType        = "proxy_type"
	LogFieldRequestedHost    = "requested_host"
	LogFieldStartTime        = "start_time"
	LogFieldTraceID          = "trace_id"
	// Client identity taken from the inbound x509 certificate, plus the role
	// the request was attributed to (see Config.RoleFromRequest) and a project.
	LogFieldInRemoteX509CN   = "inbound_remote_x509_cn"
	LogFieldInRemoteX509OU   = "inbound_remote_x509_ou"
	LogFieldRole             = "role"
	LogFieldProject          = "project"
	LogFieldContentLength    = "content_length"
	// Outcome of the egress decision: whether it was allowed, the reason, and
	// presumably — for a non-enforcing policy — whether enforcement would have
	// denied it (confirm against the ACL code).
	LogFieldDecisionReason   = "decision_reason"
	LogFieldEnforceWouldDeny = "enforce_would_deny"
	LogFieldAllow            = "allow"
	LogFieldError            = "error"
	// Marker for the per-connection decision log line; presumably used as the
	// message text rather than as a field key — confirm.
	CanonicalProxyDecision   = "CANONICAL-PROXY-DECISION"
	// Timings in milliseconds (see Config.TimeConnect).
	LogFieldConnEstablishMS  = "conn_establish_time_ms"
	LogFieldDNSLookupTime    = "dns_lookup_time_ms"
)
const DefaultStatsdNamespace = "smokescreen."

Variables

// PrivateRuleRanges holds the private/internal IP ranges smokescreen handles
// specially by default; Config.UnsafeAllowPrivateRanges inverts that default
// handling. It is a mutable package-level var — presumably populated at init;
// confirm before reading or modifying it elsewhere.
var PrivateRuleRanges []RuleRange
// VersionID is the build identifier, presumably what Version() returns. It
// defaults to "unknown" and is meant to be overridden at build time with
// -ldflags -X (see below).
var VersionID = "unknown"

This can be set at build time: go build -ldflags='-X github.com/stripe/smokescreen/pkg/smokescreen.VersionID=33955a3' .

Functions

func BuildProxy

func BuildProxy(config *Config) *goproxy.ProxyHttpServer

func HTTPErrorHandler

func HTTPErrorHandler(w io.WriteCloser, pctx *goproxy.ProxyCtx, err error)

HTTPErrorHandler allows returning a custom error response when smokescreen fails to connect to the proxy target.

func IsMissingRoleError

func IsMissingRoleError(err error) bool

func MissingRoleError

func MissingRoleError(s string) error

func NewTimeoutConn

func NewTimeoutConn(conn net.Conn, timeout time.Duration) net.Conn

func StartWithConfig

func StartWithConfig(config *Config, quit <-chan interface{})

func Version

func Version() string

Types

type Config

// Config is the full configuration for one smokescreen instance; BuildProxy
// and StartWithConfig consume it. Instances come from NewConfig or LoadConfig
// and are then refined with the Set*/Setup* methods. This rendering elides the
// unexported fields.
type Config struct {
	// Listen address and port. NOTE(review): Listener, when non-nil, presumably
	// takes precedence over Ip/Port — confirm.
	Ip                   string
	Port                 uint16
	Listener             net.Listener
	// Populate with SetDenyRanges / SetDenyAddresses. When
	// UnsafeAllowPrivateRanges is set this is the blocklist that field refers to.
	DenyRanges           []RuleRange
	// Populate with SetAllowRanges / SetAllowAddresses.
	AllowRanges          []RuleRange
	// Resolver used for destination lookups; see SetResolverAddresses and Network.
	Resolver             *net.Resolver
	ConnectTimeout       time.Duration
	ExitTimeout          time.Duration
	// Statsd sink; see SetupStatsd, SetupStatsdWithNamespace and NewNoOpMetricsClient.
	MetricsClient        *MetricsClient
	// Per-request allow/deny policy loaded by SetupEgressAcl.
	EgressACL            acl.Decider
	SupportProxyProtocol bool
	// TLS settings for the listener; see SetupTls (server cert, key, client CAs).
	TlsConfig            *tls.Config
	// CRLs keyed by authority key id, loaded by SetupCrls; presumably consulted
	// when validating inbound client certificates — confirm.
	CrlByAuthorityKeyId  map[string]*pkix.CertificateList
	// Derives the caller's role from the inbound request. The role is logged
	// under LogFieldRole and presumably feeds the EgressACL decision; a lookup
	// error is where AllowMissingRole / MissingRoleError come in.
	RoleFromRequest      func(subject *http.Request) (string, error)

	AdditionalErrorMessageOnDeny string
	Log                          *log.Logger
	// NOTE(review): how a disabled action is treated (rejected at load vs.
	// silently ignored) is not documented here — confirm.
	DisabledAclPolicyActions     []string
	// When false, a request whose role cannot be determined is presumably
	// refused (see MissingRoleError / IsMissingRoleError) — confirm.
	AllowMissingRole             bool
	// Location and file mode of the stats endpoint; presumably a unix socket,
	// in which case the mode decides which local users can query it.
	StatsSocketDir               string
	StatsSocketFileMode          os.FileMode
	StatsServer                  *StatsServer // see StartStatsServer
	ConnTracker                  *conntrack.Tracker
	Healthcheck                  http.Handler // User defined http.Handler for optional requests to a /healthcheck endpoint
	ShuttingDown                 atomic.Value // Stores a boolean value indicating whether the proxy is actively shutting down

	// Network type to use when performing DNS lookups. Must be one of "ip", "ip4" or "ip6".
	Network string

	// A connection is idle if it has been inactive (no bytes in/out) for this many seconds.
	IdleTimeout time.Duration

	// These are *only* used for traditional HTTP proxy requests
	TransportMaxIdleConns        int
	TransportMaxIdleConnsPerHost int

	// Used for logging connection time
	TimeConnect bool

	// Custom Dial Timeout function to be called
	ProxyDialTimeout func(ctx context.Context, network, address string, timeout time.Duration) (net.Conn, error)

	// Custom handler to allow clients to modify reject responses
	RejectResponseHandler func(*http.Response)

	// UnsafeAllowPrivateRanges inverts the default behavior, telling smokescreen to allow private IP
	// ranges by default (exempting loopback and unicast ranges)
	// This setting can be used to configure Smokescreen with a blocklist, rather than an allowlist
	UnsafeAllowPrivateRanges bool
	// contains filtered or unexported fields
}

func LoadConfig

func LoadConfig(filePath string) (*Config, error)

func NewConfig

func NewConfig() *Config

func (*Config) SetAllowAddresses

func (config *Config) SetAllowAddresses(addressStrings []string) error

func (*Config) SetAllowRanges

func (config *Config) SetAllowRanges(rangeStrings []string) error

func (*Config) SetDenyAddresses

func (config *Config) SetDenyAddresses(addressStrings []string) error

func (*Config) SetDenyRanges

func (config *Config) SetDenyRanges(rangeStrings []string) error

func (*Config) SetResolverAddresses

func (config *Config) SetResolverAddresses(resolverAddresses []string) error

func (*Config) SetupCrls

func (config *Config) SetupCrls(crlFiles []string) error

func (*Config) SetupEgressAcl

func (config *Config) SetupEgressAcl(aclFile string) error

func (*Config) SetupStatsd

func (config *Config) SetupStatsd(addr string) error

func (*Config) SetupStatsdWithNamespace

func (config *Config) SetupStatsdWithNamespace(addr, namespace string) error

func (*Config) SetupTls

func (config *Config) SetupTls(certFile, keyFile string, clientCAFiles []string) error

certFile and keyFile may be the same file containing concatenated PEM blocks.

func (*Config) UnmarshalYAML

func (c *Config) UnmarshalYAML(unmarshal func(interface{}) error) error

type ExitStatus

type ExitStatus int

ExitStatus is used to log Smokescreen's connection status at shutdown time.

// The ExitStatus values; ExitStatus.String renders them for the shutdown log.
const (
	Closed ExitStatus = iota // connection was closed — presumably by a peer; confirm
	Idle                     // presumably closed after Config.IdleTimeout elapsed with no traffic; confirm
	Timeout                  // presumably a deadline expired (e.g. ExitTimeout / TimeoutConn); confirm
)

func (ExitStatus) String

func (e ExitStatus) String() string

type HealthcheckMiddleware

// HealthcheckMiddleware hands requests for the /healthcheck endpoint to the
// user-supplied Healthcheck handler and everything else to Proxy (see ServeHTTP).
type HealthcheckMiddleware struct {
	Proxy       http.Handler // the smokescreen proxy handler
	Healthcheck http.Handler // user-defined handler, presumably taken from Config.Healthcheck — confirm
}

HealthcheckMiddleware allows a user defined http.Handler to be invoked by requests to the /healthcheck endpoint. The Healthcheck handler is set in the smokescreen config (Config.Healthcheck).

func (HealthcheckMiddleware) ServeHTTP

type Log2LogrusWriter

// Log2LogrusWriter adapts a writer-style log sink to a logrus Entry (see Write);
// the Overview cites https://github.com/sirupsen/logrus/issues/436 as the motivation.
type Log2LogrusWriter struct {
	Entry *logrus.Entry // destination each Write is forwarded to
}

func (*Log2LogrusWriter) Write

func (w *Log2LogrusWriter) Write(b []byte) (int, error)

type MetricsClient added in v0.0.3

// MetricsClient wraps a statsd.ClientInterface and carries per-metric tags
// (AddMetricTags / GetMetricTags). It is not safe for concurrent use. The
// unexported fields are elided from this rendering.
type MetricsClient struct {
	StatsdClient statsd.ClientInterface // underlying sink; a no-op client via NewNoOpMetricsClient
	// contains filtered or unexported fields
}

MetricsClient is a thin wrapper around statsd.ClientInterface. It is used to allow adding arbitrary tags to Smokescreen metrics.

MetricsClient is not thread safe and should not be used concurrently.

func NewMetricsClient added in v0.0.3

func NewMetricsClient(addr, namespace string) (*MetricsClient, error)

NewMetricsClient creates a new MetricsClient with the provided statsd address and namespace.

func NewNoOpMetricsClient added in v0.0.3

func NewNoOpMetricsClient() *MetricsClient

NewNoOpMetricsClient returns a MetricsClient with a no-op statsd client. This can be used when there's no statsd service available to smokescreen.

func (*MetricsClient) AddMetricTags added in v0.0.3

func (mc *MetricsClient) AddMetricTags(metric string, mTags []string) error

AddMetricTags associates the provided tags slice with a given metric. The metric must be present in the metrics slice.

This function is not thread safe, and adding persistent tags should only be done while initializing the configuration and prior to running smokescreen.

func (*MetricsClient) GetMetricTags added in v0.0.3

func (mc *MetricsClient) GetMetricTags(metric string) []string

GetMetricTags returns the slice of tags associated with a given metric.

func (*MetricsClient) Incr added in v0.0.3

func (mc *MetricsClient) Incr(metric string, rate float64) error

func (*MetricsClient) IncrWithTags added in v0.0.3

func (mc *MetricsClient) IncrWithTags(metric string, tags []string, rate float64) error

func (*MetricsClient) Timing added in v0.0.3

func (mc *MetricsClient) Timing(metric string, d time.Duration, rate float64) error

func (*MetricsClient) TimingWithTags added in v0.0.3

func (mc *MetricsClient) TimingWithTags(metric string, d time.Duration, rate float64, tags []string) error

type RuleRange

// RuleRange is one entry of an allow/deny list: an IP network plus a port. It
// is the element type of Config.AllowRanges, Config.DenyRanges and
// PrivateRuleRanges. NOTE(review): the meaning of Port == 0 (any port?) is not
// stated here — confirm before relying on it.
type RuleRange struct {
	Net  net.IPNet
	Port int
}

type StatsServer

// StatsServer serves smokescreen statistics over HTTP (ServeHTTP); it is
// started by StartStatsServer and stopped by Shutdown. It presumably listens on
// a unix socket under Config.StatsSocketDir with Config.StatsSocketFileMode —
// confirm. All fields are unexported.
type StatsServer struct {
	// contains filtered or unexported fields
}

func StartStatsServer

func StartStatsServer(config *Config) *StatsServer

func (*StatsServer) Serve

func (s *StatsServer) Serve()

func (*StatsServer) ServeHTTP

func (s *StatsServer) ServeHTTP(w http.ResponseWriter, req *http.Request)

func (*StatsServer) Shutdown

func (s *StatsServer) Shutdown()

type TimeoutConn

// TimeoutConn wraps a net.Conn, overriding Read and Write; built by
// NewTimeoutConn, which takes the timeout. Presumably each Read/Write arms a
// deadline of that length so a stalled peer cannot hold the connection open
// indefinitely — confirm. The timeout itself lives in an unexported field.
type TimeoutConn struct {
	net.Conn
	// contains filtered or unexported fields
}

func (*TimeoutConn) Read

func (tc *TimeoutConn) Read(b []byte) (int, error)

func (*TimeoutConn) Write

func (tc *TimeoutConn) Write(b []byte) (int, error)

Directories

Path Synopsis
acl
v1
