Documentation ¶
Overview ¶
Package validation includes validators to validate values that will propagate to the NGINX configuration.
The validation rules prevent two cases: (1) Invalid values. Such values will cause NGINX to fail to reload the configuration. (2) Malicious values. Such values will cause NGINX to succeed to reload, but will configure NGINX maliciously, outside of the NGF capabilities. For example, configuring NGINX to serve the contents of the file system of its container.
The validation rules are based on the types in the parent config package and how they are used in the NGINX configuration templates. Changes to those might require changing the validation rules.
The rules are much looser for NGINX than for the Gateway API. However, some valid Gateway API values are not valid for NGINX.
Index ¶
- type HTTPNJSMatchValidator
- func (HTTPNJSMatchValidator) ValidateHeaderNameInMatch(name string) error
- func (HTTPNJSMatchValidator) ValidateHeaderValueInMatch(value string) error
- func (HTTPNJSMatchValidator) ValidateMethodInMatch(method string) (valid bool, supportedValues []string)
- func (HTTPNJSMatchValidator) ValidatePathInMatch(path string) error
- func (HTTPNJSMatchValidator) ValidateQueryParamNameInMatch(name string) error
- func (HTTPNJSMatchValidator) ValidateQueryParamValueInMatch(value string) error
- type HTTPRedirectValidator
- func (HTTPRedirectValidator) ValidateHostname(hostname string) error
- func (HTTPRedirectValidator) ValidateRedirectPort(_ int32) error
- func (HTTPRedirectValidator) ValidateRedirectScheme(scheme string) (valid bool, supportedValues []string)
- func (HTTPRedirectValidator) ValidateRedirectStatusCode(statusCode int) (valid bool, supportedValues []string)
- type HTTPRequestHeaderValidator
- type HTTPURLRewriteValidator
- type HTTPValidator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type HTTPNJSMatchValidator ¶
type HTTPNJSMatchValidator struct{}
HTTPNJSMatchValidator validates values used for matching a request. The matching is implemented in NJS (except for path matching), so changes to the implementation change the validation rules here.
func (HTTPNJSMatchValidator) ValidateHeaderNameInMatch ¶
func (HTTPNJSMatchValidator) ValidateHeaderNameInMatch(name string) error
func (HTTPNJSMatchValidator) ValidateHeaderValueInMatch ¶
func (HTTPNJSMatchValidator) ValidateHeaderValueInMatch(value string) error
func (HTTPNJSMatchValidator) ValidateMethodInMatch ¶
func (HTTPNJSMatchValidator) ValidateMethodInMatch(method string) (valid bool, supportedValues []string)
func (HTTPNJSMatchValidator) ValidatePathInMatch ¶
func (HTTPNJSMatchValidator) ValidatePathInMatch(path string) error
ValidatePathInMatch a path used in the location directive.
func (HTTPNJSMatchValidator) ValidateQueryParamNameInMatch ¶
func (HTTPNJSMatchValidator) ValidateQueryParamNameInMatch(name string) error
func (HTTPNJSMatchValidator) ValidateQueryParamValueInMatch ¶
func (HTTPNJSMatchValidator) ValidateQueryParamValueInMatch(value string) error
type HTTPRedirectValidator ¶
type HTTPRedirectValidator struct{}
HTTPRedirectValidator validates values for a redirect, which in NGINX is done with the return directive. For example, return 302 "https://example.com:8080";
func (HTTPRedirectValidator) ValidateHostname ¶ added in v1.2.0
func (HTTPRedirectValidator) ValidateHostname(hostname string) error
func (HTTPRedirectValidator) ValidateRedirectPort ¶
func (HTTPRedirectValidator) ValidateRedirectPort(_ int32) error
func (HTTPRedirectValidator) ValidateRedirectScheme ¶
func (HTTPRedirectValidator) ValidateRedirectScheme(scheme string) (valid bool, supportedValues []string)
ValidateRedirectScheme validates a scheme to be used in the return directive for a redirect. NGINX rules are not restrictive, but it is easier to validate just for two allowed values http and https, dictated by the Gateway API spec.
func (HTTPRedirectValidator) ValidateRedirectStatusCode ¶
func (HTTPRedirectValidator) ValidateRedirectStatusCode(statusCode int) (valid bool, supportedValues []string)
ValidateRedirectStatusCode validates a status code to be used in the return directive for a redirect. NGINX allows 0..999. However, let's be conservative and only allow 301 and 302 (the values allowed by the Gateway API spec). Note that in the future, we might reserve some codes for internal redirects, so better not to allow all possible code values. We can always relax the validation later in case there is a need.
type HTTPRequestHeaderValidator ¶
type HTTPRequestHeaderValidator struct{}
HTTPRequestHeaderValidator validates values for request headers, which in NGINX is done with the proxy_set_header directive.
func (HTTPRequestHeaderValidator) ValidateRequestHeaderName ¶
func (HTTPRequestHeaderValidator) ValidateRequestHeaderName(name string) error
func (HTTPRequestHeaderValidator) ValidateRequestHeaderValue ¶
func (HTTPRequestHeaderValidator) ValidateRequestHeaderValue(value string) error
type HTTPURLRewriteValidator ¶ added in v1.2.0
type HTTPURLRewriteValidator struct{}
HTTPURLRewriteValidator validates values for a URL rewrite.
func (HTTPURLRewriteValidator) ValidateRewritePath ¶ added in v1.2.0
func (HTTPURLRewriteValidator) ValidateRewritePath(path string) error
ValidateRewritePath validates a path used in a URL Rewrite filter.
type HTTPValidator ¶
type HTTPValidator struct { HTTPNJSMatchValidator HTTPRedirectValidator HTTPURLRewriteValidator HTTPRequestHeaderValidator }
HTTPValidator validates values that will propagate into the NGINX configuration http context. The validation rules are based on the nginx/config/http types and how they are used in the configuration templates of the nginx/config package. Changes to those might require changing the validation rules