gateway

package

v1.148.0 Latest Latest Go to latest Published: Aug 11, 2023 License: Apache-2.0 Imports: 30 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/PaloAltoNetworks/bahamut

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
type ErrorWriter
type Gateway
- func New(listenAddr string, upstreamer Upstreamer, options ...Option) (Gateway, error)
type InterceptorAction
type InterceptorFunc
type LatencyBasedUpstreamer
type LimiterMetricManager
type Option
type RateExtractor
type RequestRewriter
type ResponseRewriter
type SourceExtractor
- func NewDefaultSourceExtractor(authCookieName string) SourceExtractor
type Upstreamer

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrUpstreamerTooManyRequests = errors.New("Please retry in a moment")

ErrUpstreamerTooManyRequests can be returned to instruct the bahamut.Gateway to return to stop routing and return a a 429 Too Many Request error to the client.

Functions ¶

This section is empty.

Types ¶

type ErrorWriter ¶

type ErrorWriter func(w http.ResponseWriter, r *http.Request, eerr elemental.Error)

ErrorWriter is a function that can be used to return a standard formatted error to the client.

func New ¶

func New(listenAddr string, upstreamer Upstreamer, options ...Option) (Gateway, error)

New returns a new Gateway.

type InterceptorAction ¶

type InterceptorAction int

A InterceptorAction represents the decision on how to continue handling the request

const (
	// InterceptorActionForward means the Gateway will continue forwarding the request.
	// In that case the Interceptor must only modify the request, and MUST NOT use
	// the HTTP response writer.
	InterceptorActionForward InterceptorAction = iota + 1

	// InterceptorActionForwardWS means the Gateway will continue forwarding the request as a websocket.
	// In that case the Interceptor must only modify the request, and MUST NOT use
	// the HTTP response writer.
	InterceptorActionForwardWS

	// InterceptorActionForwardDirect means the Gateway will continue forwarding the request directly.
	// In that case the Interceptor must only modify the request, and MUST NOT use
	// the HTTP response writer.
	InterceptorActionForwardDirect

	// InterceptorActionStop means the interceptor handled the request
	// and the gateway will not do anything more.
	InterceptorActionStop
)

type InterceptorFunc ¶

type InterceptorFunc func(w http.ResponseWriter, req *http.Request, ew ErrorWriter, corsInjector func()) (action InterceptorAction, upstream string, err error)

An InterceptorFunc is a function that can be used to intercept and request based on its prefix and apply custom operation and returns an InterceptorAction to tell the gateway it should proceed from there. If it returns an error, the error is returned to the client as an internal server error.

The given corsInjector function can be called if you wish your response to contain the CORS information the gateway would normally add. This is mandatory if you add your own headers in the interceptor. Otherwise, the gateway will add the CORS information for you.

NOTE: It is not possible to rewrite the request. To do so, you can use a RequestRewriter.

type LatencyBasedUpstreamer ¶

type LatencyBasedUpstreamer interface {
	CollectLatency(address string, responseTime time.Duration)
	Upstreamer
}

A LatencyBasedUpstreamer is the interface that can circle back response time as an input for Upstreamer decision.

type LimiterMetricManager ¶ added in v1.122.0

type LimiterMetricManager interface {
	RegisterLimitedConnection()
	RegisterAcceptedConnection()
}

A LimiterMetricManager is used to compute metrics for the various limiters that support it.

type Option ¶

type Option func(*gwconfig)

A Option represents possible options for the Gateway.

func OptionAdditionnalAllowedCORSOrigin ¶

func OptionAdditionnalAllowedCORSOrigin(origins []string) Option

OptionAdditionnalAllowedCORSOrigin sets allowed CORS origin. If set, the gateway will mirror whatever is in the upcoming request Origin header as long as there is a match.

func OptionAllowedCORSOrigin ¶

func OptionAllowedCORSOrigin(origin string) Option

OptionAllowedCORSOrigin sets allowed CORS origin. If set to CORSOriginMirror the gateway will mirror whatever is set in the upcoming request Origin header. This is not secure to be used in production when a browser is calling the gateway.

By default, it is set to CORSOriginMirror.

func OptionBlockOpenTracingHeaders ¶

func OptionBlockOpenTracingHeaders(block bool) Option

OptionBlockOpenTracingHeaders configures if the gateway should strip any open tracing related header coming from the clients.

func OptionCORSAllowCredentials ¶ added in v1.121.0

func OptionCORSAllowCredentials(allow bool) Option

OptionCORSAllowCredentials sets if the header Access-Control-Allow-Credentials should be set to true.

By default, it is set to true.

func OptionEnableMaintenance ¶

func OptionEnableMaintenance(enabled bool) Option

OptionEnableMaintenance enables the maintenance mode.

func OptionEnableProxyProtocol ¶

func OptionEnableProxyProtocol(enabled bool, subnet string) Option

OptionEnableProxyProtocol enables and configure the support for ProxyProtocol.

func OptionEnableTrace ¶

func OptionEnableTrace(enabled bool) Option

OptionEnableTrace enables deep oxy logging.

func OptionExposePrivateAPIs ¶

func OptionExposePrivateAPIs(enabled bool) Option

OptionExposePrivateAPIs configures if the gateway should expose the private apis.

func OptionHTTPTimeouts ¶

func OptionHTTPTimeouts(read, write, idle time.Duration, disableKeepAlive bool) Option

OptionHTTPTimeouts configures the HTTP timeouts.

func OptionMetricsManager ¶

func OptionMetricsManager(metricsManager bahamut.MetricsManager) Option

OptionMetricsManager registers set the MetricsManager to use. This will enable response time load balancing of endpoints.

func OptionRegisterExactInterceptor ¶

func OptionRegisterExactInterceptor(path string, f InterceptorFunc) Option

OptionRegisterExactInterceptor registers a given InterceptorFunc for the given path.

func OptionRegisterPrefixInterceptor ¶

func OptionRegisterPrefixInterceptor(prefix string, f InterceptorFunc) Option

OptionRegisterPrefixInterceptor registers a given InterceptorFunc for the given path prefix.

func OptionRegisterSuffixInterceptor ¶

func OptionRegisterSuffixInterceptor(prefix string, f InterceptorFunc) Option

OptionRegisterSuffixInterceptor registers a given InterceptorFunc for the given path suffix.

func OptionServerTLSConfig ¶

func OptionServerTLSConfig(tlsConfig *tls.Config) Option

OptionServerTLSConfig sets the tls.Config to use for the front end server.

func OptionSetCustomRequestRewriter ¶

func OptionSetCustomRequestRewriter(r RequestRewriter) Option

OptionSetCustomRequestRewriter sets a custom RequestRewriter.

func OptionSetCustomResponseRewriter ¶

func OptionSetCustomResponseRewriter(r ResponseRewriter) Option

OptionSetCustomResponseRewriter sets a custom ResponseRewriter.

func OptionSourceRateLimiting ¶

func OptionSourceRateLimiting(rps rate.Limit, burst int) Option

OptionSourceRateLimiting sets the rate limit for a single source. If OptionSourceRateLimiting option is used, this option has no effect.

func OptionSourceRateLimitingDynamic ¶

func OptionSourceRateLimitingDynamic(rateExtractor RateExtractor) Option

OptionSourceRateLimitingDynamic sets the RateExtractor to use to dynamically set the rates for a uniquely identified client. If this option is used, OptionSourceRateLimiting has no effect.

func OptionSourceRateLimitingManager ¶ added in v1.122.0

func OptionSourceRateLimitingManager(m LimiterMetricManager) Option

OptionSourceRateLimitingManager sets the LimiterMetricManager to use to get metrics on the source rate limiter.

func OptionSourceRateLimitingSourceExtractor ¶

func OptionSourceRateLimitingSourceExtractor(sourceExtractor SourceExtractor) Option

OptionSourceRateLimitingSourceExtractor configures a custom SourceExtractor to decide how to uniquely identify a client. The default one uses a hash of the authorization header. Passing nil will reset to the default source extractor.

func OptionTCPClientMaxConnections ¶

func OptionTCPClientMaxConnections(maxConnections int) Option

OptionTCPClientMaxConnections sets the maximum number of TCP connections a client can do at the same time. 0 means no limit. If the sourceExtractor is nil, the default one will be used, which uses the request's RemoteAddr as token.

func OptionTCPClientMaxConnectionsSourceExtractor ¶

func OptionTCPClientMaxConnectionsSourceExtractor(sourceExtractor SourceExtractor) Option

OptionTCPClientMaxConnectionsSourceExtractor sets the source extractor to use to uniquely identify a client TCP connection. The default one uses the http.Request RemoteAddr property. Passing nil will reset to the default source extractor.

func OptionTCPGlobalRateLimiting ¶

func OptionTCPGlobalRateLimiting(cps rate.Limit, burst int) Option

OptionTCPGlobalRateLimiting enables and configures the TCP rate limiter to the rate of the total number of TCP connection the gateway handle.

func OptionTCPGlobalRateLimitingManager ¶ added in v1.122.0

func OptionTCPGlobalRateLimitingManager(m LimiterMetricManager) Option

OptionTCPGlobalRateLimitingManager sets the LimiterMetricManager to use to get metrics on the TCP global rate limiter.

func OptionTrustForwardHeader ¶

func OptionTrustForwardHeader(trust bool) Option

OptionTrustForwardHeader configures if the gateway should strip the X-Forwarded-For header or not.

func OptionUpstreamConfig ¶

func OptionUpstreamConfig(
	upstreamMaxConnsPerHost int,
	upstreamMaxIdleConns int,
	upstreamMaxIdleConnsPerHost int,
	upstreamTLSHandshakeTimeout time.Duration,
	upstreamIdleConnTimeout time.Duration,
	upstreamCircuitBreakerCond string,
	useHTTP2 bool,
) Option

OptionUpstreamConfig configures the connections to the upstream backends.

func OptionUpstreamEnableCompression ¶

func OptionUpstreamEnableCompression(enable bool) Option

OptionUpstreamEnableCompression enables using compression between the gateway and the upstreams. This can lead to performance issues.

func OptionUpstreamTLSConfig ¶

func OptionUpstreamTLSConfig(tlsConfig *tls.Config) Option

OptionUpstreamTLSConfig sets the tls.Config to use for the upstream servers.

func OptionUpstreamURLScheme ¶

func OptionUpstreamURLScheme(scheme string) Option

OptionUpstreamURLScheme sets the URL scheme to use to connect to the upstreams. default is https.

type RateExtractor ¶

type RateExtractor interface {

	// ExtractRates will be called to decide what would be the rate to
	// given a request.
	ExtractRates(r *http.Request) (rate.Limit, int, error)
}

A RateExtractor is used to decide rates per token. This allows to perform advanced computation to determine how to rate limit one unique client.

type RequestRewriter ¶

type RequestRewriter func(req *httputil.ProxyRequest, private bool) error

A RequestRewriter can be used to rewrite the request before it is sent to the upstream. The private parameter tells if the gateway is configured or not to serve the private APIs.

type ResponseRewriter ¶

type ResponseRewriter func(*http.Response) error

A ResponseRewriter can be used to rewrite the response before it is sent back to the client

type SourceExtractor ¶

type SourceExtractor interface {

	// ExtractSource will be called to decide what would be the rate to
	// given a request.
	ExtractSource(req *http.Request) (token string, err error)
}

A SourceExtractor is used to extract a token (or key) used to keep track of a single source.

func NewDefaultSourceExtractor ¶ added in v1.140.0

func NewDefaultSourceExtractor(authCookieName string) SourceExtractor

NewDefaultSourceExtractor returns a default SourceExtractor. A source extractor will discriminate the source of a request based on a hash of its authentication string. It will first use an eventual cookie with the given name, then use then use the Authorization header. If both are empty, the bucket key will be 'default'. If authCookieName is empty, only the value of the Authorization header will be taken into account.

type Upstreamer ¶

type Upstreamer interface {

	// Upstream is called by the bahamut.Gateway for each incoming request
	// in order to find which upstream to forward the request to, based
	// on the incoming http.Request and any other details the implementation
	// whishes to. Needless to say, it must be fast or it would severely degrade
	// the performances of the bahamut.Gateway.
	//
	// The request state must not be changed from this function.
	//
	// The returned upstream is a string in the form "https://10.3.19.4".
	// If it is empty, the bahamut.Gayeway will return a
	// 503 Service Unavailable error.
	//
	// If Upstream returns an error, the bahamut.Gayeway will check for a
	// known ErrUpstreamerX and will act accordingly. Otherwise it will
	// return the error as a 500 Internal Server Error.
	Upstream(req *http.Request) (upstream string, err error)
}

An Upstreamer is the interface that can compute upstreams.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
upstreamer
push

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL