3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

proxy: add support for spdy upgrades (#1203)

Browse source
This commit is contained in:
Travis Groth 2020-08-04 13:26:14 -04:00 committed by GitHub
parent 5653a398de
commit 7a53e6bb42
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 121 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config/policy.go
View file

@ -51,6 +51,9 @@ type Policy struct {
// Caution: Enabling this feature could result in abuse via DOS attacks.
AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets,omitempty"`
// AllowSPDY enables proxying of SPDY upgrade requests
AllowSPDY bool `mapstructure:"allow_spdy" yaml:"allow_spdy,omitempty"`
// TLSSkipVerify controls whether a client verifies the server's certificate
// chain and host name.
// If TLSSkipVerify is true, TLS accepts any certificate presented by the

1
docs/guides/kubernetes.md
View file

@ -193,6 +193,7 @@ The policy should be a base64-encoded block of yaml:
- from: https://k8s.localhost.pomerium.io:30443
to: https://kubernetes.default.svc
tls_skip_verify: true
allow_spdy: true
allowed_domains:
- pomerium.com
kubernetes_service_account_token: "..." #$(kubectl get secret/"$(kubectl get serviceaccount/pomerium -o json | jq -r '.secrets[0].name')" -o json | jq -r .data.token | base64 -d)

28
docs/reference/readme.md
View file

@ -1134,16 +1134,6 @@ Note: This setting will replace (not append) the system's trust store for a give
Pomerium supports client certificates which can be used to enforce [mutually authenticated and encrypted TLS connections](https://en.wikipedia.org/wiki/Mutual_authentication) (mTLS). For more details, see our [mTLS example repository](https://github.com/pomerium/examples/tree/master/mutual-tls) and the [certificate docs](../docs/topics/certificates.md).
### Websocket Connections
- Config File Key: `allow_websockets`
- Type: `bool`
- Default: `false`
If set, enables proxying of websocket connections.
**Use with caution:** By definition, websockets are long-lived connections, so [global timeouts](#global-timeouts) are not enforced. Allowing websocket connections to the proxy could result in abuse via [DOS attacks](https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/).
### Pass Identity Headers
- `yaml`/`json` setting: `pass_identity_headers`
@ -1156,6 +1146,24 @@ When enabled, this option will pass the identity headers to the downstream appli
- X-Pomerium-Jwt-Assertion
- X-Pomerium-Claim-*
### SPDY
- Config File Key: `allow_spdy`
- Type: `bool`
- Default: `false`
If set, enables proxying of SPDY protocol upgrades.
### Websocket Connections
- Config File Key: `allow_websockets`
- Type: `bool`
- Default: `false`
If set, enables proxying of websocket connections.
**Use with caution:** By definition, websockets are long-lived connections, so [global timeouts](#global-timeouts) are not enforced. Allowing websocket connections to the proxy could result in abuse via [DOS attacks](https://www.cloudflare.com/learning/ddos/ddos-attack-tools/slowloris/).
## Authorize Service
### Authenticate Service URL

10
internal/controlplane/xds_routes.go
View file

@ -140,10 +140,16 @@ func buildPolicyRoutes(options *config.Options, domain string) []*envoy_config_r
ClusterSpecifier: &envoy_config_route_v3.RouteAction_Cluster{
Cluster: clusterName,
},
UpgradeConfigs: []*envoy_config_route_v3.RouteAction_UpgradeConfig{{
UpgradeConfigs: []*envoy_config_route_v3.RouteAction_UpgradeConfig{
{
UpgradeType: "websocket",
Enabled: &wrappers.BoolValue{Value: policy.AllowWebsockets},
}},
},
{
UpgradeType: "spdy/3.1",
Enabled: &wrappers.BoolValue{Value: policy.AllowSPDY},
},
},
HostRewriteSpecifier: &envoy_config_route_v3.RouteAction_AutoHostRewrite{
AutoHostRewrite: &wrappers.BoolValue{Value: !policy.PreserveHostHeader},
},

117
internal/controlplane/xds_routes_test.go
View file

@ -248,6 +248,21 @@ func Test_buildPolicyRoutes(t *testing.T) {
UpstreamTimeout: time.Minute,
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL("https://example.com")},
Path: "/some/path",
AllowSPDY: true,
PreserveHostHeader: true,
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL("https://example.com")},
Path: "/some/path",
AllowSPDY: true,
AllowWebsockets: true,
PreserveHostHeader: true,
PassIdentityHeaders: true,
},
},
}, "example.com")
@ -270,10 +285,10 @@ func Test_buildPolicyRoutes(t *testing.T) {
"autoHostRewrite": true,
"cluster": "policy-701142725541ce1f",
"timeout": "3s",
"upgradeConfigs": [{
"enabled": false,
"upgradeType": "websocket"
}]
"upgradeConfigs": [
{ "enabled": false, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
}
},
{
@ -293,10 +308,10 @@ func Test_buildPolicyRoutes(t *testing.T) {
"autoHostRewrite": false,
"cluster": "policy-35b6cce9d52d36ed",
"timeout": "0s",
"upgradeConfigs": [{
"enabled": true,
"upgradeType": "websocket"
}]
"upgradeConfigs": [
{ "enabled": true, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
}
},
{
@ -316,10 +331,10 @@ func Test_buildPolicyRoutes(t *testing.T) {
"autoHostRewrite": true,
"cluster": "policy-8935ca8067709cf7",
"timeout": "60s",
"upgradeConfigs": [{
"enabled": false,
"upgradeType": "websocket"
}]
"upgradeConfigs": [
{ "enabled": false, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
},
"requestHeadersToAdd": [{
"append": false,
@ -349,10 +364,10 @@ func Test_buildPolicyRoutes(t *testing.T) {
"autoHostRewrite": true,
"cluster": "policy-45c2908c3d6f0e52",
"timeout": "3s",
"upgradeConfigs": [{
"enabled": false,
"upgradeType": "websocket"
}]
"upgradeConfigs": [
{ "enabled": false, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
}
},
{
@ -372,12 +387,58 @@ func Test_buildPolicyRoutes(t *testing.T) {
"autoHostRewrite": true,
"cluster": "policy-8935ca8067709cf7",
"timeout": "60s",
"upgradeConfigs": [{
"enabled": false,
"upgradeType": "websocket"
}]
"upgradeConfigs": [
{ "enabled": false, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
},
"requestHeadersToRemove": ["HEADER-KEY"]
},
{
"name": "policy-6",
"match": {
"path": "/some/path"
},
"metadata": {
"filterMetadata": {
"envoy.filters.http.lua": {
"remove_pomerium_authorization": true,
"remove_pomerium_cookie": "pomerium"
}
}
},
"route": {
"autoHostRewrite": false,
"cluster": "policy-35b6cce9d52d36ed",
"timeout": "3s",
"upgradeConfigs": [
{ "enabled": false, "upgradeType": "websocket"},
{ "enabled": true, "upgradeType": "spdy/3.1"}
]
}
},
{
"name": "policy-7",
"match": {
"path": "/some/path"
},
"metadata": {
"filterMetadata": {
"envoy.filters.http.lua": {
"remove_pomerium_authorization": true,
"remove_pomerium_cookie": "pomerium"
}
}
},
"route": {
"autoHostRewrite": false,
"cluster": "policy-35b6cce9d52d36ed",
"timeout": "0s",
"upgradeConfigs": [
{ "enabled": true, "upgradeType": "websocket"},
{ "enabled": true, "upgradeType": "spdy/3.1"}
]
}
}
]
`, routes)
@ -417,10 +478,10 @@ func TestAddOptionsHeadersToResponse(t *testing.T) {
"autoHostRewrite": true,
"cluster": "policy-701142725541ce1f",
"timeout": "3s",
"upgradeConfigs": [{
"enabled": false,
"upgradeType": "websocket"
}]
"upgradeConfigs": [
{ "enabled": false, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
},
"responseHeadersToAdd": [{
"append": false,
@ -467,10 +528,10 @@ func Test_buildPolicyRoutesWithDestinationPath(t *testing.T) {
"prefixRewrite": "/bar",
"cluster": "policy-605b7be39724cb4f",
"timeout": "3s",
"upgradeConfigs": [{
"enabled": false,
"upgradeType": "websocket"
}]
"upgradeConfigs": [
{ "enabled": false, "upgradeType": "websocket"},
{ "enabled": false, "upgradeType": "spdy/3.1"}
]
}
}
]