README
¶
github.com/dioad/net
A comprehensive Go library providing production-ready networking utilities, authentication, authorization, and security features for building robust networked applications.
Overview
dioad/net is a feature-rich networking library that simplifies building secure, observable, and maintainable network services in Go.
It provides implementations of common networking patterns, authentication mechanisms, and security protocols.
Core Features
🔐 Authentication & Authorization
- Multiple Auth Methods: Basic auth, HMAC, JWT, OIDC
- HTTP Auth Handlers: Easy-to-use middleware for protecting HTTP endpoints
- OIDC Integration: Full OpenID Connect support with claim-based authorization
- OAuth2 Support: Seamless OAuth2 token handling and validation
- GitHub Actions OIDC: Native support for GitHub Actions OIDC token validation
- Fly.io OIDC: Support for Fly.io identity tokens
🌐 HTTP Server
- HTTP/HTTPS Server: HTTP server based on
gorilla/muxwith TLS support - UNIX Socket Support: Listen on UNIX domain sockets (via
Serve) - Middleware Stack: CORS, logging, metrics, header marshaling
- Resource-based Routing: Clean RESTful resource handlers
- Proxy Protocol Support: Load balancer integration via PROXY protocol
- Metrics: Built-in Prometheus metrics collection
🔒 TLS/Security
- Certificate Management: Generate, load, and validate X.509 certificates
- Self-Signed Certificates: Easy self-signed certificate generation for testing
- Automatic Certificate Management: ACME protocol support via Let's Encrypt (
autocert) - Client Configuration: Secure TLS client setup with custom verification
- Server Configuration: TLS server setup with certificate rotation
📧 SMTP/Email Security
- Domain Security Records: SPF, DKIM, DMARC, MTA-STS, TLS-RPT support
- Email Authentication: DKIM signing and verification utilities
- DNS Record Generation: Template-based record rendering for email security
🔍 DNS Utilities
- DNS-over-HTTPS (DoH): Privacy-focused DNS resolution
- IP Utilities: IP address manipulation and validation
- Blocklist Lookups: Spam/blocklist checking via DNS (Spamhaus)
🛡️ Network Authorization
- IP-based ACLs: Network access control lists with allow/deny rules
- Principal-based Authorization: User and role-based access control
- Rate Limiting: Per-principal rate limiting for network and HTTP services
- Prefix Lists: Support for cloud provider IP ranges (AWS, Google Cloud, Azure, Fastly, Cloudflare, Atlassian, GitLab, Hetzner)
- Automatic Updates: Background refresh of cloud provider prefix lists
📊 Metrics
- Connection Metrics: Track bytes sent/received per connection
- Listener Metrics: Network listener statistics
- Prometheus Integration: Native Prometheus metrics export
🔧 Connection Utilities
- Connection Lifecycle: Helpers for proper connection cleanup (
DoneConn) - Context Integration: Context-aware connection operations
Quick Start
Basic HTTP Server with Authentication
import (
"github.com/dioad/net/http"
"github.com/dioad/net/http/auth/basic"
)
// Create a basic auth map
authMap := basic.AuthMap{}
authMap.AddUserWithPlainPassword("user1", "password1")
// Create auth handler
authHandler, _ := basic.NewHandlerWithMap(authMap)
// Create server with basic auth middleware
config := http.Config{ListenAddress: ":8080"}
server := http.NewServer(config)
server.AddHandler("/protected", authHandler.Wrap(myHandler))
OIDC/JWT Authentication
import (
"github.com/dioad/net/http"
"github.com/dioad/net/oidc"
)
// Create OIDC validator configuration
validatorConfig := oidc.ValidatorConfig{
EndpointConfig: oidc.EndpointConfig{
Type: "githubactions",
URL: "https://token.actions.githubusercontent.com",
},
Audiences: []string{"https://github.com/my-org"},
Issuer: "https://token.actions.githubusercontent.com",
}
// Create server with OIDC validator as global middleware
config := http.Config{ListenAddress: ":8080"}
server := http.NewServer(config, http.WithOAuth2Validator([]oidc.ValidatorConfig{validatorConfig}))
server.AddHandler("/secure", myHandler)
IP-based Access Control
import (
"github.com/dioad/net/authz"
)
// Create network ACL
acl, _ := authz.NewNetworkACL(authz.NetworkACLConfig{
AllowedNets: []string{"10.0.0.0/8"},
DeniedNets: []string{"10.0.0.5"},
})
// Check if IP is authorised
if authorised, _ := acl.AuthoriseFromString(clientIP); authorised {
// Allow access
}
Rate Limiting (HTTP)
import (
"github.com/dioad/net/http"
"github.com/rs/zerolog/log"
)
// Create rate limiter (1 request per second, burst of 5)
limiter := http.NewRateLimiter(1.0, 5, log.Logger)
// Use as middleware for a specific principal
handler := limiter.Middleware("user1")(myHandler)
// Or use middleware that extracts principal from context
// contextHandler := limiter.MiddlewareFromContext(authContextKey)(myHandler)
Rate Limiting (Dynamic)
import (
"github.com/dioad/net/ratelimit"
"github.com/dioad/net/http"
"github.com/rs/zerolog/log"
)
// Implement RateLimitSource
type mySource struct{}
func (s *mySource) GetLimit(principal string) (float64, int, bool) {
if principal == "premium" {
return 100.0, 100, true
}
return 1.0, 5, true
}
// Create rate limiter with custom source
limiter := http.NewRateLimiterWithSource(&mySource{}, log.Logger)
Rate Limiting (Network)
import (
"net"
"github.com/dioad/net/ratelimit"
"github.com/rs/zerolog/log"
)
// Create a generic rate limiter (10 connections per second, burst of 20)
rl := ratelimit.NewRateLimiter(10.0, 20, log.Logger)
// Wrap an existing listener with rate limiting (by source IP)
ln, _ := net.Listen("tcp", ":8080")
rlListener := ratelimit.NewListener(ln, rl, log.Logger)
// Use the rate-limited listener
// http.Serve(rlListener, myHandler)
TLS Configuration
import (
"context"
"github.com/dioad/net/http"
"github.com/dioad/net/tls"
)
// Configure TLS
tlsServerConfig := tls.ServerConfig{
CertFile: "/path/to/cert.pem",
KeyFile: "/path/to/key.pem",
}
tlsConfig, _ := tls.NewServerTLSConfig(context.Background(), tlsServerConfig)
// Create server with TLS
config := http.Config{
ListenAddress: ":443",
TLSConfig: tlsConfig,
}
server := http.NewServer(config)
More Examples
For more comprehensive, executable examples, see the examples/ directory:
- Basic HTTP Server - HTTP server with basic authentication
- OIDC Authentication - OpenID Connect/JWT authentication
- IP-based Access Control - Network ACLs for IP filtering
- HTTP Rate Limiting - Per-principal HTTP rate limiting
- Dynamic Rate Limiting - Rate limiting with custom sources
- Network Rate Limiting - Network-level rate limiting
- TLS Configuration - TLS setup with self-signed certificates
- GitHub Actions OIDC - GitHub Actions OIDC token handling
All examples are standalone executable Go programs that can be run with go run ./examples/... or built with go build ./examples/....
Package Structure
authz/- Authorization utilities (ACLs, principal checks, IP filtering)dns/- DNS utilities (DoH, IP utilities, blocklist checks)http/- HTTP server and clientauth/- Authentication handlers (Basic, HMAC, GitHub, OIDC)authz/- Authorization middleware (IP-based, JWT-based, Principal-based)resource/- Resource-based request handlers
ratelimit/- Generic per-principal rate limiting logicmetrics/- Prometheus metrics collectionoidc/- OpenID Connect client library and validationflyio/- Fly.io identity integrationgithubactions/- GitHub Actions OIDC integration
smtp/- SMTP/email security (DKIM, DMARC, SPF, MTA-STS)tls/- TLS certificate management and ACME support
Requirements
- Go 1.24 or later
- Standard Go dependencies (see
go.mod)
License
See LICENSE file for details.
Documentation
¶
Overview ¶
Package net provides production-ready networking utilities, authentication, authorization, and security features.
Index ¶
- Variables
- func AddrPortDetailsFromString(addrPort string) (netip.AddrPort, string, error)
- func ConvertAddrToIP(addr netip.Addr) net.IP
- func ExpandStringTemplate(templateString string, data any) (string, error)
- func FindInterfaceForAddr(a netip.Addr) (string, error)
- func FindInterfaceForIP(ip net.IP) (string, error)
- func FindTCPConn(c RawConn) *net.TCPConn
- func GetMyIPs(ctx context.Context) ([]netip.Addr, error)
- func GetMyIPsFromFuncs(ctx context.Context, funcs ...GetIPFunc) ([]netip.Addr, error)
- func GetMyIPv4(ctx context.Context) (netip.Addr, error)
- func GetMyIPv6(ctx context.Context) (netip.Addr, error)
- func TCPAddrFromURL(url *url.URL) (string, error)
- func TCPPortFromURL(url *url.URL) (string, error)
- type DoneConn
- type GetIPFunc
- type RawConn
Constants ¶
This section is empty.
Variables ¶
View Source
var ( // TODO: change this to ipv4.myip.dioad.net(A) ipv6.myip.dioad.net (AAAA) and myip.dioad.net(A and AAAA) // IPv4ICanHazIP is the URL to fetch the public IPv4 address. IPv4ICanHazIP = "http://ipv4.icanhazip.com" // IPv6ICanHazIP is the URL to fetch the public IPv6 address. IPv6ICanHazIP = "http://ipv6.icanhazip.com" )
Functions ¶
func AddrPortDetailsFromString ¶
AddrPortDetailsFromString takes a string representation of an address:port combination and returns the parsed netip.AddrPort, the network interface name that contains this address, and any error encountered during parsing or interface lookup. The input string should be in the format "IP:port" (e.g., "192.168.1.1:8080" or "[::1]:80"). Returns an empty AddrPort and empty string if an error occurs.
func ConvertAddrToIP ¶
ConvertAddrToIP converts a netip.Addr to a net.IP.
func ExpandStringTemplate ¶
ExpandStringTemplate expands a template string with the provided data.
func FindInterfaceForAddr ¶
FindInterfaceForAddr returns the network interface name that contains the given address.
func FindInterfaceForIP ¶
FindInterfaceForIP returns the network interface name that contains the given IP address.
func FindTCPConn ¶ added in v0.46.0
FindTCPConn recursively finds and returns the underlying *net.TCPConn from a RawConn.
func GetMyIPsFromFuncs ¶ added in v0.45.3
GetMyIPsFromFuncs fetches the public IP addresses using the provided functions.
func TCPAddrFromURL ¶
TCPAddrFromURL returns a TCP address in the form of "host:port" from a given URL.
Types ¶
type DoneConn ¶ added in v0.44.0
DoneConn is a connection wrapper that provides a channel that is closed when the connection is closed.
func NewConnWithCloser ¶
NewConnWithCloser wraps a net.Conn with a function that is called when the connection is closed.
func NewDoneConn ¶ added in v0.44.0
NewDoneConn creates a new DoneConn wrapping the provided net.Conn.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package authz provides network-based and principal-based access control utilities.
|
Package authz provides network-based and principal-based access control utilities. |
|
prefixlist
Package prefixlist provides utilities for fetching and managing IP prefix lists from various cloud providers.
|
Package prefixlist provides utilities for fetching and managing IP prefix lists from various cloud providers. |
|
Package dns provides DNS-related utilities, including DNS-over-HTTPS and IP reverse lookups.
|
Package dns provides DNS-related utilities, including DNS-over-HTTPS and IP reverse lookups. |
|
examples
|
|
|
basic-http-server
command
|
|
|
githubactions-oidc/client
command
|
|
|
githubactions-oidc/validator
command
|
|
|
ip-acl
command
|
|
|
oidc-auth
command
|
|
|
rate-limiting-dynamic
command
|
|
|
rate-limiting-http
command
|
|
|
rate-limiting-network
command
|
|
|
tls-config
command
|
|
|
Package http provides an HTTP server and client with built-in support for metrics, authentication, and structured logging.
|
Package http provides an HTTP server and client with built-in support for metrics, authentication, and structured logging. |
|
auth
Package auth provides HTTP authentication utilities and interfaces.
|
Package auth provides HTTP authentication utilities and interfaces. |
|
auth/basic
Package basic provides HTTP Basic authentication middleware and utilities.
|
Package basic provides HTTP Basic authentication middleware and utilities. |
|
auth/context
Package context provides utilities for managing authentication information in context.
|
Package context provides utilities for managing authentication information in context. |
|
auth/github
Package github provides GitHub-based authentication middleware.
|
Package github provides GitHub-based authentication middleware. |
|
auth/hmac
Package hmac provides HMAC-based authentication middleware.
|
Package hmac provides HMAC-based authentication middleware. |
|
auth/oidc
Package oidc provides HTTP authentication using OpenID Connect.
|
Package oidc provides HTTP authentication using OpenID Connect. |
|
authz/ip
Package ip provides IP-based authorization middleware.
|
Package ip provides IP-based authorization middleware. |
|
authz/principal
Package principal provides principal-based authorization middleware.
|
Package principal provides principal-based authorization middleware. |
|
json
Package json provides utilities for handling JSON requests and responses.
|
Package json provides utilities for handling JSON requests and responses. |
|
pprof
Package pprof provides an HTTP resource for exposing pprof debugging endpoints.
|
Package pprof provides an HTTP resource for exposing pprof debugging endpoints. |
|
Package metrics provides utilities for tracking network connection and listener metrics.
|
Package metrics provides utilities for tracking network connection and listener metrics. |
|
Package oidc provides an OpenID Connect (OIDC) client and utilities for token validation and management.
|
Package oidc provides an OpenID Connect (OIDC) client and utilities for token validation and management. |
|
dkim
Package dkim provides utilities for working with DKIM (DomainKeys Identified Mail) records.
|
Package dkim provides utilities for working with DKIM (DomainKeys Identified Mail) records. |
|
Package tls provides utilities for working with TLS certificates and configurations.
|
Package tls provides utilities for working with TLS certificates and configurations. |
Click to show internal directories.
Click to hide internal directories.