Documentation
¶
Index ¶
Constants ¶
const ( // DefaultMaxCacheSize is the default maximum number of rate limiter // entries to keep in the LRU cache. DefaultMaxCacheSize = 10_000 )
const Subsystem = "PRXY"
Variables ¶
This section is empty.
Functions ¶
func ExtractRateLimitKey ¶ added in v0.4.1
ExtractRateLimitKey extracts the rate-limiting key from a request. For authenticated requests, it uses the L402 token ID. For unauthenticated requests, it falls back to the client IP address.
IMPORTANT: The authenticated parameter should only be true if the L402 token has been validated by the authenticator. Using unvalidated L402 tokens as keys is a DoS vector since attackers can flood the cache with garbage tokens.
Types ¶
type LocalService ¶
type LocalService interface {
http.Handler
// IsHandling returns true if the local service is handling the given
// request. If one of the local services returns true on this method
// then a request is not forwarded/proxied to any of the remote
// backends.
IsHandling(r *http.Request) bool
}
LocalService is an interface that describes a service that is handled internally by aperture and is not proxied to another backend.
func NewLocalService ¶
NewLocalService creates a new local service.
type PrefixLog ¶
type PrefixLog struct {
// contains filtered or unexported fields
}
PrefixLog logs with a given static string prefix.
func NewRemoteIPPrefixLog ¶
NewRemoteIPPrefixLog returns a new prefix logger that logs the remote IP address.
func (*PrefixLog) Debugf ¶
Debugf formats message according to format specifier and writes to log with LevelDebug.
func (*PrefixLog) Errorf ¶
Errorf formats message according to format specifier and writes to to log with LevelError.
type Proxy ¶
type Proxy struct {
// contains filtered or unexported fields
}
Proxy is a HTTP, HTTP/2 and gRPC handler that takes an incoming request, uses its authenticator to validate the request's headers, and either returns a challenge to the client or forwards the request to another server and proxies the response back to the client.
func New ¶
func New(auth auth.Authenticator, services []*Service, blocklist []string, localServices ...LocalService) (*Proxy, error)
New returns a new Proxy instance that proxies between the services specified, using the auth to validate each request's headers and get new challenge headers if necessary.
func (*Proxy) ServeHTTP ¶
func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP checks a client's headers for appropriate authorization and either returns a challenge or forwards their request to the target backend service.
func (*Proxy) UpdateServices ¶
UpdateServices re-configures the proxy to use a new set of backend services.
type RateLimitConfig ¶ added in v0.4.1
type RateLimitConfig struct {
// PathRegexp is a regular expression that matches request paths
// to which this rate limit applies. If empty, matches all paths.
PathRegexp string `long:"pathregexp" description:"Regular expression to match the path of the URL against for rate limiting"`
// Requests is the number of requests allowed per time window (Per).
Requests int `long:"requests" description:"Number of requests allowed per time window"`
// Per is the time window duration (e.g., 1s, 1m, 1h). Defaults to 1s.
Per time.Duration `long:"per" description:"Time window for rate limiting (e.g., 1s, 1m, 1h)"`
// Burst is the maximum number of requests that can be made in a burst,
// exceeding the steady-state rate. Defaults to Requests if not set.
Burst int `long:"burst" description:"Maximum burst size (defaults to Requests if not set)"`
// contains filtered or unexported fields
}
RateLimitConfig defines a rate limiting rule for a specific path pattern.
func (*RateLimitConfig) EffectiveBurst ¶ added in v0.4.1
func (r *RateLimitConfig) EffectiveBurst() int
EffectiveBurst returns the burst value, defaulting to Requests if Burst is 0.
func (*RateLimitConfig) Matches ¶ added in v0.4.1
func (r *RateLimitConfig) Matches(path string) bool
Matches returns true if the given path matches this rate limit's path pattern.
func (*RateLimitConfig) Rate ¶ added in v0.4.1
func (r *RateLimitConfig) Rate() float64
Rate returns the rate.Limit value (requests per second) for this configuration.
type RateLimiter ¶ added in v0.4.1
type RateLimiter struct {
// contains filtered or unexported fields
}
RateLimiter manages per-key rate limiters with LRU eviction.
func NewRateLimiter ¶ added in v0.4.1
func NewRateLimiter(serviceName string, configs []*RateLimitConfig, opts ...RateLimiterOption) *RateLimiter
NewRateLimiter creates a new RateLimiter with the given configurations.
func (*RateLimiter) Allow ¶ added in v0.4.1
Allow checks if a request should be allowed based on all matching rate limits. Returns (allowed, retryAfter) where retryAfter is the suggested duration to wait if denied.
func (*RateLimiter) Size ¶ added in v0.4.1
func (rl *RateLimiter) Size() int
Size returns the current number of entries in the cache.
type RateLimiterOption ¶ added in v0.4.1
type RateLimiterOption func(*RateLimiter)
RateLimiterOption is a functional option for configuring a RateLimiter.
func WithMaxCacheSize ¶ added in v0.4.1
func WithMaxCacheSize(size int) RateLimiterOption
WithMaxCacheSize sets the maximum cache size.
type Service ¶
type Service struct {
// Name is the name of the L402-enabled service.
Name string `long:"name" description:"Name of the L402-enabled service"`
// TLSCertPath is the optional path to the service's TLS certificate.
TLSCertPath string `long:"tlscertpath" description:"Path to the service's TLS certificate"`
// Address is the service's IP address and port.
Address string `long:"address" description:"service instance rpc address"`
// Protocol is the protocol that should be used to connect to the
// service. Currently supported is http and https.
Protocol string `long:"protocol" description:"service instance protocol"`
// Auth is the authentication level required for this service to be
// accessed. Valid values are "on" for full authentication, "freebie X"
// for X free requests per IP address before authentication is required
// or "off" for no authentication.
Auth auth.Level `long:"auth" description:"required authentication"`
// HostRegexp is a regular expression that is tested against the 'Host'
// HTTP header field to find out if this service should be used.
HostRegexp string `long:"hostregexp" description:"Regular expression to match the host against"`
// PathRegexp is a regular expression that is tested against the path
// of the URL of a request to find out if this service should be used.
PathRegexp string `long:"pathregexp" description:"Regular expression to match the path of the URL against"`
// Headers is a map of strings that defines header name and values that
// should always be passed to the backend service, overwriting any
// headers with the same name that might have been set by the client
// request.
// If the value of a header field starts with the prefix "!file+hex:",
// the rest of the value is treated as a path to a file and the content
// of that file is sent to the backend with each call (hex encoded).
// If the value starts with the prefix "!file+base64:", the content of
// the file is sent encoded as base64.
Headers map[string]string `long:"headers" description:"Header fields to always pass to the service"`
// Timeout is an optional value that indicates in how many seconds the
// service's caveat should time out relative to the time of creation. So
// if a value of 100 is set, then the timeout will be 100 seconds
// after creation of the L402.
Timeout int64 `long:"timeout" description:"An integer value that indicates the number of seconds until the service access expires"`
// Capabilities is the list of capabilities authorized for the service
// at the base tier.
Capabilities string `long:"capabilities" description:"A comma-separated list of the service capabilities authorized for the base tier"`
// Constraints is the set of constraints that will take form of caveats.
// They'll be enforced for a service at the base tier. The key should
// correspond to the caveat's condition.
Constraints map[string]string `long:"constraints" description:"The service constraints to enforce at the base tier"`
// Price is the custom L402 value in satoshis to be used for the
// service's endpoint.
Price int64 `long:"price" description:"Static L402 value in satoshis to be used for this service"`
// DynamicPrice holds the config options needed for initialising
// the pricer if a gPRC server is to be used for price data.
DynamicPrice pricer.Config `long:"dynamicprice" description:"Configuration for connecting to the gRPC server to use for the pricer backend"`
// AuthWhitelistPaths is an optional list of regular expressions that
// are matched against the path of the URL of a request. If the request
// URL matches any of those regular expressions, the call is treated as
// if Auth was set to "off". This allows certain RPC methods to not
// require an L402 token. E.g. the path for a gRPC call looks like this:
// /package_name.ServiceName/MethodName
AuthWhitelistPaths []string `long:"authwhitelistpaths" description:"List of regular expressions for paths that don't require authentication'"`
// AuthSkipInvoiceCreationPaths is an optional list of regular
// expressions that are matched against the path of the URL of a
// request. If the request URL matches any of those regular
// expressions, the call will not try to create an invoice for the
// request, but still try to do the l402 authentication.
AuthSkipInvoiceCreationPaths []string `long:"authskipinvoicecreationpaths" description:"List of regular expressions for paths that will skip invoice creation'"`
// RateLimits is an optional list of rate-limiting rules for this
// service. Each rule specifies a path pattern and rate limit
// parameters. All matching rules are evaluated; if any rule denies
// the request, it is rejected.
RateLimits []*RateLimitConfig `long:"ratelimits" description:"List of rate limiting rules for this service"`
// contains filtered or unexported fields
}
Service generically specifies configuration data for backend services to the Aperture proxy.
func (*Service) AuthRequired ¶
AuthRequired determines the auth level required for a given request.
func (*Service) ResourceName ¶
ResourceName returns the string to be used to identify which resource a macaroon has access to. If DynamicPrice Enabled option is set to true then the service has further restrictions per resource and so the name will include both the service name and the specific resource name. Otherwise authorisation is only restricted by service name.
Source Files