Github/aralez
1
0
Fork 0
mirror of https://github.com/sadoyan/aralez.git synced 2026-04-30 23:08:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

http to https redirect cleanup

Browse Source
This commit is contained in:
Ara Sadoyan
2025-05-26 12:42:01 +02:00
parent d38588a299
commit 2a93bc2cd6
6 changed files with 35 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -123,7 +123,8 @@ A sample `upstreams.yaml` entry:
```yaml ```yaml
provider: "file" provider: "file"
stickysessions: false sticky_sessions: false
to_ssl: false
globals: globals:
headers: headers:
- "Access-Control-Allow-Origin:*" - "Access-Control-Allow-Origin:*"
@@ -135,6 +136,7 @@ globals:
myhost.mydomain.com: myhost.mydomain.com:
paths: paths:
"/": "/":
to_https: false
headers: headers:
- "X-Some-Thing:Yaaaaaaaaaaaaaaa" - "X-Some-Thing:Yaaaaaaaaaaaaaaa"
- "X-Proxy-From:Hopaaaaaaaaaaaar" - "X-Proxy-From:Hopaaaaaaaaaaaar"
@@ -142,6 +144,7 @@ myhost.mydomain.com:
- "127.0.0.1:8000" - "127.0.0.1:8000"
- "127.0.0.2:8000" - "127.0.0.2:8000"
"/foo": "/foo":
to_https: true
headers: headers:
- "X-Another-Header:Hohohohoho" - "X-Another-Header:Hohohohoho"
servers: servers:
@@ -151,15 +154,17 @@ myhost.mydomain.com:
**This means:** **This means:**
- Sticky sessions are disabled globally. This setting applies to all upstreams. - Sticky sessions are disabled globally. This setting applies to all upstreams. If enabled all requests will be 301 redirected to HTTPS.
- HTTP to HTTPS redirect disabled globally, but can be overridden by `to_https` setting per upstream.
- Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`. - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
- Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Gazan.
- Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`. - Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`.
- SSL/TLS for upstreams is detected automatically, no need to set any config parameter. - SSL/TLS for upstreams is detected automatically, no need to set any config parameter.
- Assuming the `127.0.0.5:8443` is SSL protected. The inner traffic will use TLS. - Assuming the `127.0.0.5:8443` is SSL protected. The inner traffic will use TLS.
- Self signed certificates are silently accepted. - Self signed certificates are silently accepted.
- Global headers (CORS for this case) will be injected to all upstreams - Global headers (CORS for this case) will be injected to all upstreams
- Additional headers will be injected into the request for `myhost.mydomain.com`. - Additional headers will be injected into the request for `myhost.mydomain.com`.
- You can choose any path, deep nested paths are supported, the best match is chosen. - You can choose any path, deep nested paths are supported, the best match chosen.
- All requests to servers will require JWT token authentication (You can comment out the authorization to disable it), - All requests to servers will require JWT token authentication (You can comment out the authorization to disable it),
- Firs parameter specifies the mechanism of authorisation `jwt` - Firs parameter specifies the mechanism of authorisation `jwt`
- Second is the secret key for validating `jwt` tokens - Second is the secret key for validating `jwt` tokens

8
src/utils/parceyaml.rs
View File

@@ -13,7 +13,8 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
consul: None, consul: None,
typecfg: "".to_string(), typecfg: "".to_string(),
extraparams: Extraparams { extraparams: Extraparams {
stickysessions: false, sticky_sessions: false,
to_ssl: None,
authentication: DashMap::new(), authentication: DashMap::new(),
}, },
}; };
@@ -56,7 +57,10 @@ pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
} }
global_headers.insert("/".to_string(), hl); global_headers.insert("/".to_string(), hl);
toreturn.headers.insert("GLOBAL_HEADERS".to_string(), global_headers); toreturn.headers.insert("GLOBAL_HEADERS".to_string(), global_headers);
toreturn.extraparams.stickysessions = parsed.stickysessions;
toreturn.extraparams.sticky_sessions = parsed.sticky_sessions;
toreturn.extraparams.to_ssl = parsed.to_ssl;
let cfg = DashMap::new(); let cfg = DashMap::new();
if let Some(k) = globals.get("authorization") { if let Some(k) = globals.get("authorization") {
cfg.insert("authorization".to_string(), k.to_owned()); cfg.insert("authorization".to_string(), k.to_owned());

6
src/utils/structs.rs
View File

@@ -16,7 +16,8 @@ pub struct ServiceMapping {
#[derive(Clone, Debug)] #[derive(Clone, Debug)]
pub struct Extraparams { pub struct Extraparams {
pub stickysessions: bool, pub sticky_sessions: bool,
pub to_ssl: Option<bool>,
pub authentication: DashMap<String, Vec<String>>, pub authentication: DashMap<String, Vec<String>>,
} }
@@ -29,7 +30,8 @@ pub struct Consul {
#[derive(Debug, Serialize, Deserialize)] #[derive(Debug, Serialize, Deserialize)]
pub struct Config { pub struct Config {
pub provider: String, pub provider: String,
pub stickysessions: bool, pub sticky_sessions: bool,
pub to_ssl: Option<bool>,
pub upstreams: Option<HashMap<String, HostConfig>>, pub upstreams: Option<HashMap<String, HostConfig>>,
pub globals: Option<HashMap<String, Vec<String>>>, pub globals: Option<HashMap<String, Vec<String>>>,
pub consul: Option<Consul>, pub consul: Option<Consul>,

3
src/web/bgservice.rs
View File

@@ -56,7 +56,8 @@ impl BackgroundService for LB {
clone_dashmap_into(&ss.upstreams, &self.ump_upst); clone_dashmap_into(&ss.upstreams, &self.ump_upst);
let current = self.extraparams.load_full(); let current = self.extraparams.load_full();
let mut new = (*current).clone(); let mut new = (*current).clone();
new.stickysessions = ss.extraparams.stickysessions; new.sticky_sessions = ss.extraparams.sticky_sessions;
new.to_ssl = ss.extraparams.to_ssl;
new.authentication = ss.extraparams.authentication.clone(); new.authentication = ss.extraparams.authentication.clone();
self.extraparams.store(Arc::new(new)); self.extraparams.store(Arc::new(new));
self.headers.clear(); self.headers.clear();

42
src/web/proxyhttp.rs
View File

@@ -47,22 +47,17 @@ impl ProxyHttp for LB {
return Ok(true); return Ok(true);
} }
}; };
// if session.req_header().uri.path().starts_with("/denied") {
// let _ = session.respond_error(403).await;
// warn!("Forbidden: {:?}, {}", session.client_addr(), session.req_header().uri.path().to_string());
// return Ok(true);
// };
Ok(false) Ok(false)
} }
async fn upstream_peer(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<Box<HttpPeer>> { async fn upstream_peer(&self, session: &mut Session, ctx: &mut Self::CTX) -> Result<Box<HttpPeer>> {
let host_name = return_header_host(&session); let host_name = return_header_host(&session);
match host_name { match host_name {
Some(hostname) => { Some(hostname) => {
// session.req_header_mut().headers.insert("X-Host-Name", host.to_string().parse().unwrap()); // session.req_header_mut().headers.insert("X-Host-Name", host.to_string().parse().unwrap());
let mut backend_id = None; let mut backend_id = None;
if self.extraparams.load().stickysessions {
if self.extraparams.load().sticky_sessions {
if let Some(cookies) = session.req_header().headers.get("cookie") { if let Some(cookies) = session.req_header().headers.get("cookie") {
if let Ok(cookie_str) = cookies.to_str() { if let Ok(cookie_str) = cookies.to_str() {
for cookie in cookie_str.split(';') { for cookie in cookie_str.split(';') {
@@ -91,33 +86,22 @@ impl ProxyHttp for LB {
peer.options.verify_hostname = false; peer.options.verify_hostname = false;
} }
// println!("{}, {}, alpn {}, h2 {:?}, to_https {}", hostname, address.as_str(), peer.options.alpn, is_h2, _to_https); // println!("{}, {}, alpn {}, h2 {:?}, to_https {}", hostname, address.as_str(), peer.options.alpn, is_h2, _to_https);
// let mut gogo = false; if self.extraparams.load().to_ssl.unwrap_or(false) || to_https {
// let mut location = String::new();
if to_https {
if let Some(stream) = session.stream() { if let Some(stream) = session.stream() {
if stream.get_ssl().is_none() { if stream.get_ssl().is_none() {
if let Some(addr) = session.server_addr() { if let Some(addr) = session.server_addr() {
if let Some((host, _)) = addr.to_string().split_once(':') { if let Some((host, _)) = addr.to_string().split_once(':') {
let uri = session.req_header().uri.path_and_query().map_or("/", |pq| pq.as_str()); let uri = session.req_header().uri.path_and_query().map_or("/", |pq| pq.as_str());
let port = self.config.proxy_port_tls.unwrap_or(443); let port = self.config.proxy_port_tls.unwrap_or(443);
// let location = format!("https://{}:{}{}", host, port, uri); ctx.to_https = true;
// println!("Redirect: {} => {}", hostname, location); ctx.redirect_to = format!("https://{}:{}{}", host, port, uri);
// gogo = true;
_ctx.to_https = true;
_ctx.redirect_to = format!("https://{}:{}{}", host, port, uri);
} }
} }
} }
} }
} }
// if gogo { ctx.backend_id = format!("{}:{}:{}", address.clone(), port.clone(), ssl);
// println!("Redirect: {} => {}", hostname, location);
// let _ = session.respond_error(301).await;
// warn!("Forbidden: {:?}, {}", session.client_addr(), session.req_header().uri.path().to_string());
// }
_ctx.backend_id = format!("{}:{}:{}", address.clone(), port.clone(), ssl);
// println!("{:?}, {:?}", session.request_summary(), session.server_addr());
Ok(peer) Ok(peer)
} }
None => { None => {
@@ -153,20 +137,20 @@ impl ProxyHttp for LB {
Ok(()) Ok(())
} }
async fn response_filter(&self, session: &mut Session, _upstream_response: &mut ResponseHeader, _ctx: &mut Self::CTX) -> Result<()> { async fn response_filter(&self, session: &mut Session, _upstream_response: &mut ResponseHeader, ctx: &mut Self::CTX) -> Result<()> {
// _upstream_response.insert_header("X-Proxied-From", "Fooooooooooooooo").unwrap(); // _upstream_response.insert_header("X-Proxied-From", "Fooooooooooooooo").unwrap();
if self.extraparams.load().stickysessions { if self.extraparams.load().sticky_sessions {
let backend_id = _ctx.backend_id.clone(); let backend_id = ctx.backend_id.clone();
if let Some(bid) = self.ump_byid.get(&backend_id) { if let Some(bid) = self.ump_byid.get(&backend_id) {
// let _ = _upstream_response.insert_header("set-cookie", format!("backend {}", bid.0)); // let _ = _upstream_response.insert_header("set-cookie", format!("backend {}", bid.0));
let _ = _upstream_response.insert_header("set-cookie", format!("backend_id={}; Path=/; Max-Age=600; HttpOnly; SameSite=Lax", bid.0)); let _ = _upstream_response.insert_header("set-cookie", format!("backend_id={}; Path=/; Max-Age=600; HttpOnly; SameSite=Lax", bid.0));
} }
} }
if _ctx.to_https { if ctx.to_https {
// println!("{} => {}", _ctx.to_https, _ctx.redirect_to); // println!("{} => {}", ctx.to_https, ctx.redirect_to);
let mut redirect_response = ResponseHeader::build(StatusCode::MOVED_PERMANENTLY, None)?; let mut redirect_response = ResponseHeader::build(StatusCode::MOVED_PERMANENTLY, None)?;
redirect_response.insert_header("Location", _ctx.redirect_to.clone())?; redirect_response.insert_header("Location", ctx.redirect_to.clone())?;
redirect_response.insert_header("Content-Length", "0")?; redirect_response.insert_header("Content-Length", "0")?;
session.write_response_header(Box::new(redirect_response), false).await?; session.write_response_header(Box::new(redirect_response), false).await?;
// return Ok(()); // return Ok(());

3
src/web/start.rs
View File

@@ -23,7 +23,8 @@ pub fn run() {
let im_config = Arc::new(DashMap::new()); let im_config = Arc::new(DashMap::new());
let hh_config = Arc::new(DashMap::new()); let hh_config = Arc::new(DashMap::new());
let ec_config = Arc::new(ArcSwap::from_pointee(Extraparams { let ec_config = Arc::new(ArcSwap::from_pointee(Extraparams {
stickysessions: false, sticky_sessions: false,
to_ssl: None,
authentication: DashMap::new(), authentication: DashMap::new(),
})); }));