diff --git a/Cargo.lock b/Cargo.lock
index 04cda8a..c17dec5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -127,7 +127,7 @@ checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 
 [[package]]
 name = "aralez"
-version = "0.92.10"
+version = "0.92.9"
 dependencies = [
  "ahash",
  "arc-swap",
diff --git a/Cargo.toml b/Cargo.toml
index b1b8503..dc00f7f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,10 +1,11 @@
 [package]
 name = "aralez"
-version = "0.92.10"
+version = "0.92.9"
 edition = "2021"
 license = "Apache-2.0"
 description = "Reverse proxy built on top of Cloudflare's Pingora"
 exclude = ["etc/*"]
+repository = "https://github.com/sadoyan/aralez"
 
 [profile.release]
 opt-level = 3
diff --git a/README.md b/README.md
index cefd48a..e3664c8 100644
--- a/README.md
+++ b/README.md
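Review bot: `version = "0.92.9"` lowers the crate version from 0.92.10 in both Cargo.toml and Cargo.lock rather than bumping it, while the same hunk adds the `repository` key. If 0.92.10 was already tagged or published, a lower number cannot be re-released and anyone comparing lockfiles will see the crate apparently move backwards, so the downgrade should be confirmed as intentional (0.92.10 never cut) or replaced with `version = "0.92.11"`.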
@@ -9,13 +9,23 @@ Aralez is a high-performance Rust reverse proxy with zero-configuration automatic protocol handling, TLS, and upstream management, featuring Consul and Kubernetes integration for dynamic pod discovery and health-checked routing, acting as a lightweight ingress-style proxy. + --- What Aralez means ? **Aralez = Արալեզ** Named after the legendary Armenian guardian spirit, winged dog-like creature, that descend upon fallen heroes to lick their wounds and resurrect them. Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers world-class performance, security and scalability — right out of the box. -[![Buy Me A Coffee](https://img.shields.io/badge/☕-Buy%20me%20a%20coffee-orange)](https://www.buymeacoffee.com/sadoyan) +--- + +## Links + +- [**Documentation**](https://aralez.rs) : The manual you should read +- [**Downloads**](https://github.com/sadoyan/aralez/releases) : Binary downloads +- [**Issues**](https://github.com/sadoyan/aralez/issues) : Issues and requests +- [**Crates**](https://crates.io/crates/aralez) : The Rust crate registry +- [**DockerHUB**](https://hub.docker.com/r/sadoyan/aralez) : DockerHUB official repository +- [**GitHUB Packages**](https://github.com/sadoyan/aralez/pkgs/container/aralez) : GitHUB ghcr.io images --- @@ -557,10 +567,3 @@ The results show requests per second performed by Load balancer. You can see 3 b 1. Requests via http1.1 to plain text endpoint. 2. Requests to via http2 to SSL endpoint. 3. Mixed workload with plain http1.1 and htt2 SSL. - -## Links - -- [**Documentation**](https://aralez.rs) : The manual you should read -- [**Downloads**](https://github.com/sadoyan/aralez/releases) : Binary downloads -- [**Issues**](https://github.com/sadoyan/aralez/issues) : Issues and requests - diff --git a/etc/main.yaml b/etc/main.yaml index e7bd3e1..5310da2 100644 --- a/etc/main.yaml +++ b/etc/main.yaml 
@@ -2,22 +2,22 @@
 threads: 12 # Number of daemon threads default setting
 #runuser: pastor # Username for running aralez after dropping root privileges, requires program to start as root
 #rungroup: pastor # Group for running aralez after dropping root privileges, requires program to start as root
-daemon: false # Run in background
+#daemon: false # Run in background
 upstream_keepalive_pool_size: 500 # Pool size for upstream keepalive connections
-pid_file: /tmp/aralez.pid # Path to PID file
-error_log: /tmp/aralez_err.log # Path to error log
+#pid_file: /tmp/aralez.pid # Path to PID file
+#error_log: /tmp/aralez_err.log # Path to error log
 upgrade_sock: /tmp/aralez.sock # Path to socket file
 config_api_enabled: true # Boolean to enable/disable remote config push capability.
-config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
+config_address: 0.0.0.0+3000 # HTTP API address for pushing upstreams.yaml from remote location
 proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
 proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
 proxy_configs: /opt/Rust/Projects/asyncweb/etc # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
 proxy_tls_grade: high # Grade of TLS suite for proxy (high, medium, unsafe), matching grades of Qualys SSL Labs
 upstreams_conf: /opt/Rust/Projects/asyncweb/etc/upstreams.yaml # the location of upstreams file
-#file_server_folder: /opt/storage # Optional, local folder to serve
-#file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
+file_server_folder: /tmp/gazan # Optional, local folder to serve
+file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
 log_level: info # info, warn, error, debug, trace, off
-log_file: /tmp/aralez.log # Optional, the location of log file. 
If this entry does not exist logs will be emitted to stdout.
+#log_file: /tmp/aralez.log # Optional, the location of log file. If this entry does not exist logs will be emitted to stdout.
 hc_method: HEAD # Healthcheck method (HEAD, GET, POST are supported) UPPERCASE
 hc_interval: 2 #Interval for health checks in seconds
 #master_key: 910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774 # Mater key for working with API server and JWT Secret
diff --git a/etc/upstreams.yaml b/etc/upstreams.yaml
index 42698a6..b6f5197 100644
--- a/etc/upstreams.yaml
+++ b/etc/upstreams.yaml
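Review bot: `config_address: 0.0.0.0+3000` swaps the colon of the previous value for a plus sign, so the line no longer reads as a host:port pair; unless the loader accepts that spelling it will fail to parse or bind, and it should read `config_address: 0.0.0.0:3000`. The same hunk switches the file server on in the shipped sample with `file_server_folder: /tmp/gazan`; a directory under /tmp is shared and writable by other local users on most systems, so the example should stay commented out or point at a dedicated directory. The comment on `config_address` also leaves out that 0.0.0.0 listens on every interface for an endpoint that accepts configuration pushes; since the `master_key` line below says it is the key for the API server, I'd extend the comment to `# binds all interfaces; set master_key before exposing this`.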
@@ -1,49 +1,47 @@ # The file under watch and hot reload, changes are applied immediately, no need to restart or reload. provider: "file" # "file" "consul" "kubernetes" -sticky_sessions: 8600 +sticky_sessions: 172000 to_https: false -rate_limit: 300 -x4xx_limit: 200 -server_headers: - - "X-Forwarded-Proto:https" - - "X-Forwarded-Port:443" -client_headers: - - "Access-Control-Allow-Origin:*" - - "Access-Control-Allow-Methods:POST, GET, OPTIONS" - - "Access-Control-Max-Age:86400" +rate_limit: 500000 +x4xx_limit: 100000 +#server_headers: +# - "Y-Global-Something: Yes this is something" +#client_headers: +# - "Access-Control-Allow-Origin:*" +# - "Access-Control-Allow-Methods:POST, GET, OPTIONS" +# - "Access-Control-Max-Age:86400" +# - "Strict-Transport-Security:max-age=31536000; includeSubDomains; preload" #authorization: -# type: "jwt" -# creds: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774" # type: "basic" -# creds: "username:Pa$$w0rd" -# type: "apikey" -# creds: "5ecbf799-1343-4e94-a9b5-e278af5cd313-56b45249-1839-4008-a450-a60dc76d2bae" +# data: "root:toor" +# type: "jwt" +# data: "910517d9-f9a1-48de-8826-dbadacbd84af-cb6f830e-ab16-47ec-9d8f-0090de732774" +# type: "apikey" +# data: "5ecbf799-1343-4e94-a9b5-e278af5cd313-56b45249-1839-4008-a450-a60dc76d2bae" consul: servers: - - "http://192.168.1.199:8500" - - "http://192.168.1.200:8500" - - "http://192.168.1.201:8500" + - "http://consul1:8500" services: # hostname: The hostname to access the proxy server, upstream : The real service name in Consul database. 
- - hostname: "webapi-service" - upstream: "webapi-service-health" + - hostname: "nconsul" + upstream: "nginx-consul-NginX-health" path: "/one" client_headers: - "X-Some-Thing:Yaaaaaaaaaaaaaaa" - "X-Proxy-From:Aralez" rate_limit: 1 to_https: false - - hostname: "webapi-service" - upstream: "webapi-service-health" + - hostname: "nconsul" + upstream: "nginx-consul-NginX-health" path: "/" token: "8e2db809-845b-45e1-8b47-2c8356a09da0-a4370955-18c2-4d6e-a8f8-ffcc0b47be81" # Consul server access token, If Consul auth is enabled kubernetes: servers: - - "192.168.1.55:443" #For testing only, overrides with KUBERNETES_SERVICE_HOST : KUBERNETES_SERVICE_PORT_HTTPS env variables. + - "172.16.0.11:5443" # Gets KUBERNETES_SERVICE_HOST : KUBERNETES_SERVICE_PORT_HTTPS env variables. services: - - hostname: "webapi-service" + - hostname: "api-service-v2" + upstream: "api-service-v2" path: "/" - upstream: "webapi-service" - - hostname: "webapi-service" + - hostname: "api-service-v2" upstream: "console-service" path: "/one" client_headers: 
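Review bot: The rewritten comment on `- "172.16.0.11:5443" # Gets KUBERNETES_SERVICE_HOST : KUBERNETES_SERVICE_PORT_HTTPS env variables.` no longer says which wins, the literal address or the environment variables; the old text stated the entry was for testing and overrides them, and "Gets" can be read either way, so the comment should state the actual precedence, e.g. `# Testing only; overrides KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT_HTTPS when set` if that is still what the loader does. The global `rate_limit: 500000` and `x4xx_limit: 100000` raise the sample limits by three orders of magnitude with no unit in sight, which in practice disables them; if that is the intent a trailing comment such as `# per-client requests per second; effectively unlimited in this sample` would stop readers copying it as a tuned value. The commented `#authorization:` block renames `creds` to `data` and lists three `type:`/`data:` pairs under one mapping, which would be duplicate keys if uncommented together; a line `# uncomment exactly one type/data pair` plus a note about the `creds` rename for existing configs (I infer the loader changed with it, it is not in this diff) would help. Hunk 2 of this file carries the same `data:` key in the active `/secret` entry.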
@@ -51,71 +49,146 @@ kubernetes: - "X-Proxy-From:Aralez" rate_limit: 100 to_https: false - - hostname: "webapi-service" - upstream: "rambul-service" + - hostname: "api-service-v2" + upstream: "feed-fanout-service" path: "/two" - hostname: "websocket-service" upstream: "websocket-service" path: "/" - tokenpath: "/path/to/kubetoken.txt" #If not set, will default to /var/run/secrets/kubernetes.io/serviceaccount/token + tokenpath: "/opt/Rust/Projects/asyncweb/etc/kubetoken.txt" # Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token upstreams: - myip.mydomain.com: + myip.netangels.net: paths: "/": - rate_limit: 200 - x4xx_limit: 100 - to_https: false + # rate_limit: 50 + # x4xx_limit: 100 + # to_https: false + # authorization: + # type: "basic" + # data: "root:toor" + server_headers: + - "Y-Proxy-Server-Some:Yaaaaaaaaaaaaaaa" + - "Y-Proxy-Server-From:Aralez" + - "Y-Proxy-Server-Vers:Aralez v0.89" client_headers: - - "X-Proxy-From:Aralez" + - "X-Proxy-From:Aralezzzzzzzzzzz" + - "X-Hopar-From:Hopaaaaaaaaaaaar" + - "X-Proxy-Some:X-Proxy-Somebody" servers: - "127.0.0.1:8000" - "127.0.0.2:8000" - "127.0.0.3:8000" - "127.0.0.4:8000" - "127.0.0.5:8000" + - "192.168.1.1:8000" "/ping": - authorization: # Will be ignored if global authentication is enabled. 
- type: "basic" - creds: "admin:admin" to_https: false - server_headers: - - "X-Forwarded-Proto:https" - - "X-Forwarded-Port:443" client_headers: - "X-Some-Thing:Yaaaaaaaaaaaaaaa" - "X-Proxy-From:Aralez" servers: - "127.0.0.1:8000" - "127.0.0.2:8000" - "/draw": - servers: - - "192.168.1.1:8000" - polo.mydomain.com: - paths: - "/": + "/pong": to_https: false client_headers: - "X-Some-Thing:Yaaaaaaaaaaaaaaa" + - "X-Proxy-From:Aralez" servers: - - "192.168.1.1:8000" - - "192.168.1.10:8000" - "127.0.0.1:8000" - - "127.0.0.2:8000" - - "127.0.0.3:8000" - - "127.0.0.4:8000" - apt.mydomain.com: + "/secret": + authorization: + type: "forward" + data: "http://192.168.1.1:8899/admin/login" + #data: "https://netangels.net/admin/login" + servers: + - "192.168.1.10:8000" + netangels.net: paths: "/": + redirect_to: "https://www.netangels.net:6194" servers: - - "192.168.1.10:443" + - "192.168.1.1:80" + www.netangels.net: + paths: + "/": + to_https: true + servers: + - "192.168.1.1:80" + apt.netangels.net: + paths: + "/": + server_headers: + - "Y-Global-Something: Yes this is something" + client_headers: + - "Access-Control-Allow-Methods:POST, GET, OPTIONS" + rate_limit: 60 + x4xx_limit: 30 + #authorization: + # type: "jwt" + # data: "SOMETHING" + servers: + - "127.0.0.1:8000" + - "127.0.0.2:8000" "/.well-known/acme-challenge": healthcheck: false servers: - "127.0.0.1:8001" - rdr.mydomain.com: - paths: - "/": - redirect_to: "https://som.other.domain:6194" + "/400": + rate_limit: 4 + x4xx_limit: 2 + servers: + - "192.168.1.1:8899" + "/500": healthcheck: false servers: - - "127.0.0.1:8080" \ No newline at end of file + - "192.168.1.1:8899" + # grafanalocal: + # paths: + # "/": + # healthcheck: false + # servers: + # - "95.211.203.222:443" + # "/.well-known/acme-challenge": + # healthcheck: false + # servers: + # - "127.0.0.1:8001" + localpost: + paths: + "/": + to_https: true + servers: + - "127.0.0.1:9000" + # 192.168.177.2: + # paths: + # "/": + # servers: + # - "127.0.0.1:8000" + 
ara.matyan.org: + paths: + "/": + servers: + - "127.0.0.1:8000" + "/.well-known/acme-challenge": + healthcheck: false + servers: + - "127.0.0.1:3000" + aro.matyan.org: + paths: + "/": + servers: + - "127.0.0.1:8000" + "/.well-known/acme-challenge": + healthcheck: false + servers: + - "127.0.0.1:3000" + DEFAUwLT: + paths: + "/": + healthcheck: false + servers: + - "127.0.0.1:3000" + "/.well-known/acme-challenge": + healthcheck: false + servers: + - "127.0.0.1:3000"
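Review bot: `DEFAUwLT:` near the end of the hunk looks like a mistyped `DEFAULT:`; if the proxy treats `DEFAULT` as the catch-all vhost, which I infer from the name since the loader is not in this diff, the typo turns the fallback into an ordinary hostname that no request will match, so the key should read `DEFAULT:`. `tokenpath: "/opt/Rust/Projects/asyncweb/etc/kubetoken.txt"` replaces the placeholder with a path into a developer checkout; as the comment already says it defaults to the service-account token, the sample should keep a placeholder or stay commented so a copied config does not silently fall back. The header `"Y-Proxy-Server-Vers:Aralez v0.89"` hard-codes a version already behind the 0.92.x in Cargo.toml and advertises it to clients, so it should be dropped from the sample or marked as an example value. The forward-auth example `data: "http://192.168.1.1:8899/admin/login"` presumably hands the request's credentials to the auth endpoint in clear text; the commented `https://` line below it is the better default for a shipped example.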