Merge pull request #20 from HrachMD/token-in-logs

Token Logging
2026-05-30 03:44:06 +08:00 · 2026-05-08 13:53:08 +02:00
parent c549750e9d 3f6ee1799c
commit 783ffb27e1
4 changed files with 265 additions and 281 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/26
+++ b/26
@@ -0,0 +1,26 @@
+update:
+	cargo update --verbose
+
+features:
+	cargo features
+
+checkup:
+	cargo clippy --workspace --all-targets --all-features -- -D warnings
+	cargo check --workspace --all-targets --all-features
+	# cargo shear
+	# cargo machete
+	cargo audit
+
+fix:
+	cargo fix
+
+fix-all:
+	cargo fix --all
+	cargo clippy --workspace --all-targets --all-features --fix
+
+test:
+	cargo test --workspace --all-targets --all-features
+
+.PHONY: update features checkup fix fix-all test
+
+# -- ⚝ by Dave -- in NeoVim ⚝ --
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 ---

-# Aralez (Արալեզ),
+# Aralez (Արալեզ)

 ### **Reverse proxy built on top of Cloudflare's Pingora**

@@ -27,16 +27,16 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 - **Upstreams TLS detection** — Aralez will automatically detect if upstreams uses secure connection.
 - **Built in rate limiter** — Globar or route limit requests to upstreams.
 - **Authentication** — Supports Basic Auth, API tokens, and JWT verification.
-    - **Basic Auth**
-    - **API Key** via `x-api-key` header
-    - **JWT Auth**, with tokens issued by Aralez itself via `/jwt` API
-    - **Forward Auth**, Sends requests to an authentication server.
+  - **Basic Auth**
+  - **API Key** via `x-api-key` header
+  - **JWT Auth**, with tokens issued by Aralez itself via `/jwt` API
+  - **Forward Auth**, Sends requests to an authentication server.
 - **Load Balancing** Round-robin, health checks, optional sticky sessions.
 - **Built in file server** — Build in minimalistic file server for serving static files, should be added as upstreams for public access.
 - **Upstream Providers:**
-    - `file` Upstreams are declared in config file.
-    - `consul` Upstreams are dynamically updated from Hashicorp Consul.
-    - `kubernetes` Upstreams are dynamically updated from kubernetes api server.
+  - `file` Upstreams are declared in config file.
+  - `consul` Upstreams are dynamically updated from Hashicorp Consul.
+  - `kubernetes` Upstreams are dynamically updated from kubernetes api server.
 - **Automatic WebSocket Support:** WS connection upgrades are handled automatically.
 - **Automatic gRPC Support:** gRPC detected and handled automatically.
 - **Header Injection:** Global and per-route server/client headers injection.
@@ -92,7 +92,7 @@ File names:
 | `aralez-x86_64-compat-glibc.gz` | Dynamic Linux x86_64 binary, compatible with old pre Haswell CPUs        |
 | `aralez-aarch64-musl.gz`        | Static Linux ARM64 binary, without any system dependency                 |
 | `aralez-aarch64-glibc.gz`       | Dynamic Linux ARM64 binary, with minimal system dependencies             |
-| `sadoyan/aralez`                | Docker image on Debian 13 slim (https://hub.docker.com/r/sadoyan/aralez) |
+| `sadoyan/aralez`                | Docker image on Debian 13 slim (<https://hub.docker.com/r/sadoyan/aralez>) |

 **Via docker**

@@ -210,9 +210,9 @@ myhost.mydomain.com:
 - All upstreams will receive custom headers : `X-Forwarded-Proto:https` and `X-Forwarded-Port:443`
 - Additionally, myhost.mydomain.com with path `/` will receive custom headers : `X-Another-Header:Hohohohoho` and `X-Something-Else:Foobar`
 - Requests to each hosted domains will be limited to 10 requests per second per virtualhost.
-    - Requests limits are calculated per requester ip plus requested virtualhost.
-    - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
-    - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
+  - Requests limits are calculated per requester ip plus requested virtualhost.
+  - If the requester exceeds the limit it will receive `429 Too Many Requests` error.
+  - Optional. Rate limiter will be disabled if the parameter is entirely removed from config.
 - Requests to `myhost.mydomain.com/` will be limited to 20 requests per second.
 - Requests to `myhost.mydomain.com/` will be proxied to `127.0.0.1` and `127.0.0.2`.
 - Plain HTTP to `myhost.mydomain.com/foo` will get 301 redirect to configured TLS port of Aralez.
@@ -220,11 +220,14 @@ myhost.mydomain.com:
 - Requests to `myhost.mydomain.com/foo` will be proxied to `127.0.0.4` and `127.0.0.5`.
 - Requests to `myhost.mydomain.com/.well-known/acme-challenge` will be proxied to `127.0.0.1:8001`, but healthcheks are disabled.
 - SSL/TLS for upstreams is detected automatically, no need to set any config parameter.
-    - Assuming the `127.0.0.5:8443` is SSL protected. The inner traffic will use TLS.
-    - Self-signed certificates are silently accepted.
+  - Assuming the `127.0.0.5:8443` is SSL protected. The inner traffic will use TLS.
+  - Self-signed certificates are silently accepted.
 - Global headers (CORS for this case) will be injected to all upstreams.
 - Additional headers will be injected into the request for `myhost.mydomain.com`.
 - You can choose any path, deep nested paths are supported, the best match chosen.
+- All requests to servers will require JWT token authentication (You can comment out the authorization to disable it),
+  - Firs parameter specifies the mechanism of authorisation `jwt`
+  - Second is the secret key for validating `jwt` tokens

 ---

@@ -266,10 +269,10 @@ curl -XPOST --data-binary @./etc/upstreams.txt 127.0.0.1:3000/conf?key=${MASTERK
 - `apikey` : Authentication via `x-api-key` header, which should match the value in config.
 - `jwt`: JWT authentication implemented via `araleztoken=` url parameter. `/some/url?araleztoken=TOKEN`
 - `jwt`: JWT authentication implemented via `Authorization: Bearer <token>` header.
-    - To obtain JWT a token, you should send **generate** request to built in api server's `/jwt` endpoint.
-    - `master_key`: should match configured `masterkey` in `main.yaml` and `upstreams.yaml`.
-    - `owner` : Just a placeholder, can be anything.
-    - `valid` : Time in minutes during which the generated token will be valid.
+  - To obtain JWT a token, you should send **generate** request to built in api server's `/jwt` endpoint.
+  - `master_key`: should match configured `masterkey` in `main.yaml` and `upstreams.yaml`.
+  - `owner` : Just a placeholder, can be anything.
+  - `valid` : Time in minutes during which the generated token will be valid.

 **Example JWT token generation request**

@@ -395,16 +398,16 @@ curl  -u username:password -H 'Host: myip.mydomain.com' http://127.0.0.1:6193/

 ```
 Summary:
-  Success rate:	100.00%
-  Total:	600.0027 secs
-  Slowest:	0.2138 secs
-  Fastest:	0.0002 secs
-  Average:	0.0023 secs
-  Requests/sec:	129777.3838
+  Success rate: 100.00%
+  Total: 600.0027 secs
+  Slowest: 0.2138 secs
+  Fastest: 0.0002 secs
+  Average: 0.0023 secs
+  Requests/sec: 129777.3838

-  Total data:	0 B
-  Size/request:	0 B
-  Size/sec:	0 B
+  Total data: 0 B
+  Size/request: 0 B
+  Size/sec: 0 B

 Response time histogram:
  0.000 [1]        |
@@ -432,8 +435,8 @@ Response time distribution:


 Details (average, fastest, slowest):
-  DNS+dialup:	0.0161 secs, 0.0002 secs, 0.0316 secs
-  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0000 secs
+  DNS+dialup: 0.0161 secs, 0.0002 secs, 0.0316 secs
+  DNS-lookup: 0.0000 secs, 0.0000 secs, 0.0000 secs

 Status code distribution:
  [200] 77866624 responses
@@ -451,16 +454,16 @@ Error distribution:

 ```
 Summary:
-  Success rate:	100.00%
-  Total:	600.0021 secs
-  Slowest:	0.2182 secs
-  Fastest:	0.0002 secs
-  Average:	0.0024 secs
-  Requests/sec:	123870.5820
+  Success rate: 100.00%
+  Total: 600.0021 secs
+  Slowest: 0.2182 secs
+  Fastest: 0.0002 secs
+  Average: 0.0024 secs
+  Requests/sec: 123870.5820

-  Total data:	0 B
-  Size/request:	0 B
-  Size/sec:	0 B
+  Total data: 0 B
+  Size/request: 0 B
+  Size/sec: 0 B

 Response time histogram:
  0.000 [1]        |
@@ -488,8 +491,8 @@ Response time distribution:


 Details (average, fastest, slowest):
-  DNS+dialup:	0.0066 secs, 0.0002 secs, 0.0210 secs
-  DNS-lookup:	0.0000 secs, 0.0000 secs, 0.0000 secs
+  DNS+dialup: 0.0066 secs, 0.0002 secs, 0.0210 secs
+  DNS-lookup: 0.0000 secs, 0.0000 secs, 0.0000 secs

 Status code distribution:
  [200] 74322377 responses
--- a/src/web/webserver.rs
+++ b/src/web/webserver.rs
@@ -15,7 +15,7 @@ use axum::{Json, Router};
 use futures::channel::mpsc::Sender;
 use futures::SinkExt;
 use jsonwebtoken::{encode, EncodingKey, Header};
-use log::{error, info, warn};
+use log::{debug, error, info, warn};
 use prometheus::{gather, Encoder, TextEncoder};
 use serde::Serialize;
 use std::collections::HashMap;
@@ -49,7 +49,7 @@ pub async fn run_server(config: &APIUpstreamProvider, mut to_return: Sender<Conf
        cert_creds: credsfile,
        certs_dir: config.certs_dir.clone(),
        config_sender: to_return.clone(),
-        config_api_enabled: config.config_api_enabled.clone(),
+        config_api_enabled: config.config_api_enabled,
        current_upstreams: upstreams_curr,
        full_upstreams: upstreams_full,
    };
@@ -136,7 +136,7 @@ async fn jwt_gen(State(state): State<AppState>, Json(payload): Json<Claims>) ->
        match encode(&Header::default(), &claim, &EncodingKey::from_secret(payload.master_key.as_ref())) {
            Ok(t) => {
                let tok = OutToken { token: t };
-                info!("Generating token: {:?}", tok.token);
+                debug!("Generating token: {:?}", tok.token);
                (StatusCode::CREATED, Json(tok))
            }
            Err(e) => {
@@ -283,3 +283,5 @@ fn key_authorization(headers: &HeaderMap, params: &HashMap<String, String>, mast
    }
    false
 }
+
+// -- ⚝ by Dave -- in NeoVim ⚝ --