mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-30 08:51:26 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
06d4a80bc32da0c78b1ece47878f6fd60027366e
opencloud/services/proxy
History
Ralf Haferkamp ee974afebf [full-ci] Introduce TLS Settings for go-micro based grpc services and clients (#4901) 
* Introduce TLS Settings for go-micro based grpc services and clients

TLS for the services can be configure by setting the OCIS_MICRO_GRPC_TLS_ENABLED"
"OCIS_MICRO_GRPC_TLS_CERTIFICATE" and "OCIS_MICRO_GRPC_TLS_KEY"
enviroment variables.

TLS for the clients can configured by setting the "OCIS_MICRO_GRPC_CLIENT_TLS_MODE"
and "OCIS_MICRO_GRPC_CLIENT_TLS_CACERT" variables.

By default TLS is disabled.

Co-authored-by: Martin <github@diemattels.at>

* Unify TLS configuration for all grpc services

All grpc service (whether they're based on reva) or go-micro use the
same set of config vars now.

TLS for the services can be configure by setting the OCIS_GRPC_TLS_ENABLED,
OCIS_GRPC_TLS_CERTIFICATE and OCIS_GRPC_TLS_KEY enviroment variables.

TLS for the clients can configured by setting the OCIS_GRPC_CLIENT_TLS_MODE
and OCIS_MICRO_GRPC_CLIENT_TLS_CACERT variables.

There are no individual per service config vars currently. If really
needed, per service tls configurations can be specified via config file.

Co-authored-by: Martin <github@diemattels.at>

Co-authored-by: Martin <github@diemattels.at>
2022-11-03 10:17:08 +01:00
..
cmd/proxy
refactor extensions -> services
2022-06-27 14:05:36 +02:00
docker
rename folder extensions -> services
2022-06-27 14:05:36 +02:00
pkg
[full-ci] Introduce TLS Settings for go-micro based grpc services and clients (#4901)
2022-11-03 10:17:08 +01:00
.dockerignore
rename folder extensions -> services
2022-06-27 14:05:36 +02:00
Makefile
rename folder extensions -> services
2022-06-27 14:05:36 +02:00
README.md
Update services/proxy/README.md
2022-10-27 12:56:06 +02:00

README.md

Proxy Service

The proxy service is an API-Gateway for the ownCloud Infinite Scale microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limitting or intrusion prevention are not included in the proxy service and must be setup in front like with an external reverse proxy.

The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers.

Authentication

The following request authentication schemes are implemented:

  • Basic Auth (Only use in development, never in production setups!)
  • OpenID Connect
  • Signed URL
  • Public Share Token

Recommendations for Production Deployments

In a production deployment, you want to have basic authentication (PROXY_ENABLE_BASIC_AUTH) disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall.

Reference in New Issue View Git Blame Copy Permalink