mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-02-24 19:16:54 -05:00

Files

Jörn Friedrich Dreyer 474c4b848d upgrade to go1.20 and auto set go mem limit (#5732 )

* upgrade to go1.19 and set go mem limit

* create ocis-pkg memlimit package

* use std automemlimit import

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* import automemlimit in every ocis service, drop ocis-pkg/memlimit package

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* bump go to 1.20

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* drop unused config options and env vars

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* update all version numbers, add doc

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* fix lint

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* update bingo and mockery

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* bump golangci-lint

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* fix selector test

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

* Update changelog/unreleased/enhancement-memlimit.md

Co-authored-by: kobergj <juliankoberg@googlemail.com>

---------

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
Co-authored-by: Willy Kloucek <wkloucek@owncloud.com>
Co-authored-by: kobergj <juliankoberg@googlemail.com>

2023-03-20 17:22:02 +01:00

cmd/proxy

refactor extensions -> services

2022-06-27 14:05:36 +02:00

docker

rename folder extensions -> services

2022-06-27 14:05:36 +02:00

pkg

upgrade to go1.20 and auto set go mem limit (#5732 )

2023-03-20 17:22:02 +01:00

.dockerignore

rename folder extensions -> services

2022-06-27 14:05:36 +02:00

Makefile

rename folder extensions -> services

2022-06-27 14:05:36 +02:00

README.md

update quota text

2023-02-23 10:19:07 +01:00

README.md

Proxy Service

The proxy service is an API-Gateway for the ownCloud Infinite Scale microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limitting or intrusion prevention are not included in the proxy service and must be setup in front like with an external reverse proxy.

The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers.

Authentication

The following request authentication schemes are implemented:

Basic Auth (Only use in development, never in production setups!)
OpenID Connect
Signed URL
Public Share Token

Automatic Quota Assignments

It is possible to automatically assign a specific quota to new users depending on their role. To do this, you need to configure a mapping between roles defined by their ID and the quota in bytes. The assignment can only be done via a yaml configuration and not via environment variables. See the following proxy.yaml config snippet for a configuration example.

role_quotas:
    <role ID1>: <quota1>
    <role ID2>: <quota2>

Recommendations for Production Deployments

In a production deployment, you want to have basic authentication (PROXY_ENABLE_BASIC_AUTH) disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall.