diff --git a/README.md b/README.md index 1bdcbc1..3e29a56 100644 --- a/README.md +++ b/README.md @@ -43,6 +43,7 @@ It's designed to be straightforward and efficient, offering features, like: - Cross-Origin Resource Sharing (CORS) - Custom Headers - Backend Errors interceptor +- Logging - Support TLS - Block common exploits middleware - Patterns to detect SQL injection attempts @@ -57,10 +58,12 @@ It's designed to be straightforward and efficient, offering features, like: - Limit HTTP methods allowed for a particular route. ### Todo: - - - [ ] Distributed Rate Limiting for In-Memory client IP based across multiple instances using Redis + - [x] Support Load Balancing, round-robin algorithm + - [ ] Load Balancing Healthcheck, disable unavailable servers - [ ] Blocklist IP address middleware - + - [ ] Tracing + - [ ] Metrics + - [ ] Distributed Rate Limiting for In-Memory client IP based across multiple instances using Redis ---- diff --git a/docs/index.md b/docs/index.md index 8cc3cc9..f7c0c5b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -71,7 +71,7 @@ While it may work against different implementations, there are no guarantees abo We decided to publish this image as a simpler and more lightweight because of the following requirements: -- The original image is based on `Alpine` and requires additional tools, making it heavy. +- The original image is based on `Alpine`, making it heavy. - This image is written in Go. - `arm64` and `arm/v7` architectures are supported. - Docker in Swarm mode is supported. diff --git a/docs/install/docker.md b/docs/install/docker.md new file mode 100644 index 0000000..2823813 --- /dev/null +++ b/docs/install/docker.md @@ -0,0 +1,49 @@ +--- +title: Docker +layout: default +parent: Installation +nav_order: 4 +--- + +# Docker Installation + +Details about how to use Goma in Docker can be found on the hub.docker.com repo hosting the image: Goma. +We also have some cool examples with [Docker Compose template](https://github.com/jkaninda/goma-gateway/tree/main/examples) with built-in orchestration and scalability. + +## 1. Initialize configuration + +You can generate the configuration file using `config init --output /etc/goma/config.yml` command. + +The default configuration is automatically generated if any configuration file is not provided, and is available at `/etc/goma/goma.yml` + +```shell +docker run --rm --name goma-gateway \ + -v "${PWD}/config:/etc/goma/" \ + jkaninda/goma-gateway config init --output /etc/goma/config.yml +``` + +### 3. Start server with a custom config +```shell +docker run --rm --name goma-gateway \ + -v "${PWD}/config:/etc/goma/" \ + -p 8080:8080 \ + jkaninda/goma-gateway server --config /config/config.yml +``` +### 4. Healthcheck + +- Goma Gateway health check: `/health/live` +- Routes health check: `health/routes` + +### 5. Simple deployment in docker compose file + +```yaml +services: + goma-gateway: + image: jkaninda/goma-gateway + command: server + ports: + - "8080:8080" + - "8443:8443" + volumes: + - ./config:/etc/goma/ +``` \ No newline at end of file diff --git a/docs/install/index.md b/docs/install/index.md new file mode 100644 index 0000000..572cac4 --- /dev/null +++ b/docs/install/index.md @@ -0,0 +1,8 @@ +--- +title: Installation +layout: default +nav_order: 2 +has_children: true +--- + +## Installation \ No newline at end of file diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md new file mode 100644 index 0000000..bf53139 --- /dev/null +++ b/docs/install/kubernetes.md @@ -0,0 +1,227 @@ +--- +title: Kubernetes +layout: default +parent: Installation +nav_order: 4 +--- + +# Kubernetes Installation + + +Details about how to use Goma in Kubernetes can be found on the hub.docker.com repo hosting the image: Goma. +We also have some cool examples with [Kubernetes deployment template](https://github.com/jkaninda/goma-gateway/tree/main/examples) with built-in orchestration and scalability. + +## 1. Generate a configuration file + +You can generate the configuration file using `config init --output /etc/goma/config.yml` command. + +The default configuration is automatically generated if any configuration file is not provided, and is available at `/etc/goma/goma.yml` + +```shell +docker run --rm --name goma-gateway \ + -v "${PWD}/config:/etc/goma/" \ + jkaninda/goma-gateway config init --output /etc/goma/config.yml +``` + +## 2. Create ConfigMap + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: goma-config +data: + goma.yml: | + # Goma Gateway configurations + version: 0.1.7 + gateway: + # Proxy write timeout + writeTimeout: 15 + # Proxy read timeout + readTimeout: 15 + # Proxy idle timeout + idleTimeout: 30 + ## SSL Certificate file + sslCertFile: '' #cert.pem + ## SSL Private Key file + sslKeyFile: ''#key.pem + # Proxy rate limit, it's In-Memory IP based + rateLimit: 0 + accessLog: "/dev/Stdout" + errorLog: "/dev/stderr" + ## Enable, disable routes health check + disableHealthCheckStatus: false + ## Returns backend route healthcheck errors + disableRouteHealthCheckError: false + # Disable display routes on start + disableDisplayRouteOnStart: false + # disableKeepAlive allows enabling and disabling KeepALive server + disableKeepAlive: false + # Block common exploits | detect SQL injection, and simple XSS attempts + blockCommonExploits: false + # interceptErrors intercepts backend errors based on defined the status codes + interceptErrors: + - 405 + - 500 + # - 400 + # Proxy Global HTTP Cors + cors: + # Global routes cors for all routes + origins: + - http://localhost:8080 + - https://example.com + # Global routes cors headers for all routes + headers: + Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id' + Access-Control-Allow-Credentials: 'true' + Access-Control-Max-Age: 1728000 + ##### Define routes + routes: + # Example of a route | 1 + - name: Public # Name is optional + # host Domain/host based request routing + host: "" # Host is optional + path: /public + ## Rewrite a request path + # e.g rewrite: /store to / + rewrite: / + destination: https://example.com + # Limit HTTP methods allowed for this route + methods: [POST, PUT, GET] + #DisableHeaderXForward Disable X-forwarded header. + # [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ] + # It will not match the backend route, by default, it's disabled + disableHeaderXForward: false + # Internal health check + healthCheck: '' #/internal/health/ready + # Route Cors, global cors will be overridden by route + cors: + # Route Origins Cors, route will override global cors origins + origins: + - https://dev.example.com + - http://localhost:3000 + - https://example.com + # Route Cors headers, route will override global cors headers + headers: + Access-Control-Allow-Methods: 'GET' + Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id' + Access-Control-Allow-Credentials: 'true' + Access-Control-Max-Age: 1728000 + ##### Apply middlewares to the route + ## The name must be unique + ## List of middleware name + middlewares: + - api-forbidden-paths + # Example of a route | 2 + - name: Basic auth + path: /protected + rewrite: / + destination: https://example.com + methods: [] + healthCheck: + cors: {} + middlewares: + - api-forbidden-paths + - basic-auth + + #Defines proxy middlewares + # middleware name must be unique + middlewares: + # Enable Basic auth authorization based + - name: basic-auth + # Authentication types | jwt, basic, OAuth + type: basic + paths: + - /user + - /admin + - /account + rule: + username: admin + password: admin + #Enables JWT authorization based on the result of a request and continues the request. + - name: google-auth + # Authentication types | jwt, basic, OAuth + # jwt authorization based on the result of backend's response and continue the request when the client is authorized + type: jwt + # Paths to protect + paths: + - /protected-access + - /example-of-jwt + #- /* or wildcard path + rule: + # This is an example URL + url: https://www.googleapis.com/auth/userinfo.email + # Required headers, if not present in the request, the proxy will return 403 + requiredHeaders: + - Authorization + # You can also get headers from the authentication request result and inject them into the next request header or params. + # In case you want to get headers from the authentication service and inject them into the next request headers. + # Set the request variable to the given value after the authorization request completes. + # In case you want to get headers from the authentication service and inject them into the next request headers. + # Key is authentication request response header Key. Value is the next Request header Key. + headers: + userId: Auth-UserId + userCountryId: Auth-UserCountryId + # In case you want to get headers from the Authentication service and inject them to the next request params. + #Key is authentication request response header Key. Value is the next Request parameter Key. + params: + userCountryId: countryId + # The server will return 403 + - name: api-forbidden-paths + type: access + ## prevents access paths + paths: + - /swagger-ui/* + - /v2/swagger-ui/* + - /api-docs/* + - /internal/* + - /actuator/* +``` +## 3. Create Kubernetes deployment + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: goma-gateway +spec: + selector: + matchLabels: + app: goma-gateway + template: + metadata: + labels: + app: goma-gateway + spec: + containers: + - name: goma-gateway + image: jkaninda/goma-gateway + command: ["goma","server"] + resources: + limits: + memory: "128Mi" + cpu: "200m" + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: /health/live + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 10 + readinessProbe: + httpGet: + path: /health/live + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 10 + volumeMounts: + - name: config + mountPath: /etc/goma/ + volumes: + - name: config + configMap: + name: goma-config +``` \ No newline at end of file diff --git a/docs/middleware.md b/docs/middleware.md deleted file mode 100644 index ab1aa39..0000000 --- a/docs/middleware.md +++ /dev/null @@ -1,233 +0,0 @@ ---- -title: Middleware -layout: default -nav_order: 4 ---- - - -## Middlewares - -Middleware is a function executed before (or after) the route callback. - -This is a great way to add API authentication checks, or to validate that the user has permission to access the route. - -With Goma you can create your middleware based on the type you want and apply it on your routes - -Goma Gateway supports : - -- Authentication middleware - - JWT `client authorization based on the result of a request` - - Basic-Auth - - OAuth -- Rate limiting middleware - - In-Memory client IP based -- Access middleware - -### BasicAuth middleware -The BasicAuth middleware grants access to route to authorized users only. - -### Configuration Options - -You don't need to hash your password (MD5, SHA1, or BCrypt), Goma gateway will handle it. - -You need just to provide the username and password - -Example of basic-auth middleware -```yaml -middlewares: - # Middleware name - - name: basic-auth - # Middleware type - type: basic - # Paths to apply middleware - paths: - - /user - - /admin - - /account - rule: - username: admin - password: admin -``` - -### JWT middleware - -As BasicAuth, JWT middleware grants also access to route to authorized users only. -It implements client authorization based on the result of a request. - -If the request returns a 200 response code, access is allowed. -If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the request is considered an error. - -It depends on an authentication service on the backend. - -It works as `ngx_http_auth_request_module` on Nginx -```conf -location /private/ { - auth_request /auth; - ... -} - -location = /auth { - proxy_pass ... - proxy_pass_request_body off; - proxy_set_header Content-Length ""; - proxy_set_header X-Original-URI $request_uri; -} -``` - -You can also get headers from the authentication request result and inject them into the next request header or params. - -In case you want to get headers from the authentication service and inject them into the next request headers. - -Set the request variable to the given value after the authorization request completes. - -Key is authentication request response header Key. Value is the next Request header Key. - -```yaml - headers: - ## Key Authentication request header key and value is next request header key - userId: X-Auth-UserId - userCountryId: X-Auth-UserCountryId -``` -The second example, is in case you want to get headers from the authentication request and inject them into the next request parameters. -Key is authentication request response header Key. Value is the next Request parameter Key. - -See the example below. - -```yaml - # Key Authentication request header key and value is next request parameter key - params: - userId: userId - userCountryId: countryId -``` -Example of JWT middleware -```yaml -middlewares: - #Enables JWT authorization based on the result of a request and continues the request. - - name: google-auth - # jwt authorization based on the result of backend's response and continue the request when the client is authorized - type: jwt - # Paths to protect - paths: - - /protected-access - - /example-of-jwt - #- /* or wildcard path - rule: - # This is an example URL - url: https://www.googleapis.com/auth/userinfo.email - # Required headers, if not present in the request, the proxy will return 403 - requiredHeaders: - - Authorization - #Set the request variable to the given value after the authorization request completes. - # - # Add header to the next request from AuthRequest header, depending on your requirements - # Key is AuthRequest's response header Key, and value is Request's header Key - # In case you want to get headers from the authentication service and inject them into the next request header or parameters, - #Set the request variable to the given value after completing the authorization request. - # - # Add header to the next request from AuthRequest header, depending on your requirements - # Key is AuthRequest's response header Key, and value is next request header Key - # In case you want to get headers from the authentication service and inject them into the next request headers. - headers: - userId: X-Auth-UserId - userCountryId: X-Auth-UserCountryId - # In case you want to get headers from the Authentication service and inject them to the next request params. - params: - userCountryId: countryId -``` -### OAuth middleware - -Example of Google provider - -```yaml - - name: google-oauth - type: oauth - paths: - - /* - rule: - clientId: xxx - clientSecret: xxxx - # oauth provider google, gitlab, github, amazon, facebook, custom - provider: google # facebook, gitlab, github, amazon - redirectUrl: https://example.com/callback/protected - #RedirectPath is the PATH to redirect users after authentication, e.g: /my-protected-path/dashboard - redirectPath: /dashboard - scopes: - - https://www.googleapis.com/auth/userinfo.email - - https://www.googleapis.com/auth/userinfo.profile - state: randomStateString - jwtSecret: your-strong-jwt-secret | It's optional - -``` - -Example of Authentik provider - -```yaml - - name: oauth-authentik - type: oauth - paths: - - /protected - - /example-of-oauth - rule: - clientId: xxx - clientSecret: xxx - # oauth provider google, gitlab, github, amazon, facebook, custom - provider: custom - endpoint: - authUrl: https://authentik.example.com/application/o/authorize/ - tokenUrl: https://authentik.example.com/application/o/token/ - userInfoUrl: https://authentik.example.com/application/o/userinfo/ - redirectUrl: https://example.com/callback - #RedirectPath is the PATH to redirect users after authentication, e.g: /my-protected-path/dashboard - redirectPath: '' - #CookiePath e.g.: /my-protected-path or / || by default is applied on a route path - cookiePath: "/" - scopes: - - email - - openid - state: randomStateString - jwtSecret: your-strong-jwt-secret | It's optional - -``` -### Access middleware - -Access middleware prevents access to a route or specific route path. - -Example of access middleware -```yaml - # The server will return 403 - - name: api-forbidden-paths - type: access - ## prevents access paths - paths: - - /swagger-ui/* - - /v2/swagger-ui/* - - /api-docs/* - - /internal/* - - /actuator/* -``` -### RateLimit middleware - -The RateLimit middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is. - -Example of rateLimit middleware -```yaml - -``` - -### Apply middleware on the route - -```yaml - ##### Define routes - routes: - - name: Basic auth - path: /protected - rewrite: / - destination: 'https://example.com' - methods: [POST, PUT, GET] - healthCheck: - cors: {} - middlewares: - # Name of middleware - - basic-auth - - access -``` diff --git a/docs/middleware/access.md b/docs/middleware/access.md new file mode 100644 index 0000000..a74f757 --- /dev/null +++ b/docs/middleware/access.md @@ -0,0 +1,40 @@ +--- +title: Access +layout: default +parent: Middleware +nav_order: 2 +--- + + +# Access Middleware + +Access middleware prevents access to a route or specific route path. + +Example of access middleware + +```yaml + # The server will return 403 + - name: api-forbidden-paths + type: access + ## prevents access paths + paths: + - /swagger-ui/* + - /v2/swagger-ui/* + - /api-docs/* + - /internal/* + - /actuator/* +``` +### Apply access middleware on the route + +```yaml + routes: + - path: /protected + name: Basic auth + rewrite: / + destination: 'https://example.com' + methods: [POST, PUT, GET] + healthCheck: + cors: {} + middlewares: + - api-forbidden-paths +``` \ No newline at end of file diff --git a/docs/middleware/basic.md b/docs/middleware/basic.md new file mode 100644 index 0000000..efe3267 --- /dev/null +++ b/docs/middleware/basic.md @@ -0,0 +1,41 @@ +--- +title: Basic auth +layout: default +parent: Middleware +nav_order: 3 +--- + + +# Basic Auth Middleware + + +Access middleware prevents access to a route or specific route path. + +Example of access middleware + +```yaml + # The server will return 403 + - name: api-forbidden-paths + type: access + ## prevents access paths + paths: + - /swagger-ui/* + - /v2/swagger-ui/* + - /api-docs/* + - /internal/* + - /actuator/* +``` +### Apply access middleware on the route + +```yaml + routes: + - path: /protected + name: Basic auth + rewrite: / + destination: 'https://example.com' + methods: [POST, PUT, GET] + healthCheck: + cors: {} + middlewares: + - api-forbidden-paths +``` \ No newline at end of file diff --git a/docs/middleware/index.md b/docs/middleware/index.md new file mode 100644 index 0000000..4c32b14 --- /dev/null +++ b/docs/middleware/index.md @@ -0,0 +1,8 @@ +--- +title: Middleware +layout: default +nav_order: 4 +has_children: true +--- + +## Middleware \ No newline at end of file diff --git a/docs/middleware/intro.md b/docs/middleware/intro.md new file mode 100644 index 0000000..7519046 --- /dev/null +++ b/docs/middleware/intro.md @@ -0,0 +1,23 @@ +--- +title: Intro +layout: default +parent: Middleware +nav_order: 1 +--- +# Middlewares + +Middleware is a function executed before (or after) the route callback. + +This is a great way to add API authentication checks, or to validate that the user has permission to access the route. + +With Goma you can create your middleware based on the type you want and apply it on your routes + +Goma Gateway supports : + +- Authentication middleware + - JWT `client authorization based on the result of a request` + - Basic-Auth + - OAuth +- Rate limiting middleware + - In-Memory client IP based +- Access middleware \ No newline at end of file diff --git a/docs/middleware/jwt.md b/docs/middleware/jwt.md new file mode 100644 index 0000000..1f7ea8c --- /dev/null +++ b/docs/middleware/jwt.md @@ -0,0 +1,93 @@ +--- +title: JWT auth +layout: default +parent: Middleware +nav_order: 4 +--- + + +### JWT middleware + +As BasicAuth, JWT middleware grants also access to route to authorized users only. +It implements client authorization based on the result of a request. + +If the request returns a 200 response code, access is allowed. +If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the request is considered an error. + +It depends on an authentication service on the backend. + +It works as `ngx_http_auth_request_module` on Nginx +```conf +location /private/ { + auth_request /auth; + ... +} + +location = /auth { + proxy_pass ... + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; +} +``` + +You can also get headers from the authentication request result and inject them into the next request header or params. + +In case you want to get headers from the authentication service and inject them into the next request headers. + +Set the request variable to the given value after the authorization request completes. + +Key is authentication request response header Key. Value is the next Request header Key. + +```yaml + headers: + ## Key Authentication request header key and value is next request header key + userId: X-Auth-UserId + userCountryId: X-Auth-UserCountryId +``` +The second example, is in case you want to get headers from the authentication request and inject them into the next request parameters. +Key is authentication request response header Key. Value is the next Request parameter Key. + +See the example below. + +```yaml + # Key Authentication request header key and value is next request parameter key + params: + userId: userId + userCountryId: countryId +``` +Example of JWT middleware +```yaml +middlewares: + #Enables JWT authorization based on the result of a request and continues the request. + - name: google-auth + # jwt authorization based on the result of backend's response and continue the request when the client is authorized + type: jwt + # Paths to protect + paths: + - /protected-access + - /example-of-jwt + #- /* or wildcard path + rule: + # This is an example URL + url: https://www.example.com/auth/access + # Required headers, if not present in the request, the proxy will return 403 + requiredHeaders: + - Authorization + #Set the request variable to the given value after the authorization request completes. + # + # Add header to the next request from AuthRequest header, depending on your requirements + # Key is AuthRequest's response header Key, and value is Request's header Key + # In case you want to get headers from the authentication service and inject them into the next request header or parameters, + #Set the request variable to the given value after completing the authorization request. + # + # Add header to the next request from AuthRequest header, depending on your requirements + # Key is AuthRequest's response header Key, and value is next request header Key + # In case you want to get headers from the authentication service and inject them into the next request headers. + headers: + userId: X-Auth-UserId + userCountryId: X-Auth-UserCountryId + # In case you want to get headers from the Authentication service and inject them to the next request params. + params: + userCountryId: countryId +``` \ No newline at end of file diff --git a/docs/middleware/oauth.md b/docs/middleware/oauth.md new file mode 100644 index 0000000..84d00bb --- /dev/null +++ b/docs/middleware/oauth.md @@ -0,0 +1,102 @@ +--- +title: OAuth auth +layout: default +parent: Middleware +nav_order: 5 +--- + +### OAuth middleware + +Example of Google provider + +```yaml + - name: google-oauth + type: oauth + paths: + - /* + rule: + clientId: xxx + clientSecret: xxxx + # oauth provider google, gitlab, github, amazon, facebook, custom + provider: google # facebook, gitlab, github, amazon + redirectUrl: https://example.com/callback/protected + #RedirectPath is the PATH to redirect users after authentication, e.g: /my-protected-path/dashboard + redirectPath: /dashboard + scopes: + - https://www.googleapis.com/auth/userinfo.email + - https://www.googleapis.com/auth/userinfo.profile + state: randomStateString + jwtSecret: your-strong-jwt-secret | It's optional + +``` + +Example of Authentik provider + +```yaml + - name: oauth-authentik + type: oauth + paths: + - /protected + - /example-of-oauth + rule: + clientId: xxx + clientSecret: xxx + # oauth provider google, gitlab, github, amazon, facebook, custom + provider: custom + endpoint: + authUrl: https://authentik.example.com/application/o/authorize/ + tokenUrl: https://authentik.example.com/application/o/token/ + userInfoUrl: https://authentik.example.com/application/o/userinfo/ + redirectUrl: https://example.com/callback + #RedirectPath is the PATH to redirect users after authentication, e.g: /my-protected-path/dashboard + redirectPath: '' + #CookiePath e.g.: /my-protected-path or / || by default is applied on a route path + cookiePath: "/" + scopes: + - email + - openid + state: randomStateString + jwtSecret: your-strong-jwt-secret | It's optional + +``` +### Access middleware + +Access middleware prevents access to a route or specific route path. + +Example of access middleware +```yaml + # The server will return 403 + - name: api-forbidden-paths + type: access + ## prevents access paths + paths: + - /swagger-ui/* + - /v2/swagger-ui/* + - /api-docs/* + - /internal/* + - /actuator/* +``` +### RateLimit middleware + +The RateLimit middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is. + +Example of rateLimit middleware +```yaml + +``` + +### Apply middleware on the route + +```yaml + ##### Define routes + routes: + - name: Basic auth + path: /protected + rewrite: / + destination: 'https://example.com' + methods: [POST, PUT, GET] + healthCheck: + cors: {} + middlewares: + - oauth-authentik +``` \ No newline at end of file diff --git a/docs/middleware/rate-limit.md b/docs/middleware/rate-limit.md new file mode 100644 index 0000000..5bc3f67 --- /dev/null +++ b/docs/middleware/rate-limit.md @@ -0,0 +1,22 @@ +--- +title: Rate Limit +layout: default +parent: Middleware +nav_order: 6 +--- + + +### RateLimit middleware + +The RateLimit middleware ensures that services will receive a fair number of requests, and allows one to define what fair is. + +Example of global rateLimit middleware + +```yaml +version: 0.1.7 +gateway: + # Proxy rate limit, it's In-Memory IP based + rateLimit: 60 # peer minute + routes: + - name: Example +``` diff --git a/docs/quickstart.md b/docs/quickstart.md deleted file mode 100644 index b227d1a..0000000 --- a/docs/quickstart.md +++ /dev/null @@ -1,191 +0,0 @@ ---- -title: Quickstart -layout: default -nav_order: 2 ---- - - -## Usage - -### 1. Initialize configuration - -You can generate the configuration file using `config init --output /etc/goma/config.yml` command. - -The default configuration is automatically generated if any configuration file is not provided, and is available at `/etc/goma/goma.yml` - -```shell -docker run --rm --name goma-gateway \ - -v "${PWD}/config:/etc/goma/" \ - jkaninda/goma-gateway config init --output /etc/goma/config.yml -``` - -### 3. Start server with a custom config -```shell -docker run --rm --name goma-gateway \ - -v "${PWD}/config:/etc/goma/" \ - -p 8080:8080 \ - jkaninda/goma-gateway server --config /config/config.yml -``` -### 4. Healthcheck - -- Goma Gateway health check: `/health/live` -- Routes health check: `health/routes` - -### 5. Simple deployment in docker compose file - -```yaml -services: - goma-gateway: - image: jkaninda/goma-gateway - command: server - ports: - - "8080:8080" - - "8443:8443" - volumes: - - ./config:/etc/goma/ -``` - -## Customize configuration file - -Example of a configuration file -```yaml -# Goma Gateway configurations -gateway: - # Proxy write timeout - writeTimeout: 15 - # Proxy read timeout - readTimeout: 15 - # Proxy idle timeout - idleTimeout: 60 - ## SSL Certificate file - sslCertFile: '' #cert.pem - ## SSL Private Key file - sslKeyFile: ''#key.pem - # Proxy rate limit, it's In-Memory IP based - rateLimiter: 0 - accessLog: "/dev/Stdout" - errorLog: "/dev/stderr" - ## Enable, disable routes health check - disableHealthCheckStatus: false - ## Returns backend route healthcheck errors - disableRouteHealthCheckError: false - # Disable display routes on start - disableDisplayRouteOnStart: false - # disableKeepAlive allows enabling and disabling KeepALive server - disableKeepAlive: false - blockCommonExploits: false - # interceptErrors intercepts backend errors based on defined the status codes - interceptErrors: - - 405 - - 500 - # - 400 - # Proxy Global HTTP Cors - cors: - # Global routes cors for all routes - origins: - - http://localhost:8080 - - https://example.com - # Global routes cors headers for all routes - headers: - Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id' - Access-Control-Allow-Credentials: 'true' - Access-Control-Max-Age: 1728000 - ##### Define routes - routes: - # Example of a route | 1 - - name: Public - # host Domain/host based request routing - host: "" # Host is optional - path: /public - ## Rewrite a request path - # e.g rewrite: /store to / - rewrite: / - destination: https://example.com - #DisableHeaderXForward Disable X-forwarded header. - # [X-Forwarded-Host, X-Forwarded-For, Host, Scheme ] - # It will not match the backend route, by default, it's disabled - disableHeaderXForward: false - # Internal health check - healthCheck: '' #/internal/health/ready - # Route Cors, global cors will be overridden by route - cors: - # Route Origins Cors, route will override global cors origins - origins: - - https://dev.example.com - - http://localhost:3000 - - https://example.com - # Route Cors headers, route will override global cors headers - headers: - Access-Control-Allow-Methods: 'GET' - Access-Control-Allow-Headers: 'Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id' - Access-Control-Allow-Credentials: 'true' - Access-Control-Max-Age: 1728000 - ##### Apply middlewares to the route - ## The name must be unique - ## List of middleware name - middlewares: - - api-forbidden-paths - # Example of a route | 2 - - name: Basic auth - path: /protected - rewrite: / - destination: https://example.com - healthCheck: - cors: {} - middlewares: - - api-forbidden-paths - - basic-auth - -#Defines proxy middlewares -# middleware name must be unique -middlewares: - # Enable Basic auth authorization based - - name: basic-auth - # Authentication types | jwt, basic, OAuth - type: basic - paths: - - /user - - /admin - - /account - rule: - username: admin - password: admin - #Enables JWT authorization based on the result of a request and continues the request. - - name: google-auth - # Authentication types | jwt, basic, OAuth - # jwt authorization based on the result of backend's response and continue the request when the client is authorized - type: jwt - # Paths to protect - paths: - - /protected-access - - /example-of-jwt - #- /* or wildcard path - rule: - # This is an example URL - url: https://www.googleapis.com/auth/userinfo.email - # Required headers, if not present in the request, the proxy will return 403 - requiredHeaders: - - Authorization - # You can also get headers from the authentication request result and inject them into the next request header or params. - # In case you want to get headers from the authentication service and inject them into the next request headers. - # Set the request variable to the given value after the authorization request completes. - # In case you want to get headers from the authentication service and inject them into the next request headers. - # Key is authentication request response header Key. Value is the next Request header Key. - headers: - userId: Auth-UserId - userCountryId: Auth-UserCountryId - # In case you want to get headers from the Authentication service and inject them to the next request params. - #Key is authentication request response header Key. Value is the next Request parameter Key. - params: - userCountryId: countryId - # The server will return 403 - - name: api-forbidden-paths - type: access - ## prevents access paths - paths: - - /swagger-ui/* - - /v2/swagger-ui/* - - /api-docs/* - - /internal/* - - /actuator/* -``` diff --git a/docs/quickstart/gateway.md b/docs/quickstart/gateway.md new file mode 100644 index 0000000..76bd28d --- /dev/null +++ b/docs/quickstart/gateway.md @@ -0,0 +1,39 @@ +--- +title: Gateway +layout: default +parent: Quickstart +nav_order: 1 +--- + +# Gateway + +```yaml +version: 1.0 +gateway: + sslCertFile: cert.pem + sslKeyFile: key.pem + writeTimeout: 15 + readTimeout: 15 + idleTimeout: 30 + # Rate limiting + rateLimiter: 0 + accessLog: /dev/Stdout + errorLog: /dev/stderr + disableRouteHealthCheckError: false + disableDisplayRouteOnStart: false + disableKeepAlive: false + disableHealthCheckStatus: false + blockCommonExploits: true + interceptErrors: + - 500 + cors: + origins: + - http://localhost:8080 + - https://example.com + headers: + Access-Control-Allow-Credentials: "true" + Access-Control-Allow-Headers: Origin, Authorization, Accept, Content-Type, Access-Control-Allow-Headers, X-Client-Id, X-Session-Id + Access-Control-Max-Age: "1728000" + routes: +``` + diff --git a/docs/quickstart/healthcheck.md b/docs/quickstart/healthcheck.md new file mode 100644 index 0000000..a78792c --- /dev/null +++ b/docs/quickstart/healthcheck.md @@ -0,0 +1,54 @@ +--- +title: Healthcheck +layout: default +parent: Quickstart +nav_order: 5 +--- + + +# Healthcheck + +Goma comes with routes healthcheck, that can be enabled and disabled. + + +- Goma Gateway healthcheck: `/health/live` +- Routes health check: `health/routes` + +### Gateway healthcheck response: + +```json +{ + "name": "Service Gateway", + "status": "healthy", + "error": "" +} +``` +### Routes healthcheck response: + +```json +{ + "status": "healthy", + "routes": [ + { + "name": "order-service", + "status": "healthy", + "error": "" + }, + { + "name": "notification-service", + "status": "healthy", + "error": "" + }, + { + "name": "store-service", + "status": "healthy", + "error": "" + }, + { + "name": "account-service", + "status": "healthy", + "error": "" + } + ] +} +``` \ No newline at end of file diff --git a/docs/quickstart/index.md b/docs/quickstart/index.md new file mode 100644 index 0000000..9e420b5 --- /dev/null +++ b/docs/quickstart/index.md @@ -0,0 +1,8 @@ +--- +title: Quickstart +layout: default +nav_order: 3 +has_children: true +--- + +## Quickstart \ No newline at end of file diff --git a/docs/quickstart/loadbalanging.md b/docs/quickstart/loadbalanging.md new file mode 100644 index 0000000..05bd477 --- /dev/null +++ b/docs/quickstart/loadbalanging.md @@ -0,0 +1,12 @@ +--- +title: Load Balancing +layout: default +parent: Quickstart +nav_order: 4 +--- + + +# Load Balancing + + + diff --git a/docs/route.md b/docs/quickstart/route.md similarity index 98% rename from docs/route.md rename to docs/quickstart/route.md index f7fc88c..333a843 100644 --- a/docs/route.md +++ b/docs/quickstart/route.md @@ -1,17 +1,21 @@ --- -title: Routes +title: Route layout: default -nav_order: 3 +parent: Quickstart +nav_order: 2 --- -## Routes +# Route -The Route allows you to match on HTTP traffic and direct it to the backend. +The Route allows you to match on HTTP traffic and direct it to the backend. ### Example of a route ```yaml +version: 1.0 +gateway: + routes: - name: Example path: /store/cart rewrite: /cart diff --git a/docs/quickstart/ssl.md b/docs/quickstart/ssl.md new file mode 100644 index 0000000..2eea6b4 --- /dev/null +++ b/docs/quickstart/ssl.md @@ -0,0 +1,19 @@ +--- +title: SSL Certificate +layout: default +parent: Quickstart +nav_order: 4 +--- + + +# SSL Certificate + + + +```yaml +version: 1.0 +gateway: + sslCertFile: cert.pem + sslKeyFile: key.pem +``` + diff --git a/docs/robots.txt b/docs/robots.txt new file mode 100644 index 0000000..7d329b1 --- /dev/null +++ b/docs/robots.txt @@ -0,0 +1 @@ +User-agent: * diff --git a/docs/upgrade/index.md b/docs/upgrade/index.md new file mode 100644 index 0000000..34ecb13 --- /dev/null +++ b/docs/upgrade/index.md @@ -0,0 +1,8 @@ +--- +title: Upgrade Notes +layout: default +nav_order: 5 +has_children: true +--- + +## Upgrade Notes \ No newline at end of file diff --git a/examples/configMap.yaml b/examples/configMap.yaml index 7b82992..f005ce5 100644 --- a/examples/configMap.yaml +++ b/examples/configMap.yaml @@ -5,7 +5,7 @@ metadata: data: goma.yml: | # Goma Gateway configurations - version: 0.1.7 + version: 1.0 gateway: # Proxy write timeout writeTimeout: 15 diff --git a/examples/goma.yml b/examples/goma.yml index aac44c2..fc2b68e 100644 --- a/examples/goma.yml +++ b/examples/goma.yml @@ -1,5 +1,5 @@ # Goma Gateway configurations -version: 0.1.7 +version: 1.0 gateway: # Proxy write timeout writeTimeout: 15 diff --git a/goma.yml b/goma.yml index 6a5450c..2949f0e 100644 --- a/goma.yml +++ b/goma.yml @@ -1,4 +1,5 @@ # Goma Gateway configurations +version: 1.0 gateway: # Proxy write timeout writeTimeout: 15