A reverse proxy for filtering requests using user-defined policies.
Requests are only forwarded to the target if a policy allows them, i.e. the request's URL path matches the policy's path pattern and the policy's rule evaluates to true. Rules are written in CEL (Common Expression Language) and can reject requests based on request metadata such as URL parameters, the query string and request headers, e.g.
[{
"path": "/v1/users/{firstname}",
"rule": "url.params[\"firstname\"] == \"grace\" && req.header[\"lastname\"][0] == \"hopper\"",
}]
The policy proxy can be built with a recent Go toolchain and started by providing a target URL and a policies file:
go build -o policy-proxy ./cmd/proxy
./policy-proxy --target-url=https://example.com --policies-file=./policies.jwcc
The proxy is configured through the following command-line flags:
--listen-addr (default :8000):
Address to listen on for incoming requests to the proxy.
--metrics-addr (default :4000):
Address to expose the Prometheus /metrics endpoint on.
--policies-file:
Path to the file containing request policies written in JWCC.
--target-url:
Base URL of the target that requests are forwarded to. If the URL
contains a path element, it is prepended to the path inside each policy.
The policies file is written in JWCC (JSON with Commas and Comments) in the following format:
[{
// URL path pattern to match requests against
"path": string,
// CEL program validating request metadata
"rule": string,
} ... ]
A policy's rule is a CEL program with access to the following request metadata in its environment:
req.header (map[string][]string):
HTTP headers of the request.
url.params (map[string]string):
URL parameters by name (captured by the placeholders in the policy's path).
url.path (string):
URL path of the request.
url.query (map[string][]string):
URL query parameters of the request.
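The following is an added example and not code from the policy proxy itself: a stand-alone Go program that shows how a policy's path pattern yields url.params and how the request metadata listed above is laid out before a CEL rule would see it. It does not embed a CEL engine (the rule text is carried along but not evaluated), it assumes first-match semantics across the policies list, and it assumes matching happens on the percent-decoded r.URL.Path; neither of those details is stated in this README. The sample request and policy are constructed for the demonstration. One caveat the example makes visible: Go's net/http canonicalizes header names, so a request header sent as "lastname" is stored under the key "Lastname". Whether a rule must use the canonical form depends on how the proxy populates req.header, which this README does not specify.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Policy mirrors a policies-file entry: a path pattern with {name}
// placeholders and the CEL rule text (not evaluated in this example).
type Policy struct {
	Path string
	Rule string
}

// matchPath compares a request path against a policy path pattern segment by
// segment. A {name} segment captures exactly one non-empty path segment; every
// other segment must match literally. Paths are split without trimming, so the
// segment counts must agree: "/v1/users/grace/extra" and "/v1/users/grace/"
// do not match "/v1/users/{firstname}". That rules out prefix matching and
// trailing-slash variants slipping past a policy. The path is expected to be
// the decoded r.URL.Path; an encoded slash (%2F) inside a segment therefore
// changes the segment count, so the proxy should forward the same decoded
// path it matched (assumption about the proxy, not documented here).
func matchPath(pattern, path string) (map[string]string, bool) {
	ps := strings.Split(pattern, "/")
	rs := strings.Split(path, "/")
	if len(ps) != len(rs) {
		return nil, false
	}
	params := map[string]string{}
	for i, seg := range ps {
		if strings.HasPrefix(seg, "{") && strings.HasSuffix(seg, "}") {
			if rs[i] == "" {
				return nil, false
			}
			params[seg[1:len(seg)-1]] = rs[i]
			continue
		}
		if seg != rs[i] {
			return nil, false
		}
	}
	return params, true
}

// requestEnv lays out the metadata the README exposes to a CEL rule:
// req.header, url.params, url.path and url.query.
func requestEnv(r *http.Request, params map[string]string) map[string]any {
	return map[string]any{
		"req": map[string]any{
			// net/http stores "lastname" under the canonical key "Lastname".
			"header": map[string][]string(r.Header),
		},
		"url": map[string]any{
			"params": params,
			"path":   r.URL.Path,
			"query":  map[string][]string(r.URL.Query()),
		},
	}
}

// firstMatch returns the first policy whose path matches the request together
// with the captured params. ok == false means no policy applies, in which case
// the request must be denied: only an allowing policy forwards a request.
func firstMatch(policies []Policy, r *http.Request) (Policy, map[string]string, bool) {
	for _, p := range policies {
		if params, ok := matchPath(p.Path, r.URL.Path); ok {
			return p, params, true
		}
	}
	return Policy{}, nil, false
}

func main() {
	policies := []Policy{{
		Path: "/v1/users/{firstname}",
		Rule: `url.params["firstname"] == "grace" && req.header["lastname"][0] == "hopper"`,
	}}
	// Constructed sample request, not captured traffic.
	r, err := http.NewRequest("GET", "https://proxy.local/v1/users/grace?verbose=1", nil)
	if err != nil {
		panic(err)
	}
	r.Header.Set("lastname", "hopper")
	if p, params, ok := firstMatch(policies, r); ok {
		fmt.Printf("matched %s, params=%v\n", p.Path, params)
		fmt.Printf("rule to evaluate: %s\n", p.Rule)
		fmt.Printf("env: %v\n", requestEnv(r, params))
	} else {
		fmt.Println("no policy matched: deny")
	}
}
```

Running the program prints the matched policy, the captured url.params (firstname=grace) and the environment map; note that the header appears under "Lastname" in the printed env while the README's sample rule indexes "lastname".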
The policy proxy exposes the following metrics in Prometheus format on a separate address (see --metrics-addr) under the /metrics endpoint:
http_request_total (Counter):
Total number of HTTP requests.
http_request_duration_seconds (Histogram):
Histogram of HTTP request latencies in seconds.
http_request_denied_total (Counter):
Total number of denied HTTP requests.
http_request_in_flight (Gauge):
Number of HTTP requests currently being served.
This project is licensed under the MIT license.