forked from cloudflare/privacy-gateway-server-go
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
315 lines (276 loc) · 10.4 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
// Copyright (c) 2022 Cloudflare, Inc. All rights reserved.
// SPDX-License-Identifier: BSD-3-Clause
package main
import (
"bytes"
"crypto/rand"
"encoding/hex"
"fmt"
"io"
"log"
"net/http"
"os"
"strconv"
"strings"
"github.com/chris-wood/ohttp-go"
"github.com/cloudflare/circl/hpke"
)
const (
// keying material (seed) should have as many bits of entropy as the bit
// length of the x25519 secret key
defaultSeedLength = 32
// HTTP constants. Fill in your proxy and target here.
defaultPort = "8080"
defaultGatewayEndpoint = "/gateway"
defaultConfigEndpoint = "/ohttp-keys"
defaultLegacyConfigEndpoint = "/ohttp-configs"
defaultEchoEndpoint = "/gateway-echo"
defaultMetadataEndpoint = "/gateway-metadata"
defaultHealthEndpoint = "/health"
// service name to be reported as a label to monitoring subsystem
defaultMonitoringServiceName = "ohttp_gateway"
// Environment variables
gatewayEndpointEnvVariable = "GATEWAY_ENDPOINT"
configEndpointEnvVariable = "CONFIG_ENDPOINT"
legacyConfigEndpointEnvVariable = "LEGACY_CONFIG_ENDPOINT"
echoEndpointEnvVariable = "ECHO_ENDPOINT"
metadataEndpointEnvVariable = "METADATA_ENDPOINT"
healthEndpointEnvVariable = "HEALTH_ENDPOINT"
configurationIdEnvironmentVariable = "CONFIGURATION_ID"
secretSeedEnvironmentVariable = "SEED_SECRET_KEY"
targetOriginAllowList = "ALLOWED_TARGET_ORIGINS"
customRequestEncodingType = "CUSTOM_REQUEST_TYPE"
customResponseEncodingType = "CUSTOM_RESPONSE_TYPE"
certificateEnvironmentVariable = "CERT"
keyEnvironmentVariable = "KEY"
statsdHostVariable = "MONITORING_STATSD_HOST"
statsdPortVariable = "MONITORING_STATSD_PORT"
statsdTimeoutVariable = "MONITORING_STATSD_TIMEOUT_MS"
monitoringServiceNameEnvironmentVariable = "MONITORING_SERVICE_NAME"
gatewayDebugEnvironmentVariable = "GATEWAY_DEBUG"
gatewayVerboseEnvironmentVariable = "VERBOSE"
logSecretsEnvironmentVariable = "LOG_SECRETS"
)
type gatewayServer struct {
requestLabel string
responseLabel string
endpoints map[string]string
target *gatewayResource
metricsFactory MetricsFactory
}
func (s gatewayServer) formatConfiguration(w io.Writer) {
fmt.Fprint(w, "OHTTP Gateway\n")
fmt.Fprint(w, "----------------\n")
fmt.Fprintf(w, "Config endpoint: %s\n", s.endpoints["Config"])
fmt.Fprintf(w, "Legacy config endpoint: %s\n", s.endpoints["LegacyConfig"])
fmt.Fprintf(w, "Target endpoint: %s\n", s.endpoints["Target"])
fmt.Fprintf(w, " Request content type: %s\n", s.requestLabel)
fmt.Fprintf(w, " Response content type: %s\n", s.responseLabel)
fmt.Fprintf(w, "Echo endpoint: %s\n", s.endpoints["Echo"])
fmt.Fprintf(w, "Metadata endpoint: %s\n", s.endpoints["Metadata"])
fmt.Fprint(w, "----------------\n")
}
func (s gatewayServer) indexHandler(w http.ResponseWriter, r *http.Request) {
s.formatConfiguration(w)
}
func (s gatewayServer) healthCheckHandler(w http.ResponseWriter, r *http.Request) {
log.Printf("%s Handling %s\n", r.Method, r.URL.Path)
fmt.Fprint(w, "ok")
}
func getUintEnv(key string, defaultVal uint64) uint64 {
val := os.Getenv(key)
if val == "" {
return defaultVal
}
ret, err := strconv.ParseUint(val, 10, 64)
if err != nil {
return defaultVal
}
return ret
}
func getBoolEnv(key string, defaultVal bool) bool {
val := os.Getenv(key)
if val == "" {
return defaultVal
}
ret, err := strconv.ParseBool(val)
if err != nil {
return defaultVal
}
return ret
}
func getStringEnv(key string, defaultVal string) string {
val := os.Getenv(key)
if val == "" {
return defaultVal
}
return val
}
func main() {
port := os.Getenv("PORT")
if port == "" {
port = defaultPort
}
logSecrets := getBoolEnv(logSecretsEnvironmentVariable, false)
var seed []byte
if seedHex := os.Getenv(secretSeedEnvironmentVariable); seedHex != "" {
if logSecrets {
log.Printf("Using Secret Key Seed: [%v]", seedHex)
} else {
log.Print("Using Secret Key Seed provided in environment variable")
}
var err error
seed, err = hex.DecodeString(seedHex)
if err != nil {
panic(err)
}
} else {
seed = make([]byte, defaultSeedLength)
rand.Read(seed)
}
var allowedOrigins map[string]bool
var originAllowList string
if originAllowList = os.Getenv(targetOriginAllowList); originAllowList != "" {
origins := strings.Split(originAllowList, ",")
allowedOrigins = make(map[string]bool)
for _, origin := range origins {
allowedOrigins[origin] = true
}
}
var certFile string
if certFile = os.Getenv(certificateEnvironmentVariable); certFile == "" {
certFile = "cert.pem"
}
var keyFile string
enableTLSServe := true
if keyFile = os.Getenv(keyEnvironmentVariable); keyFile == "" {
keyFile = "key.pem"
enableTLSServe = false
}
debugResponse := getBoolEnv(gatewayDebugEnvironmentVariable, false)
verbose := getBoolEnv(gatewayVerboseEnvironmentVariable, false)
monitoringServiceName := getStringEnv(monitoringServiceNameEnvironmentVariable, defaultMonitoringServiceName)
configID := uint8(getUintEnv(configurationIdEnvironmentVariable, 0))
config, err := ohttp.NewConfigFromSeed(configID, hpke.KEM_X25519_KYBER768_DRAFT00, hpke.KDF_HKDF_SHA256, hpke.AEAD_AES128GCM, seed)
if err != nil {
log.Fatalf("Failed to create gateway configuration from seed: %s", err)
}
// From the primary configuration ID, create a key ID for the legacy configuration that old
// clients will use for obtaining configuration material. This will eventually be removed once all
// clients have been updated to support the primary configuration ID.
legacyConfigID := uint8((configID - 128) % 255)
seed[len(seed)-1] ^= 0xFF
legacyConfig, err := ohttp.NewConfigFromSeed(legacyConfigID, hpke.KEM_X25519_HKDF_SHA256, hpke.KDF_HKDF_SHA256, hpke.AEAD_AES128GCM, seed)
if err != nil {
log.Fatalf("Failed to create legacy gateway configuration from seed: %s", err)
}
// Create the default HTTP handler
httpHandler := FilteredHttpRequestHandler{
client: &http.Client{},
allowedOrigins: allowedOrigins,
logForbiddenErrors: verbose,
}
// Create the default gateway and its request handler chain
var gateway ohttp.Gateway
var targetHandler EncapsulationHandler
requestLabel := os.Getenv(customRequestEncodingType)
responseLabel := os.Getenv(customResponseEncodingType)
if requestLabel == "" || responseLabel == "" || requestLabel == responseLabel {
gateway = ohttp.NewDefaultGateway([]ohttp.PrivateConfig{config, legacyConfig})
requestLabel = "message/bhttp request"
responseLabel = "message/bhttp response"
targetHandler = DefaultEncapsulationHandler{
gateway: gateway,
appHandler: BinaryHTTPAppHandler{
httpHandler: httpHandler,
},
}
} else if requestLabel == "message/protohttp request" && responseLabel == "message/protohttp response" {
gateway = ohttp.NewCustomGateway([]ohttp.PrivateConfig{config, legacyConfig}, requestLabel, responseLabel)
targetHandler = DefaultEncapsulationHandler{
gateway: gateway,
appHandler: ProtoHTTPAppHandler{
httpHandler: httpHandler,
},
}
} else {
panic("Unsupported application content handler")
}
// Create the echo handler chain
echoHandler := DefaultEncapsulationHandler{
gateway: gateway,
appHandler: EchoAppHandler{},
}
// Create the metadata handler chain
metadataHandler := MetadataEncapsulationHandler{
gateway: gateway,
}
// Configure metrics
metricsHost := os.Getenv(statsdHostVariable)
metricsPort := os.Getenv(statsdPortVariable)
metricsTimeout, err := strconv.ParseInt(os.Getenv(statsdTimeoutVariable), 10, 64)
if err != nil {
log.Printf("Failed parsing metrics timeout: %s", err)
metricsTimeout = 100
}
client, err := createStatsDClient(metricsHost, metricsPort, int(metricsTimeout))
if err != nil {
log.Fatalf("Failed to create statsd client: %s", err)
}
defer client.Close()
metricsFactory := &StatsDMetricsFactory{
serviceName: monitoringServiceName,
metricsName: "ohttp_gateway_duration",
client: client,
}
// Load endpoint configuration defaults
gatewayEndpoint := getStringEnv(gatewayEndpointEnvVariable, defaultGatewayEndpoint)
configEndpoint := getStringEnv(configEndpointEnvVariable, defaultConfigEndpoint)
legacyConfigEndpoint := getStringEnv(legacyConfigEndpointEnvVariable, defaultLegacyConfigEndpoint)
echoEndpoint := getStringEnv(echoEndpointEnvVariable, defaultEchoEndpoint)
metadataEndpoint := getStringEnv(metadataEndpointEnvVariable, defaultMetadataEndpoint)
healthEndpoint := getStringEnv(healthEndpointEnvVariable, defaultHealthEndpoint)
// Install configuration endpoints
handlers := make(map[string]EncapsulationHandler)
handlers[gatewayEndpoint] = targetHandler // Content-specific handler
handlers[echoEndpoint] = echoHandler // Content-agnostic handler
handlers[metadataEndpoint] = metadataHandler // Metadata handler
target := &gatewayResource{
verbose: verbose,
legacyKeyID: legacyConfigID,
gateway: gateway,
encapsulationHandlers: handlers,
debugResponse: debugResponse,
metricsFactory: metricsFactory,
}
endpoints := make(map[string]string)
endpoints["Target"] = gatewayEndpoint
endpoints["Health"] = healthEndpoint
endpoints["Config"] = configEndpoint
endpoints["LegacyConfig"] = legacyConfigEndpoint
endpoints["Echo"] = echoEndpoint
endpoints["Metadata"] = metadataEndpoint
server := gatewayServer{
requestLabel: requestLabel,
responseLabel: responseLabel,
endpoints: endpoints,
target: target,
}
http.HandleFunc(gatewayEndpoint, server.target.gatewayHandler)
http.HandleFunc(echoEndpoint, server.target.gatewayHandler)
http.HandleFunc(metadataEndpoint, server.target.gatewayHandler)
http.HandleFunc(healthEndpoint, server.healthCheckHandler)
http.HandleFunc(legacyConfigEndpoint, target.legacyConfigHandler)
http.HandleFunc(configEndpoint, target.configHandler)
http.HandleFunc("/", server.indexHandler)
var b bytes.Buffer
server.formatConfiguration(io.Writer(&b))
log.Println(b.String())
if enableTLSServe {
log.Printf("Listening on port %v with cert %v and key %v\n", port, certFile, keyFile)
log.Fatal(http.ListenAndServeTLS(fmt.Sprintf(":%s", port), certFile, keyFile, nil))
} else {
log.Printf("Listening on port %v without enabling TLS\n", port)
log.Fatal(http.ListenAndServe(fmt.Sprintf(":%s", port), nil))
}
}