1dsmp - development service (probably management) platform
2
3for internal/development/integration use only
4
5get started:
6 # cp app/etc/proxy.json /tmp/dsmp_config/
7 # docker build -t dsmp:latest .
8 # docker run -it -p 8080:80 -p 8443:443 -v /tmp/dsmp_config/:/config --tmpfs /ram dsmp:latest
9tmpfs is optional and only needed for lb-accounting if rule->url[] contains 2+ entries
10
11extended: replace httpd.conf, php.ini and proxy.json
12 # cp app/etc/* /tmp/dsmp_etc/
13 # docker run -it -p 8080:80 -p 8443:443 -v /tmp/dsmp_etc/:/app/etc/ --tmpfs /ram dsmp:latest
14
15config syntax: proxy.json:
16looks complicated, but most settings are optional and only mentioned for documentation purposes.
17regex rules allow proxy-defined args to simulate different states and/or users (login, msisdn, kums,..)
18
19{ # <type> <opt><default> <comment>
20 "version": 20190915, # n required minimal proxy version
21 "name": "configs in readme file", # n configset name
22 "api": { # n
23 "path": "/???", # string n /??? exact query string for api calls
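24 "key": "<apikey>" # string y no api key for config api, appended to api.path if set
 # unset = the config api at api.path is reachable without a key
 # the key travels as part of the request URL, so it can end up in access logs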
25 },
26 "socket": { # y
27 "timeout": 30, # int y 30 socket timeout towards backends in seconds
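28 "verify_peer": false # bool y true SSL/TLS verify peer certificate
 # false = backend certificate is not validated: the proxy->backend hop is encrypted but not authenticated
 # the default (true) is the setting to use outside test setups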
29 },
30 "dsmp_error": [ 404, 500], # array(int) y [] set practically any status code
31 "dsmp_redirect": [ 302, 303, 307], # y [] do not pass redirects, but show 200 OK template
32 "transfer_encode": "plain", # y unchanged change transfer encoding of any content
33 # unchanged = original plain/deflate
34 # TODO plain = unpack everything
35 # TODO gzip = gzip deflate
36 # TODO bzip2 = bz2
37 "disable_methods": [ # array(string) y ["TRACE", disable certain HTTP methods
38 "COPY","DELETE","MKCOL","MOVE", # "CONNECT"] (webdav)
39 "OPTIONS" ,"PROPFIND","PROPPATCH",
40 "LOCK","UNLOCK","PATCH",
41 "CHECKOUT","UNCHECKOUT","CHECKIN", # (version control)
42 "UPDATE","LABEL","REPORT","MKWORKSPACE",
43 "MKACTIVITY","MERGE","INVALID",
44 "VERSION_CONTROL","BASELINE_CONTROL"
45 ],
46 "basic_auth" : true, # bool y true allow HTTP Basic auth
47 "output_buffer": 4096, # int y 4096 ob in bytes
48 "load_balance": "failover", # string y round-robin how to handle rules with url[] arrays. methods:
49 # round-robin = cycle requests [1-n]n
50 # failover = try 1 first, next 2, next n
51 # random = shuffle hosts
52 "indicate_ssl": "X-SSL: On", # string|bool y false set backend header if frontend is SSL
53 "rule_header": "X-Proxy-Rule", # string y set backend header containing the matched rulename
54 "login": { # y login/logout feature / SSO reverse proxy.
55 "cookie": "____proxy____", # string n session cookie name. hidden from backend
56 "username": "test", # string y "test" valid username
57 "back": { # y
58 "header": {
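59 "add": [ "X-Session: user=someid" ] # array(string) y [] set header(s) if logged in
 # the backend can only rely on this header if it is reachable solely through the proxy;
 # whether a client-sent header of the same name is dropped first is not stated here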
60 }
61 }
62 },
63 "rules": { # n first match+method wins
64 "example_rule_0": { # n rule name
65 "match": "%^/test/foo/%", # pcre n primary URL match
66 "methods": [ "GET", "HEAD", "POST" ], # array(string) y <any> apply rule only on mentioned methods
67 "local": "/test/foo", # string n path to subtract (no trailing / if you start with /)
68 "xforwardedfor": false, # bool y true be rfc conformant; false = transparent
69 "via": false, # bool|string y false (true|false|"block") like mod_proxy "proxyvia"
70 "require_login": true, # bool y false use login feature. needs $settings->login->cookie
71 "back": { # n
72 "url": [ # mixed n proto(tls)://host:port/f0/f1 - connection string
73 "https://194.232.104.140", # can be a single string or for load-balancing,
74 "https://194.232.104.4", # an array
75 "https://194.232.104.149"],
76 "header": { # y headers towards backend (override "Host" if needed)
77 "add": [ # array(string) y [] raw header lines as array to add
78 "X-SIM-Behind-Proxy: 1",
79 "X-USER-MSISDN: 1"
80 ],
81 "remove": [ "User-Agent" ], # array(string) y [] raw header field names as array to remove
82 "replace": [ "Host: www.orf.at" ], # array(string) y [] headers to replace (only if present)
83 "referer": false # bool y true rewrite referers to look like the original
84 }
85 },
86 "front": { # y
87 "header": { # y headers towards clients
88 "add": [], # array(string) y [] raw header lines as array to add|overwrite
89 "remove": [], # array(string) y [] header field names as array to remove
90 "replace": [ # array(string) y [] headers to replace (only if present)
91 "X-Proxied: 1"
92 ],
93 "location": [ "/" ] # array(string) y [] rewrite Location: to $local/ if it starts with $entry
94 },
95 "cookie" : {
96 "block": [ "X-Tracker" ], # array(string) y [] block cookies by name
97 "path" : true, # bool y true rewrite "Path=" part of cookies
98 "domains" : [ "orf.at" ] # array(string) y [] list of domains to rewrite to $hostname
99 }
100 }
101 },
102
103 "example_rule_1_b": { # example #3 y more specific than example #2 = earlier config
104 "match": "%^/test/foo/.*DEBUGUSER=login%", #
105 "copy": "example_rule_1", # (string) y id of another rule, overwrite backend/frontend if set
106 "back": { # y no need to set backend->url using "copy"
107 "header": { # y
108 "add": [ "X-MSISDN: +4301231234567" ] # y
109 }
110 }
111 },
112
113 "example_rule_1": { # example #2 y more of the same
114 "match": "%^/test/bar/%",
115 "local": "/test/bar",
116 "back": {
117 "url": "https://10.0.0.140:9981/off/set",
118 "header": {
119 "add": ["X-SIM-Behind-Proxy: 1"]
120 }
121 }
122 }
123
124 }
125}
126
127known limitations:
128 * by implementation
129 - reserved paths:
130 - prefix "/===.script" - main controller
131 - prefix "/===.assets/" - assets for proxy websites
132 - POST "/===.login" - sso login post
133 - GET "/===.logout" - sso logout
134 - configurable default "/???" json config admin / api
135 - CONNECT, TRACE methods are generally disabled / unavailable
136 - Connection: Keep-alive has no backend pipelining
137 * by architecture
138 - max. POST and PUT sizes may differ
139 - socket and input timeouts may differ
140
141
142tested NOK:
143 * rule.front.header.replace['Server: foobar']
144 * HTTP Digest Auth
145
146untested:
147 * 204 No Content
148 * 206 partial content
149 * most request methods
150
151EOF