- dsmp - development service (probably management) platform
- for internal/development/integration use only
- get started:
- # cp app/etc/proxy.json /tmp/dsmp_config/
- # docker build -t dsmp:latest .
- # docker run -it -p 8080:80 -p 8443:443 -v /tmp/dsmp_config/:/config --tmpfs /ram dsmp:latest
- tmpfs is optional and only needed for lb-accounting if rule->url[] contains 2+ entries
- extended: replace httpd.conf, php.ini and proxy.json
- # cp app/etc/* /tmp/dsmp_etc/
- # docker run -it -p 8080:80 -p 8443:443 -v /tmp/dsmp_etc/:/app/etc/ --tmpfs /ram dsmp:latest
- config syntax: proxy.json:
- looks complicated, but most settings are optional and only mentioned for documentation purposes.
- regex rules allow proxy-defined args to simulate different states and/or users (login, msisdn, kums,..)
- { # <type> <opt><default> <comment>
- "version": 20190915, # n required minimal proxy version
- "name": "configs in readme file", # n configset name
- "api": { # n
- "path": "/???", # string n /??? exact query string for api calls
- "key": "<apikey>" # string y no api key for config api, appended to api.path if set
- },
- "socket": { # y
- "timeout": 30, # int y 30 socket timeout towards backends in seconds
- "verify_peer": false # bool y true SSL/TLS verify peer certificate
- },
- "dsmp_error": [ 404, 500], # array(int) y [] set practically any status code
- "dsmp_redirect": [ 302, 303, 307], # y [] do not pass redirects, but show 200 OK template
- "transfer_encode": "plain", # y unchanged change transfer encoding of any content
- # unchanged = original plain/deflate
- # TODO plain = unpack everything
- # TODO gzip = gzip deflate
- # TODO bzip2 = bz2
- "disable_methods": [ # array(string) y ["TRACE", disable certain HTTP methods
- "COPY","DELETE","MKCOL","MOVE", # "CONNECT"] (webdav)
- "OPTIONS" ,"PROPFIND","PROPPATCH",
- "LOCK","UNLOCK","PATCH",
- "CHECKOUT","UNCHECKOUT","CHECKIN", # (version control)
- "UPDATE","LABEL","REPORT","MKWORKSPACE",
- "MKACTIVITY","MERGE","INVALID",
- "VERSION_CONTROL","BASELINE_CONTROL"
- ],
- "basic_auth" : true, # bool y true allow HTTP Basic auth
- "output_buffer": 4096, # int y 4096 ob in bytes
- "load_balance": "failover", # string y round-robin how to handle rules with url[] arrays. methods:
- # round-robin = cycle requests [1-n]n
- # failover = try 1 first, next 2, next n
- # random = shuffle hosts
- "indicate_ssl": "X-SSL: On", # string|bool y false set backend header if frontend is SSL
- "rule_header": "X-Proxy-Rule", # string y set backend header containing the matched rulename
- "login": { # y login/logout feature / SSO reverse proxy.
- "cookie": "____proxy____", # string n session cookie name. hidden from backend
- "username": "test", # string y "test" valid username
- "back": { # y
- "header": {
- "add": [ "X-Session: user=someid" ] # array(string) y [] set header(s) if logged in
- }
- }
- },
- "rules": { # n first match+method wins
- "example_rule_0": { # n rule name
- "match": "%^/test/foo/%", # pcre n primary URL match
- "methods": [ "GET", "HEAD", "POST" ], # array(string) y <any> apply rule only on mentioned methods
- "local": "/test/foo", # string n path to subtract (no trailing / if you start with /)
- "xforwardedfor": false, # bool y true be rfc conformant; false = transparent
- "via": false, # bool|string y false (true|false|"block") like mod_proxy "proxyvia"
- "require_login": true, # bool y false use login feature. needs $settings->login->cookie
- "back": { # n
- "url": [ # mixed n proto(tls)://host:port/f0/f1 - connection string
- "https://194.232.104.140", # can be a single string or for load-balancing,
- "https://194.232.104.4", # an array
- "https://194.232.104.149"],
- "header": { # y headers towards backend (override "Host" if needed)
- "add": [ # array(string) y [] raw header lines as array to add
- "X-SIM-Behind-Proxy: 1",
- "X-USER-MSISDN: 1"
- ],
- "remove": [ "User-Agent" ], # array(string) y [] raw header field names as array to remove
- "replace": [ "Host: www.orf.at" ], # array(string) y [] headers to replace (only if present)
- "referer": false # bool y true rewrite referers to look like the original
- }
- },
- "front": { # y
- "header": { # y headers towards clients
- "add": [], # array(string) y [] raw header lines as array to add|overwrite
- "remove": [], # array(string) y [] header field names as array to remove
- "replace": [ # array(string) y [] headers to replace (only if present)
- "X-Proxied: 1"
- ],
- "location": [ "/" ] # array(string) y [] rewrite Location: to $local/ if it starts with $entry
- },
- "cookie" : {
- "block": [ "X-Tracker" ], # array(string) y [] block cookies by name
- "path" : true, # bool y true rewrite "Path=" part of cookies
- "domains" : [ "orf.at" ] # array(string) y [] list of domains to rewrite to $hostname
- }
- }
- },
- "example_rule_1_b": { # example #3 y more specific than example #2 = earlier config
- "match": "%^/test/foo/.*DEBUGUSER=login%", #
- "copy": "example_rule_1", # (string) y id of another rule, overwrite backend/frontend if set
- "back": { # y no need to set backend->url using "copy"
- "header": { # y
- "add": [ "X-MSISDN: +4301231234567" ] # y
- }
- }
- },
- "example_rule_1": { # example #2 y more of the same
- "match": "%^/test/bar/%",
- "local": "/test/bar",
- "back": {
- "url": "https://10.0.0.140:9981/off/set",
- "header": {
- "add": ["X-SIM-Behind-Proxy: 1"]
- }
- }
- }
- }
- }
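A small linter for the config above, as an added example (not part of the original README or the dsmp code base): it flags `verify_peer: false` and replays sample requests against the rules in file order to show which rule wins under "first match+method wins". It assumes rules are evaluated in config order, that `match` is applied to the request URI including the query string, and that the PCRE delimiters can simply be stripped; `pcre_to_re`, `first_match`, `audit` and the probe URIs are hypothetical names and constructed inputs.

```python
import re

# Constructed sample: a comment-free subset of the README's proxy.json, same rule order.
CONFIG = {
    "socket": {"timeout": 30, "verify_peer": False},
    "rules": {
        "example_rule_0": {"match": "%^/test/foo/%",
                           "methods": ["GET", "HEAD", "POST"],
                           "require_login": True},
        "example_rule_1_b": {"match": "%^/test/foo/.*DEBUGUSER=login%",
                             "copy": "example_rule_1"},
        "example_rule_1": {"match": "%^/test/bar/%"},
    },
}

def pcre_to_re(pattern):
    """Strip PCRE delimiters (assumed: same first/last char, no trailing modifiers)."""
    if len(pattern) < 2 or pattern[0] != pattern[-1]:
        raise ValueError("unsupported pattern: " + pattern)
    return re.compile(pattern[1:-1])

def first_match(config, method, uri):
    """Name of the rule that wins under 'first match+method wins', or None."""
    for name, rule in config["rules"].items():
        methods = rule.get("methods")  # absent means the rule applies to any method
        if methods and method not in methods:
            continue
        if pcre_to_re(rule["match"]).search(uri):
            return name
    return None

def audit(config, probes):
    """probes: list of (method, uri, rule the operator expects to win)."""
    findings = []
    # The documented default is true; an explicit false disables backend cert checks.
    if config.get("socket", {}).get("verify_peer", True) is False:
        findings.append("socket.verify_peer is false: backend certificates are not verified")
    for method, uri, expected in probes:
        winner = first_match(config, method, uri)
        if winner != expected:
            findings.append(f"{method} {uri}: expected {expected}, matched {winner}")
    return findings

# Constructed probes: requests paired with the rule the operator intends to hit.
PROBES = [("GET", "/test/foo/index?DEBUGUSER=login", "example_rule_1_b"),
          ("PUT", "/test/foo/index?DEBUGUSER=login", "example_rule_1_b"),
          ("GET", "/test/bar/x", "example_rule_1")]

if __name__ == "__main__":
    for line in audit(CONFIG, PROBES):
        print(line)
```

With the README's rule order, the GET probe carrying `DEBUGUSER=login` lands on `example_rule_0`, so the more specific rule has to be listed before the general one to take effect.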
- known limitations:
- * by implementation
- - reserved paths:
- - prefix "/===.script" - main controller
- - prefix "/===.assets/" - assets for proxy websites
- - POST "/===.login" - sso login post
- - GET "/===.logout" - sso logout
- - configurable default "/???" json config admin / api
- - CONNECT, TRACE methods are generally disabled / unavailable
- - Connection: Keep-alive has no backend pipelining
- * by architecture
- - max. POST and PUT sizes may differ
- - socket and input timeouts may differ
- tested NOK:
- * rule.front.header.replace['Server: foobar']
- * HTTP Digest Auth
- untested:
- * 204 No Content
- * 206 partial content
- * most request methods
- EOF