Skip to main content

Forward and reverse proxy using apache or nginx

Project description

Table of contents

  1. Intro
  2. Dependencies
  3. Running forevd
    1. Config Files
    2. Mutual TLS

Intro

forevd is a forward and reverse proxy that helps deliver authentication and, optionally, authorization as a sidecar.

This project was created to help eliminate any need to add authentication into your application code.

Dependencies

At the moment, forevd, runs using Apache, so you will need to have httpd or docker image of it available at runtime.

  • Apache
  • nginx (TBD)

Running forevd

The following proivides some details on how to run forevd. The way the options work are that anything provided immediately on the CLI, are "global" defaults; if you then provide config (optionally files), via the --locations, --ldap or --oidc options, then those will override the CLI options, of, e.g. --backend and --location

Config Files

You can optionally provide config files for more complicated setups; this section provides soem examples, which can be found in the etc directory.

The config files use Jinja2 templating via environment variables, so, instead of putting values in directly, you can use the form {{ ENV_VAR_NAME }} to have the environment varibale injected at runtime.

The following command line options support files: --locations, --ldap or --oidc, via the @ symbol, similar to curl's command line option --data, for example, --oidc @etc/oidc.yaml

Locations Config

This config allows you to provide much more control over each "location" or "endpoint" to your reverse proxy. For example, using different backends for different URLs or adding authorization. The format of the file is a dictionary of locations, or endpoints, and their correspondign data.

Example

The following adds LDAP group and static user authorization to /

- path: /
  authz:
    join_type: "any"
    ldap:
      url: "ldaps://127.0.0.1/DC=foo,DC=example,DC=com"
      bind-dn: "foo"
      bind-pw: "{{ LDAP_BINDID_PASSWORD }}"
      groups:
        - "CN=foobar,OU=groups,DC=example,DC=com"
    users:
      - erick.bourgeois

Let's break this down a bit:

  • the high level keys are endpoints
  • the next level is authorization config
  • the join_type key word tells forevd how to "combine" or join the two different authorizations, values are:
    • any: if any of the authorization types match, allow connection through
    • all: all of the authorization types must match to allow connection through

OIDC Config

This is useful for adding any other global OIDC config; there are required fields for the auth to work, e.g. ClientID and ClientSecret.

Example

ProviderMetadataUrl: "https://{{ OIDC_PROVIDER_NAME }}.us.auth0.com/.well-known/openid-configuration"
RedirectURI: "https://erick-pro.jeb.ca:8080/secure/redirect_uri"
ClientId: "{{ OIDC_CLIENT_ID }}"
ClientSecret: "{{ OIDC_CLIENT_SECRET }}"
Scope: '"openid profile"'
PKCEMethod: S256
RemoteUserClaim: nickname

LDAP Config

This is used for global LDAP config, e.g. setting cache information for mod_ldap. Note: The LDAP prefix is stripped, as it's redundant and it's added as part of the config generation.

Example

SharedCacheSize: 500000
CacheEntries: 1024
CacheTTL: 600
OpCacheEntries: 1024
OpCacheTTL: 600

Mutual TLS

The following command provides termination of mTLS on / and passes connections to a backend at http://0.0.0.0:8080

forevd --debug --listen 0.0.0.0:8080 \
    --ca-cert $PWD/../certs/ca/ca-cert.pem
    --cert $PWD/../certs/server.crt
    --cert-key $PWD/../certs/server.key
    --backend http://localhost:8081
    --location /
    --mtls require
    --server-name example.com
    --var-dir /var/tmp/apache

Authorization

To add authorization, it's recommended you use a config file for the --locations command line.

There is currently support for LDAP group lookup and static user names.

See Locations Example for more detail.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

forevd-0.1.8.tar.gz (12.8 kB view details)

Uploaded Source

Built Distribution

forevd-0.1.8-py3-none-any.whl (13.1 kB view details)

Uploaded Python 3

File details

Details for the file forevd-0.1.8.tar.gz.

File metadata

  • Download URL: forevd-0.1.8.tar.gz
  • Upload date:
  • Size: 12.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.17

File hashes

Hashes for forevd-0.1.8.tar.gz
Algorithm Hash digest
SHA256 6c2171c87c9fc81b38fb0bf6e906db83b48015eb884ae8a08bc5b35697558e4b
MD5 2a3fccb996476d65a0d98b65a744371e
BLAKE2b-256 8d797e882108ff9285d87837f9932a55406b1a826eb1f113ee1a0447a969cc16

See more details on using hashes here.

File details

Details for the file forevd-0.1.8-py3-none-any.whl.

File metadata

  • Download URL: forevd-0.1.8-py3-none-any.whl
  • Upload date:
  • Size: 13.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.9.17

File hashes

Hashes for forevd-0.1.8-py3-none-any.whl
Algorithm Hash digest
SHA256 d2f1aed792e6a3f156f200a7284c38c8aca0570477af7929264ed7c0db2bfc90
MD5 6a846f120c8dd5e0a5cc3b155b418ccf
BLAKE2b-256 3610ae8a980af0e29a50b6a3440e774c54197d296d93bb8352af3d93ff6aba0d

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page