Skip to main content

Forward and reverse proxy using apache or nginx

Project description

Table of contents

  1. Intro
  2. Dependencies
  3. Running forevd
  4. Config Files
    1. OIDC Config
    2. LDAP
  5. Mutual TLS
  6. Authorization

Intro

forevd is a forward and reverse proxy that helps deliver authentication and, optionally, authorization as a sidecar.

This project was created to help eliminate any need to add authentication into your application code.

Dependencies

At the moment, forevd, runs using Apache, so you will need to have httpd or docker image of it available at runtime.

  • Apache
  • nginx (TBD)

Running forevd

The following proivides some details on how to run forevd. The way the options work is that anything provided immediately on the CLI, are "global" defaults; if you then provide config (optionally files), via the --locations, --ldap or --oidc options, then those will override the CLI options, of, e.g. --backend and --location.

Config Files

You can optionally provide config files for more complicated setups; this section provides soem examples, which can be found in the etc directory.

The config files use Jinja2 templating via environment variables, so, instead of putting values in directly, you can use the form {{ ENV_VAR_NAME }} to have the environment varibale injected at runtime.

The following command line options support files: --locations, --ldap or --oidc, via the @ symbol, similar to curl's command line option --data, for example, --oidc @etc/oidc.yaml

Locations Config

This config allows you to provide much more control over each "location" or "endpoint" to your reverse proxy. For example, using different backends for different URLs or adding authorization. The format of the file is a dictionary of locations, or endpoints, and their correspondign data.

Keys

There are 5 key config options for each location:

  1. path: the path, location or endpoint of what to protect or unprotect
  2. match: whether the path value is a regex or match
  3. authc: this is the authentication (aka authc) key, representing what authc to enable; this is dictionary with keys being either mtls or oidc.
  4. authz: this is the authorization (aka authz) key, representing what authz to enable; this is dictionary with keys, see below example and details at the Authorization section.

Note: remember that global authentication options --oidc and mtls, so if you want to set OIDC across all endpoints, except, say, /api, you would need to disable it explicitly with:

- path: /api
  authc:
    oidc: false

Example

The following adds LDAP group and static user authorization to /

- path: /
  authz:
    join_type: "any"
    ldap:
      url: "ldaps://127.0.0.1/DC=foo,DC=example,DC=com"
      bind-dn: "foo"
      bind-pw: "{{ LDAP_BINDID_PASSWORD }}"
      groups:
        - "CN=foobar,OU=groups,DC=example,DC=com"
    users:
      - erick.bourgeois

Let's break this down a bit:

  • the high level keys are endpoints
  • the next level is authorization config
  • the join_type key word tells forevd how to "combine" or join the two different authorizations, values are:
    • any: if any of the authorization types match, allow connection through
    • all: all of the authorization types must match to allow connection through

OIDC Config

This is useful for adding any other global OIDC config; there are required fields for the auth to work, e.g. ClientID and ClientSecret.

Example

ProviderMetadataUrl: "https://{{ OIDC_PROVIDER_NAME }}.us.auth0.com/.well-known/openid-configuration"
RedirectURI: "https://erick-pro.jeb.ca:8080/secure/redirect_uri"
ClientId: "{{ OIDC_CLIENT_ID }}"
ClientSecret: "{{ OIDC_CLIENT_SECRET }}"
Scope: '"openid profile"'
PKCEMethod: S256
RemoteUserClaim: nickname

LDAP Config

This is used for global LDAP config, e.g. setting cache information for mod_ldap. Note: The LDAP prefix is stripped, as it's redundant and it's added as part of the config generation.

Example

SharedCacheSize: 500000
CacheEntries: 1024
CacheTTL: 600
OpCacheEntries: 1024
OpCacheTTL: 600

Mutual TLS

The following command provides termination of mTLS on / and passes connections to a backend at http://0.0.0.0:8080

forevd --debug --listen 0.0.0.0:8080 \
    --ca-cert $PWD/../certs/ca/ca-cert.pem
    --cert $PWD/../certs/server.crt
    --cert-key $PWD/../certs/server.key
    --backend http://localhost:8081
    --location /
    --mtls require
    --server-name example.com
    --var-dir /var/tmp/apache

Authorization

To add authorization, it's recommended you use a config file for the --locations command line.

There is currently support for LDAP group lookups, static user names, or allow all valid users. Here are the keys supported:

  1. allow_all: this key let's forevd know to allow all valid users through
  2. join_type: this is the "join" type between all authorizations setup
  • any: if any of the authorization types match, allow connection through
  • all: all of the authorization types must match to allow connection through
  1. ldap: this is the LDAP configuration for group lookups, keys are:
    • url: LDAP URL, e.g. ldaps://127.0.0.1/DC=foo,DC=example,DC=com
    • bind-dn: the DN for bind operation
    • bind-pw: the password for bind operation
    • groups: a list of groups DNs
  2. users: a list of user names to verify against

See Locations Example for more detail.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

forevd-0.3.3.tar.gz (11.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

forevd-0.3.3-py3-none-any.whl (14.0 kB view details)

Uploaded Python 3

File details

Details for the file forevd-0.3.3.tar.gz.

File metadata

  • Download URL: forevd-0.3.3.tar.gz
  • Upload date:
  • Size: 11.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.25

File hashes

Hashes for forevd-0.3.3.tar.gz
Algorithm Hash digest
SHA256 0e974fd1ce116cb4368587b2dffd56d787c01929eaddef66136f27ff1253de91
MD5 81459bbccfaa2fd4de215bfa7a3f8f0c
BLAKE2b-256 ddfd36da0639a4bd687fa4865a9b85e1620e262cb48a43dc54a07c7f2cd884c0

See more details on using hashes here.

File details

Details for the file forevd-0.3.3-py3-none-any.whl.

File metadata

  • Download URL: forevd-0.3.3-py3-none-any.whl
  • Upload date:
  • Size: 14.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.25

File hashes

Hashes for forevd-0.3.3-py3-none-any.whl
Algorithm Hash digest
SHA256 9146609c7c1041c12e25d044785346c385da26434e62d31fe015338f01dbca09
MD5 ae37dbad70ed658491da141b5ab9a783
BLAKE2b-256 1956bfd1b252d0936b8a626186e97b8ade9168a2d43619d7850cc0bc19024aa9

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page