mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-11-23 12:31:07 +01:00
docs/vmauth.md: document the case with default url_prefix additionally to url_map
This commit is contained in:
parent
9e0c37be2d
commit
0a8c9c5ee7
@ -57,32 +57,28 @@ func TestRequestHandler(t *testing.T) {
|
||||
// regular url_prefix
|
||||
cfgStr := `
|
||||
unauthorized_user:
|
||||
url_prefix: {BACKEND}/foo?bar=baz
|
||||
`
|
||||
url_prefix: {BACKEND}/foo?bar=baz`
|
||||
requestURL := "http://some-host.com/abc/def?some_arg=some_value"
|
||||
backendHandler := func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected := `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/foo/abc/def?bar=baz&some_arg=some_value
|
||||
`
|
||||
requested_url={BACKEND}/foo/abc/def?bar=baz&some_arg=some_value`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// keep_original_host
|
||||
cfgStr = `
|
||||
unauthorized_user:
|
||||
url_prefix: "{BACKEND}/foo?bar=baz"
|
||||
keep_original_host: true
|
||||
`
|
||||
keep_original_host: true`
|
||||
requestURL = "http://some-host.com/abc/def"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url=http://some-host.com/foo/abc/def?bar=baz
|
||||
`
|
||||
requested_url=http://some-host.com/foo/abc/def?bar=baz`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// override request host
|
||||
@ -90,16 +86,14 @@ requested_url=http://some-host.com/foo/abc/def?bar=baz
|
||||
unauthorized_user:
|
||||
url_prefix: "{BACKEND}/foo?bar=baz"
|
||||
headers:
|
||||
- "Host: other-host:12345"
|
||||
`
|
||||
- "Host: other-host:12345"`
|
||||
requestURL = "http://some-host.com/abc/def"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url=http://other-host:12345/foo/abc/def?bar=baz
|
||||
`
|
||||
requested_url=http://other-host:12345/foo/abc/def?bar=baz`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// /-/reload handler failure
|
||||
@ -109,16 +103,14 @@ requested_url=http://other-host:12345/foo/abc/def?bar=baz
|
||||
}
|
||||
cfgStr = `
|
||||
unauthorized_user:
|
||||
url_prefix: "{BACKEND}/foo"
|
||||
`
|
||||
url_prefix: "{BACKEND}/foo"`
|
||||
requestURL = "http://some-host.com/-/reload"
|
||||
backendHandler = func(_ http.ResponseWriter, _ *http.Request) {
|
||||
panic(fmt.Errorf("backend handler shouldn't be called"))
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=401
|
||||
The provided authKey doesn't match -reloadAuthKey
|
||||
`
|
||||
The provided authKey doesn't match -reloadAuthKey`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
if err := reloadAuthKey.Set(origAuthKey); err != nil {
|
||||
t.Fatalf("unexpected error: %s", err)
|
||||
@ -128,8 +120,7 @@ The provided authKey doesn't match -reloadAuthKey
|
||||
cfgStr = `
|
||||
users:
|
||||
- username: foo
|
||||
url_prefix: "{BACKEND}/bar"
|
||||
`
|
||||
url_prefix: "{BACKEND}/bar"`
|
||||
requestURL = "http://some-host.com/a/b"
|
||||
backendHandler = func(_ http.ResponseWriter, _ *http.Request) {
|
||||
panic(fmt.Errorf("backend handler shouldn't be called"))
|
||||
@ -137,8 +128,7 @@ users:
|
||||
responseExpected = `
|
||||
statusCode=401
|
||||
Www-Authenticate: Basic realm="Restricted"
|
||||
missing 'Authorization' request header
|
||||
`
|
||||
missing 'Authorization' request header`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// incorrect authorization
|
||||
@ -146,16 +136,14 @@ missing 'Authorization' request header
|
||||
users:
|
||||
- username: foo
|
||||
password: secret
|
||||
url_prefix: "{BACKEND}/bar"
|
||||
`
|
||||
url_prefix: "{BACKEND}/bar"`
|
||||
requestURL = "http://foo:invalid-secret@some-host.com/a/b"
|
||||
backendHandler = func(_ http.ResponseWriter, _ *http.Request) {
|
||||
panic(fmt.Errorf("backend handler shouldn't be called"))
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=401
|
||||
Unauthorized
|
||||
`
|
||||
Unauthorized`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// correct authorization
|
||||
@ -163,75 +151,66 @@ Unauthorized
|
||||
users:
|
||||
- username: foo
|
||||
password: secret
|
||||
url_prefix: "{BACKEND}/bar"
|
||||
`
|
||||
url_prefix: "{BACKEND}/bar"`
|
||||
requestURL = "http://foo:secret@some-host.com/a/b"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/bar/a/b
|
||||
`
|
||||
requested_url={BACKEND}/bar/a/b`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// verify how path cleanup works
|
||||
cfgStr = `
|
||||
unauthorized_user:
|
||||
url_prefix: {BACKEND}/foo?bar=baz
|
||||
`
|
||||
url_prefix: {BACKEND}/foo?bar=baz`
|
||||
requestURL = "http://some-host.com/../../a//.///bar/"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/foo/a/bar/?bar=baz
|
||||
`
|
||||
requested_url={BACKEND}/foo/a/bar/?bar=baz`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// verify how path cleanup works for url without path
|
||||
cfgStr = `
|
||||
unauthorized_user:
|
||||
url_prefix: {BACKEND}/foo?bar=baz
|
||||
`
|
||||
url_prefix: {BACKEND}/foo?bar=baz`
|
||||
requestURL = "http://some-host.com/"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/foo?bar=baz
|
||||
`
|
||||
requested_url={BACKEND}/foo?bar=baz`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// verify how path cleanup works for url without path if url_prefix path ends with /
|
||||
cfgStr = `
|
||||
unauthorized_user:
|
||||
url_prefix: {BACKEND}/foo/?bar=baz
|
||||
`
|
||||
url_prefix: {BACKEND}/foo/?bar=baz`
|
||||
requestURL = "http://some-host.com/"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/foo/?bar=baz
|
||||
`
|
||||
requested_url={BACKEND}/foo/?bar=baz`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// verify how path cleanup works for url without path and the url_prefix without path prefix
|
||||
cfgStr = `
|
||||
unauthorized_user:
|
||||
url_prefix: {BACKEND}/?bar=baz
|
||||
`
|
||||
url_prefix: {BACKEND}/?bar=baz`
|
||||
requestURL = "http://some-host.com/"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/?bar=baz
|
||||
`
|
||||
requested_url={BACKEND}/?bar=baz`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// verify routing to default_url
|
||||
@ -240,16 +219,30 @@ unauthorized_user:
|
||||
url_map:
|
||||
- src_paths: ["/foo/.+"]
|
||||
url_prefix: {BACKEND}/x-foo/
|
||||
default_url: {BACKEND}/404.html
|
||||
`
|
||||
default_url: {BACKEND}/404.html`
|
||||
requestURL = "http://some-host.com/abc?de=fg"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/404.html?request_path=http%3A%2F%2Fsome-host.com%2Fabc%3Fde%3Dfg
|
||||
`
|
||||
requested_url={BACKEND}/404.html?request_path=http%3A%2F%2Fsome-host.com%2Fabc%3Fde%3Dfg`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
|
||||
// verify routing to default url_prefix
|
||||
cfgStr = `
|
||||
unauthorized_user:
|
||||
url_map:
|
||||
- src_paths: ["/foo/.+"]
|
||||
url_prefix: {BACKEND}/x-foo/
|
||||
url_prefix: {BACKEND}/default`
|
||||
requestURL = "http://some-host.com/abc?de=fg"
|
||||
backendHandler = func(w http.ResponseWriter, r *http.Request) {
|
||||
fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
|
||||
}
|
||||
responseExpected = `
|
||||
statusCode=200
|
||||
requested_url={BACKEND}/default/abc?de=fg`
|
||||
f(cfgStr, requestURL, backendHandler, responseExpected)
|
||||
}
|
||||
|
||||
|
@ -78,8 +78,7 @@ For example, the following [`-auth.config`](#auth-config) instructs `vmauth` to
|
||||
For example, the request to `http://vmauth:8427/app1/foo/bar?baz=qwe` is proxied to `http://app1-backend/foo/bar?baz=qwe`.
|
||||
- Requests starting with `/app2/` are proxied to `http://app2-backend/`, while the `/app2/` path prefix is dropped according to [`drop_src_path_prefix_parts`](#dropping-request-path-prefix).
|
||||
For example, the request to `http://vmauth:8427/app2/index.html` is proxied to `http://app2-backend/index.html`.
|
||||
- Other requests are proxied to `http://some-backend/404-page.html`, while the requested path is passed via `request_path` query arg.
|
||||
For example, the request to `http://vmauth:8427/foo/bar?baz=qwe` is proxied to `http://some-backend/404-page.html?request_path=%2Ffoo%2Fbar%3Fbaz%3Dqwe`.
|
||||
- Other requests are proxied to `http://default-backed/`.
|
||||
|
||||
```yaml
|
||||
unauthorized_user:
|
||||
@ -92,7 +91,26 @@ unauthorized_user:
|
||||
- "/app2/.*"
|
||||
drop_src_path_prefix_parts: 1
|
||||
url_prefix: "http://app2-backend/"
|
||||
default_url: http://some-backend/404-page.html
|
||||
url_prefix: "http://default-backed/"
|
||||
```
|
||||
|
||||
Sometimes it is needed to proxy all the requests, which do not match `url_map`, to a special `404` page, which could count invalid requests.
|
||||
Use `default_url` for this case. For example, the following [`-auth.config`](#auth-config) instructs `vmauth` sending all the requests,
|
||||
which do not match `url_map`, to the `http://some-backend/404-page.html` page. The requested path is passed via `request_path` query arg.
|
||||
For example, the request to `http://vmauth:8427/foo/bar?baz=qwe` is proxied to `http://some-backend/404-page.html?request_path=%2Ffoo%2Fbar%3Fbaz%3Dqwe`.
|
||||
|
||||
```yaml
|
||||
unauthorized_user:
|
||||
url_map:
|
||||
- src_paths:
|
||||
- "/app1/.*"
|
||||
drop_src_path_prefix_parts: 1
|
||||
url_prefix: "http://app1-backend/"
|
||||
- src_paths:
|
||||
- "/app2/.*"
|
||||
drop_src_path_prefix_parts: 1
|
||||
url_prefix: "http://app2-backend/"
|
||||
default_url: "http://some-backend/404-page.html"
|
||||
```
|
||||
|
||||
See [routing docs](#routing) for details.
|
||||
|
Loading…
Reference in New Issue
Block a user