From 453acf3d6698f42526909bf4d94cf985169c73ec Mon Sep 17 00:00:00 2001 From: David Christofas Date: Wed, 26 Oct 2022 15:22:45 +0200 Subject: [PATCH 1/3] add proxy README --- services/proxy/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 services/proxy/README.md diff --git a/services/proxy/README.md b/services/proxy/README.md new file mode 100644 index 000000000..79d687925 --- /dev/null +++ b/services/proxy/README.md @@ -0,0 +1,18 @@ +# Proxy Service + +The proxy service is an API-Gateway for the ownCloud Infinite Scale microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limitting or intrusion prevention are **not** included in the proxy service and must be setup in front like with an external reverse proxy. + +The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers. + +## Authentication + +The following request authentication schemes are implemented: + +- Basic Auth (Only use in development, **never in production** setups!) +- OpenID Connect +- Signed URL +- Public Share Token + +## Recommendations for production deployments + +In a production deployment, you want to have basic authentication disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall. From 0f2b427f035e4895fefd055447a8fcddc427c103 Mon Sep 17 00:00:00 2001 
From: Martin Date: Thu, 27 Oct 2022 12:11:00 +0200 Subject: [PATCH 2/3] Update services/proxy/README.md --- services/proxy/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/proxy/README.md b/services/proxy/README.md index 79d687925..ef2b7102f 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md @@ -13,6 +13,6 @@ The following request authentication schemes are implemented: - Signed URL - Public Share Token -## Recommendations for production deployments +## Recommendations for Production Deployments In a production deployment, you want to have basic authentication disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall. From 3d5a6c36fc2bf46c5c9dce0735ce0b3811969d11 Mon Sep 17 00:00:00 2001 From: Martin Date: Thu, 27 Oct 2022 12:56:06 +0200 Subject: [PATCH 3/3] Update services/proxy/README.md --- services/proxy/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/proxy/README.md b/services/proxy/README.md index ef2b7102f..6c31a2974 100644 --- a/services/proxy/README.md +++ b/services/proxy/README.md @@ -15,4 +15,4 @@ The following request authentication schemes are implemented: ## Recommendations for Production Deployments -In a production deployment, you want to have basic authentication disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall. +In a production deployment, you want to have basic authentication (`PROXY_ENABLE_BASIC_AUTH`) disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall.
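Review bot: The "Recommendations for production deployments" paragraph in [PATCH 1/3] treats the reverse proxy as optional ("or the reverse proxy if you have one"), while the opening paragraph says rate limiting and intrusion prevention are not included and "must be setup in front". The two statements should agree, for example by having the recommendations say that a production deployment needs a front component providing those protections. The firewall sentence would also be easier to act on if it told the reader how to identify the other services, since the README gives no ports or bind addresses to block. Wording: "limitting" should be "limiting", the verb is "set up" (two places), and "Authentication, logging and other preprocessing of requests also happens" should be "happen".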
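Review bot: The changed line in [PATCH 3/3] names `PROXY_ENABLE_BASIC_AUTH` but does not say which value disables basic authentication, and the "Basic Auth" bullet under Authentication, which carries the "never in production" warning, still does not mention the setting. Suggest stating the value explicitly in this sentence and referencing the variable from that bullet too, so a reader who stops at the list sees how to check it. While touching the line, add a comma before "which is the default state" and change "setup a firewall" to "set up a firewall".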