2c98d3246c
* initial webfinger stub Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add webfinger to proxy, return current host Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * some cleanup Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * allow passing multiple rel params Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * introduce interfaces Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * parse oidc auth token Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add templating, drop chain, use map of relation providers Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * fix ocis url yaml Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * fix typos Co-authored-by: Dominik Schmidt <dschmidt@owncloud.com> * switch to userinfo claims Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * readme cleanup Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add TODO.md with ideas Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * replace subject on authenticated request responses Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * Apply suggestions from code review Co-authored-by: Martin <github@diemattels.at> * markdown lint Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * return a 401 when bearer token expired, some more docs Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * Apply suggestions from code review Co-authored-by: Martin <github@diemattels.at> * fix docs Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * clarify env var Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * extract handler func Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use correct service in reflex.conf Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * test relations Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * Update services/webfinger/pkg/config/config.go --------- Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> Co-authored-by: Dominik Schmidt <dschmidt@owncloud.com> Co-authored-by: Martin <github@diemattels.at>
Proxy Service
The proxy service is an API-Gateway for the ownCloud Infinite Scale microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limitting or intrusion prevention are not included in the proxy service and must be setup in front like with an external reverse proxy.
The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers.
Authentication
The following request authentication schemes are implemented:
- Basic Auth (Only use in development, never in production setups!)
- OpenID Connect
- Signed URL
- Public Share Token
Recommendations for Production Deployments
In a production deployment, you want to have basic authentication (PROXY_ENABLE_BASIC_AUTH) disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall.