mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2025-12-31 17:30:29 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
ea8181548aba80a2e55398ca11daef79ef6a44a8
opencloud/services/proxy
History
Florian Schade f38a9f4385 Introduce Policies-Service (#5716) 
* add policies service
add policies proxy middleware
add policies event service
add policies grpc service
prepare ci and git environments (ci, make, readme, doc)

* add webfinger to the drone conf

* fix docs
remove not used virus scan postprocessing step

* relocate example rego file
implicitly enable and disable proxy and postprocessing policy checking by setting the query.
update configuration descriptions

* move policies
update readme

* use converter func to convert pp environment to actual environment
expose and test custom rego functions
add engine unit tests
add opa unit tests
update policies readme

Co-authored-by: Martin <github@diemattels.at>

* relocate sample policies to the deployments folder
change and document policies service port

* update index.md and small fix

* add health command
add version command
add debug server

---------

Co-authored-by: Martin <github@diemattels.at>
2023-03-14 16:08:22 +01:00
..
cmd/proxy
refactor extensions -> services
2022-06-27 14:05:36 +02:00
docker
rename folder extensions -> services
2022-06-27 14:05:36 +02:00
pkg
Introduce Policies-Service (#5716)
2023-03-14 16:08:22 +01:00
.dockerignore
rename folder extensions -> services
2022-06-27 14:05:36 +02:00
Makefile
rename folder extensions -> services
2022-06-27 14:05:36 +02:00
README.md
update quota text
2023-02-23 10:19:07 +01:00

README.md

Proxy Service

The proxy service is an API-Gateway for the ownCloud Infinite Scale microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limitting or intrusion prevention are not included in the proxy service and must be setup in front like with an external reverse proxy.

The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers.

Authentication

The following request authentication schemes are implemented:

  • Basic Auth (Only use in development, never in production setups!)
  • OpenID Connect
  • Signed URL
  • Public Share Token

Automatic Quota Assignments

It is possible to automatically assign a specific quota to new users depending on their role. To do this, you need to configure a mapping between roles defined by their ID and the quota in bytes. The assignment can only be done via a yaml configuration and not via environment variables. See the following proxy.yaml config snippet for a configuration example.

role_quotas:
    <role ID1>: <quota1>
    <role ID2>: <quota2>

Recommendations for Production Deployments

In a production deployment, you want to have basic authentication (PROXY_ENABLE_BASIC_AUTH) disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall.

Reference in New Issue View Git Blame Copy Permalink