Security

As a production-ready cloud-native traffic orchestrator, Easegress provides several features for securing the traffic it handles. This page starts from a plain load-balancing reverse proxy and then adds one credential check at a time in front of it.

Basic: Load Balance

name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: proxy
filters:
  - name: proxy
    kind: Proxy
    mainPool:
      servers:
      - url: https://127.0.0.1:9095
      - url: https://127.0.0.1:9096
      - url: https://127.0.0.1:9097
      loadBalance:
        policy: roundRobin

Security: Verify Credential

Header

  • Header validation is the simplest check Easegress offers. The Validator filter inspects the HTTP request headers, matching each configured header against a list of literal values and/or a regular expression.
name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: header-validator
  - filter: proxy
filters:
  - kind: Validator
    name: header-validator
    headers:
      Is-Valid:
        values: ["abc", "goodplan"]
        regexp: "^ok-.+$"
  - name: proxy
    kind: Proxy
  • To make the header-type Validator take effect, place it in the flow before the Proxy filter, as above. A request that fails validation stops at the validator and is never forwarded to the backend.
  • In the example, the Is-Valid header is checked: the request passes if the header value is exactly abc or goodplan, or, failing that, if it matches the regular expression ^ok-.+$. Values are compared literally, so a check like this is an allow-list on a header value rather than real authentication; it is only as strong as the secrecy of the expected value.

For the full YAML, see the Header entry under References below.

JWT

  • JWT validation. JSON Web Tokens are widely used on the modern web. A JSON Web Token (JWT, pronounced /dʒɒt/, like the word "jot") is a proposed Internet standard for creating data with optional signature and/or optional encryption whose payload holds JSON that asserts some number of claims.[1]

Easegress supports three JWT signing algorithms: HS256, HS384, and HS512. All three are HMAC constructions, so the token issuer and Easegress must share the same secret, and anyone who obtains that secret can mint tokens the validator will accept.

name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: jwt-validator
  - filter: proxy
filters:
  - kind: Validator
    name: jwt-validator
    jwt:
      cookieName: auth
      algorithm: HS256
      secret: 6d79736563726574
  - name: proxy
    kind: Proxy

The example above reads the token from the cookie named auth (if cookieName is omitted or the cookie is absent, the Authorization header is used instead) and verifies its HS256 signature with the configured secret. The secret is given hex-encoded: 6d79736563726574 is the ASCII string mysecret, an eight-byte key that is fine for a demo but far too short for production. For the full YAML, see the JWT entry under References below.
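The Go program below is an added example, not Easegress's own code. It shows what the token issuer and the validator each do with the secret above: it hex-decodes 6d79736563726574 to the raw key, mints an HS256 token, places it in the auth cookie the pipeline expects, and then verifies it the way a gateway should: algorithm pinned to the configured HS256 (the token's own alg header is never trusted), constant-time MAC comparison, and an exp check. The claim names and the 127.0.0.1:8080 listener address are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// hexSecret is the validator's "secret" field exactly as it appears in the
// pipeline YAML: hex-encoded key bytes. 6d79736563726574 is ASCII "mysecret",
// an eight-byte key that is far too short for production use.
const hexSecret = "6d79736563726574"

// b64 is the base64url-without-padding alphabet JWT uses for all three segments.
var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWT (header.payload.signature) over claims with
// HMAC-SHA256 keyed by the raw secret bytes; this is what the token issuer does.
func signHS256(secret []byte, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 is the gateway-side check: pin the algorithm to the configured one
// (never let the token's own "alg" choose it), compare the MAC in constant time,
// and reject expired tokens. It returns the claims only when everything passes.
func verifyHS256(secret []byte, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr map[string]string
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr["alg"] != "HS256" {
		return nil, errors.New("algorithm mismatch: expected HS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("bad signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); ok && !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// requestWithAuthCookie shows how a client hands the token to the pipeline:
// in a cookie named "auth", matching the validator's cookieName (address assumed).
func requestWithAuthCookie(token string) *http.Request {
	req, _ := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080/", nil)
	req.AddCookie(&http.Cookie{Name: "auth", Value: token})
	return req
}

func main() {
	secret, err := hex.DecodeString(hexSecret)
	if err != nil {
		panic(err)
	}
	token, _ := signHS256(secret, map[string]any{"sub": "alice", "exp": time.Now().Add(time.Hour).Unix()})
	c, _ := requestWithAuthCookie(token).Cookie("auth")
	claims, err := verifyHS256(secret, c.Value, time.Now())
	fmt.Println("valid token:", claims["sub"], err)
	_, err = verifyHS256([]byte("not-the-secret"), c.Value, time.Now())
	fmt.Println("wrong secret:", err)
}
```

HS384 and HS512 differ only in the hash function (crypto/sha512's New384 and New). The wrong-secret case at the end is the one that matters operationally: a token from an issuer that does not hold this exact key is rejected, so rotating the secret in the pipeline without rotating it at the issuer locks every client out.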

Signature

  • Signature validation implements an Amazon Signature V4[2] compatible check. Once it is enabled, the HTTP client must follow the signature generation process in the AWS V4 documentation and send the resulting headers with every request to Easegress.
name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: signature-validator
  - filter: proxy
filters:
  - kind: Validator
    name: signature-validator
    signature:
      accessKeys:
        AKID: SECRET
  - name: proxy
    kind: Proxy

The example here configures only accessKeys, a map from an access key ID (AKID) to its secret (SECRET), which is enough for Amazon Signature V4 validation. The validator has further configurable fields (for example the string literals used in the credential scope and the header names), and the client must match them exactly; see the Easegress filter doc if needed.[3]

For the full YAML, see the Signature entry under References below.
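The Go program below is an added example (not Easegress code) of the SigV4 process the client must follow and of the check a gateway performs against an accessKeys map like the one above. It uses only the standard library. The region, service, algorithm name and header names are AWS SigV4 defaults assumed for the demo; in a real deployment they must match the literals the Easegress validator is configured with. It signs a POST, verifies it, and then shows that a tampered body, a stale timestamp and an unknown access key ID are all rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// accessKeys mirrors the validator's accessKeys map (access key ID -> secret);
// constructed sample credentials, the same pair the pipeline above uses.
var accessKeys = map[string]string{"AKID": "SECRET"}

// Scope literals as in AWS SigV4, assumed for the demo. Easegress lets the
// validator override such strings, and the client must use whatever it expects.
const algorithm, region, service, dateFmt = "AWS4-HMAC-SHA256", "us-east-1", "execute-api", "20060102T150405Z"

func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }
func hmacSHA256(key, data []byte) []byte { m := hmac.New(sha256.New, key); m.Write(data); return m.Sum(nil) }

// stringToSign builds the SigV4 canonical request (method, path, query, signed
// headers, body hash) and wraps it with algorithm, timestamp and scope.
func stringToSign(req *http.Request, signed []string, body []byte, amzDate, scope string) string {
	var hdrs strings.Builder
	for _, h := range signed {
		v := req.Header.Get(h)
		if h == "host" {
			v = req.Host // Go keeps Host outside req.Header
		}
		hdrs.WriteString(h + ":" + strings.TrimSpace(v) + "\n")
	}
	canonical := strings.Join([]string{req.Method, req.URL.EscapedPath(), req.URL.Query().Encode(),
		hdrs.String(), strings.Join(signed, ";"), sha256Hex(body)}, "\n")
	return strings.Join([]string{algorithm, amzDate, scope, sha256Hex([]byte(canonical))}, "\n")
}

// signingKey derives the date/region/service-scoped key; the long-term secret never keys a request directly.
func signingKey(secret, date string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), []byte(date))
	k = hmacSHA256(k, []byte(region))
	k = hmacSHA256(k, []byte(service))
	return hmacSHA256(k, []byte("aws4_request"))
}

// signRequest is the client side: stamp X-Amz-Date and add the Authorization header.
func signRequest(req *http.Request, body []byte, akid, secret string, t time.Time) {
	amzDate := t.UTC().Format(dateFmt)
	req.Header.Set("X-Amz-Date", amzDate)
	signed := []string{"host", "x-amz-date"} // lower-case and sorted, as SigV4 requires
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	sig := hmacSHA256(signingKey(secret, amzDate[:8]), []byte(stringToSign(req, signed, body, amzDate, scope)))
	req.Header.Set("Authorization", fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		algorithm, akid, scope, strings.Join(signed, ";"), hex.EncodeToString(sig)))
}

// verifyRequest is the gateway side: parse Authorization, look the key ID up, bound
// clock skew (the replay window), recompute the signature over the request as
// actually received, and compare in constant time.
func verifyRequest(req *http.Request, body []byte, now time.Time) error {
	auth := req.Header.Get("Authorization")
	if !strings.HasPrefix(auth, algorithm+" ") {
		return errors.New("unsupported algorithm")
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(strings.TrimPrefix(auth, algorithm+" "), ", ") {
		if i := strings.IndexByte(kv, '='); i > 0 {
			fields[kv[:i]] = kv[i+1:]
		}
	}
	cred := strings.Split(fields["Credential"], "/")
	secret, known := accessKeys[cred[0]]
	if len(cred) != 5 || !known {
		return errors.New("unknown access key or malformed credential")
	}
	amzDate := req.Header.Get("X-Amz-Date")
	t, err := time.Parse(dateFmt, amzDate)
	if d := now.Sub(t); err != nil || d > 5*time.Minute || d < -5*time.Minute {
		return errors.New("X-Amz-Date missing, malformed or outside the allowed skew")
	}
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	if strings.Join(cred[1:], "/") != scope || !strings.Contains(fields["SignedHeaders"], "x-amz-date") {
		return errors.New("credential scope mismatch or timestamp not covered by the signature")
	}
	signed := strings.Split(fields["SignedHeaders"], ";")
	want := hmacSHA256(signingKey(secret, amzDate[:8]), []byte(stringToSign(req, signed, body, amzDate, scope)))
	if !hmac.Equal([]byte(hex.EncodeToString(want)), []byte(fields["Signature"])) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	body := []byte(`{"order":1}`)
	req, _ := http.NewRequest(http.MethodPost, "https://127.0.0.1:8080/api/orders", strings.NewReader(string(body)))
	signRequest(req, body, "AKID", "SECRET", time.Now())
	fmt.Println("genuine:", verifyRequest(req, body, time.Now()), "| tampered body:", verifyRequest(req, []byte(`{"order":2}`), time.Now()))
}
```

The two properties worth noticing are that the body hash is part of what is signed, so a proxy or attacker cannot swap the payload behind a valid header, and that X-Amz-Date is both signed and bounded, which is what turns a captured request into a replay that only works for a few minutes.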

OAuth2

  • OAuth2 validation. OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. This specification and its extensions are being developed within the IETF OAuth Working Group.[4]
name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: oauth-validator
  - filter: proxy
filters:
  - kind: Validator
    name: oauth-validator
    oauth2:
      tokenIntrospect:
        endPoint: https://127.0.0.1:8443/auth/realms/test/protocol/openid-connect/token/introspect
        clientId: easegress
        clientSecret: 42620d18-871d-465f-912a-ebcef17ecb82
        insecureTls: false
  - name: proxy
    kind: Proxy
  • The example above validates tokens by calling the token introspection server given by the endPoint field, authenticating to it with clientId and clientSecret. insecureTls: false keeps TLS certificate verification for that connection enabled; leave it that way outside local testing, since the introspection reply is what decides whether a request is let through. Self-encoded access tokens are also supported, in which case the JWT-related configuration is required instead. Check the Easegress filter doc if needed.[5]

  • For the full YAML, see the OAuth2 entry under References below.
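As an added example (not Easegress code), the Go program below plays both sides of the token introspection exchange (RFC 7662) that the tokenIntrospect block configures: an in-process stand-in for the authorization server behind endPoint, and the gateway-side call that posts the bearer token with clientId / clientSecret and admits the request only if the reply says active: true. The server is plain HTTP from net/http/httptest so that the example runs offline; the issued-token table and the usernames are constructed. Against the real https endpoint, insecureTls: false means the gateway verifies the server's certificate, which is what stops anyone on the path from answering active: true for an arbitrary token.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Constructed client credentials; they match the clientId / clientSecret in the
// pipeline's oauth2.tokenIntrospect block.
const (
	clientID     = "easegress"
	clientSecret = "42620d18-871d-465f-912a-ebcef17ecb82"
)

// introspectionResponse is the RFC 7662 response: "active" is the only required
// member; the others are only meaningful when active is true.
type introspectionResponse struct {
	Active   bool   `json:"active"`
	Scope    string `json:"scope,omitempty"`
	Username string `json:"username,omitempty"`
	Exp      int64  `json:"exp,omitempty"`
}

// fakeAuthServer stands in for the authorization server behind endPoint. It does
// what a real introspection endpoint does: require the caller to authenticate as a
// registered client (HTTP Basic here), require a form-encoded POST with a "token"
// field, and answer {"active":false} for unknown or expired tokens rather than an
// error, so callers cannot probe which tokens exist.
func fakeAuthServer(issued map[string]introspectionResponse) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if r.Method != http.MethodPost || r.ParseForm() != nil {
			w.WriteHeader(http.StatusBadRequest)
			return
		}
		resp, found := issued[r.PostForm.Get("token")]
		if !found || resp.Exp <= time.Now().Unix() {
			resp = introspectionResponse{Active: false}
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	}))
}

// introspect is the gateway side of the exchange: post the bearer token taken from
// the incoming request to endPoint with the client credentials, and accept the
// request only if the server says the token is active.
func introspect(endPoint, token string) (*introspectionResponse, error) {
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, err := http.NewRequest(http.MethodPost, endPoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	var ir introspectionResponse
	if err := json.NewDecoder(resp.Body).Decode(&ir); err != nil {
		return nil, err
	}
	if !ir.Active {
		return &ir, errors.New("token is not active")
	}
	return &ir, nil
}

func main() {
	srv := fakeAuthServer(map[string]introspectionResponse{
		"good-token":    {Active: true, Scope: "read", Username: "alice", Exp: time.Now().Add(time.Hour).Unix()},
		"expired-token": {Active: true, Username: "bob", Exp: time.Now().Add(-time.Hour).Unix()},
	})
	defer srv.Close()
	for _, tok := range []string{"good-token", "expired-token", "never-issued"} {
		ir, err := introspect(srv.URL, tok)
		fmt.Printf("%-14s active=%v err=%v\n", tok, ir != nil && ir.Active, err)
	}
}
```

Two details carry over to production: the gateway authenticates to the introspection endpoint, not just the other way round, so a leaked clientSecret lets an attacker ask the server about arbitrary tokens; and every request costs a network round trip to the authorization server, which is the trade-off against the self-encoded (JWT) mode, where the gateway validates locally but cannot see revocation until the token expires.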

References

Header

name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: header-validator
  - filter: proxy
filters:
  - kind: Validator
    name: header-validator
    headers:
      Is-Valid:
        values: ["abc", "goodplan"]
        regexp: "^ok-.+$"
  - name: proxy
    kind: Proxy
    mainPool:
      servers:
      - url: https://127.0.0.1:9095
      - url: https://127.0.0.1:9096
      - url: https://127.0.0.1:9097
      loadBalance:
        policy: roundRobin

JWT

name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: jwt-validator
  - filter: proxy
filters:
  - kind: Validator
    name: jwt-validator
    jwt:
      cookieName: auth
      algorithm: HS256
      secret: 6d79736563726574
  - name: proxy
    kind: Proxy
    mainPool:
      servers:
      - url: https://127.0.0.1:9095
      - url: https://127.0.0.1:9096
      - url: https://127.0.0.1:9097
      loadBalance:
        policy: roundRobin

Signature

name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: signature-validator
  - filter: proxy
filters:
  - kind: Validator
    name: signature-validator
    signature:
      accessKeys:
        AKID: SECRET
  - name: proxy
    kind: Proxy
    mainPool:
      servers:
      - url: https://127.0.0.1:9095
      - url: https://127.0.0.1:9096
      - url: https://127.0.0.1:9097
      loadBalance:
        policy: roundRobin

OAuth2

name: pipeline-reverse-proxy
kind: HTTPPipeline
flow:
  - filter: oauth-validator
  - filter: proxy
filters:
  - kind: Validator
    name: oauth-validator
    oauth2:
      tokenIntrospect:
        endPoint: https://127.0.0.1:8443/auth/realms/test/protocol/openid-connect/token/introspect
        clientId: easegress
        clientSecret: 42620d18-871d-465f-912a-ebcef17ecb82
        insecureTls: false
  - name: proxy
    kind: Proxy
    mainPool:
      servers:
      - url: https://127.0.0.1:9095
      - url: https://127.0.0.1:9096
      - url: https://127.0.0.1:9097
      loadBalance:
        policy: roundRobin

Concepts

  1. https://en.wikipedia.org/wiki/JSON_Web_Token
  2. https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
  3. https://github.com/megaease/easegress/blob/main/doc/filters.md#signerliteral
  4. https://oauth.net/2/
  5. https://github.com/megaease/easegress/blob/main/doc/filters.md#validatorOAuth2JWT