aproxy is a reverse proxy with built-in authentication. It is designed to protect the resources you want to expose, allowing access only to people you have granted permission.
Screenshots (images not included here): Backend config, Role List, Authority config.
Build from source:

```sh
cd $GOPATH/src
git clone https://github.com/shunfei/aproxy.git
cd aproxy
sh ./install.sh
```
Alternatively, go to the releases page and download the tar file:

```sh
tar xzvf aproxy-v0.1-xxxx-xxx-xx.tar.gz
cd aproxy-v0.1-xxxx-xxx-xx
cp conf/aproxy.toml.example conf/aproxy.toml
```
Before running, you need to set up MongoDB and Redis (MongoDB for config storage, Redis for session storage), and change the config in conf/aproxy.toml.

```sh
./bin/aproxy -c conf/aproxy.toml
```
At this point there are no users in the database, so add one:

```sh
./bin/adduser -c conf/aproxy.toml -action adduser -email [email protected] -pwd passwordxxx
```
The user added above does not have admin permission, so set it to admin:

```sh
./bin/adduser -c conf/aproxy.toml -action setadmin -email [email protected] -adminlevel 99
```

Now you can visit http://127.0.0.1:8098/-_-aproxy-_-/ and configure your aproxy.
conf/aproxy.toml
Assuming that all the resources requiring authorization are subdomains of pri.domain.com, the nginx server configuration in front of aproxy should look like:

```nginx
server {
    listen 80;
    server_name pri.domain.com *.pri.domain.com;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # pass to aproxy
        proxy_pass http://127.0.0.1:8098;
    }
}
```
Then set a wildcard DNS record for *.pri.domain.com pointing to this nginx server.

Assume that we have the following domains:
- pri.domain.com
- hadoop.pri.domain.com
- druid.pri.domain.com
- aerospike.pri.domain.com
Then we can set the login domain to pri.domain.com, so that the subdomains of pri.domain.com (for example hadoop.pri.domain.com) receive the session cookie after login. To do this, change conf/aproxy.toml to set the domain:

```toml
loginHost = "http://pri.domain.com"
[session]
domain = "pri.domain.com"
```
Aproxy's authorization is based on email, so if your company's account system has an email field, it can be integrated. To integrate with aproxy, you only need to implement the aproxy/module/auth/UserStorager interface:

```go
type UserStorager interface {
	Login(email, pwd string) (*User, error)
	GetByEmail(email string) (*User, error)
	GetAll() ([]User, error)
	// Insert adds a new user.
	// The user.Pwd field has already been encrypted.
	Insert(user User) error
	Update(id string, user User) error
}
```

If you don't need to manage users in aproxy, you can implement only the Login(email, pwd string) (*User, error) method.
After implementing the aproxy/module/auth/UserStorager interface, change the code in aproxy/bin/main.go:

```go
// file: aproxy/bin/main.go
// delete this line:
//auth.SetUserStorageToMongo()
// add this line to register your own UserStorager with aproxy:
auth.SetUserStorage(&yourUserStorage{})
```
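As an added example (not part of the aproxy project), here is a Login-only UserStorager of the kind described above, for the case where users are managed in an external account system. The `User` type, the `HashPassword` scheme and the in-memory `Hashes` table are assumptions for a stand-alone build; the interface is restated from the README, and a value of this type is what you would pass to `auth.SetUserStorage`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// User stands in for aproxy's auth.User (assumption: only Email is modelled here).
type User struct{ Email string }

// UserStorager restates the interface from the README so this file builds on its own.
type UserStorager interface {
	Login(email, pwd string) (*User, error)
	GetByEmail(email string) (*User, error)
	GetAll() ([]User, error)
	Insert(user User) error
	Update(id string, user User) error
}

var ErrLoginFailed = errors.New("invalid email or password")
var ErrNotSupported = errors.New("users are managed outside aproxy")

// HashPassword is a constructed salted SHA-256 stand-in for the hash your account
// system stores; a production system should use a slow, per-user-salted password hash.
func HashPassword(pwd string) [32]byte {
	return sha256.Sum256([]byte("constructed-salt:" + pwd))
}

// DirectoryUserStorage is a Login-only UserStorager over an external account table,
// modelled here as an in-memory map of email -> password hash (constructed).
type DirectoryUserStorage struct{ Hashes map[string][32]byte }
var _ UserStorager = (*DirectoryUserStorage)(nil) // compile-time interface check

// Login hashes before the lookup and always runs the constant-time compare, so an
// unknown email and a wrong password take the same path and return the same error.
func (d *DirectoryUserStorage) Login(email, pwd string) (*User, error) {
	candidate := HashPassword(pwd)
	stored, ok := d.Hashes[email] // zero array when the email is unknown
	match := subtle.ConstantTimeCompare(stored[:], candidate[:]) == 1
	if !ok || !match {
		return nil, ErrLoginFailed
	}
	return &User{Email: email}, nil
}

// The remaining methods are not needed when users are managed elsewhere.
func (d *DirectoryUserStorage) GetByEmail(string) (*User, error) { return nil, ErrNotSupported }
func (d *DirectoryUserStorage) GetAll() ([]User, error)          { return nil, ErrNotSupported }
func (d *DirectoryUserStorage) Insert(User) error                { return ErrNotSupported }
func (d *DirectoryUserStorage) Update(string, User) error        { return ErrNotSupported }
```

Returning a single generic error for both unknown email and wrong password keeps the login endpoint from revealing which emails exist.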