godoxy/internal/route/provider/all_fields.yaml
yusing 2a3823091d feat(entrypoint): add inbound mTLS profiles for HTTPS
Add root-level inbound_mtls_profiles combining optional system CAs with PEM
CA files, and entrypoint.inbound_mtls_profile to require client certificates
on every HTTPS connection. Route-level inbound_mtls_profile is allowed only
without a global profile; per-handshake TLS picks ClientCAs from SNI, and
requests fail with 421 when Host and SNI would select different mTLS routes.

Compile pools at init (SetInboundMTLSProfiles from state.initEntrypoint) and
reject unknown profile refs or mixed global-plus-route configuration.

Extend config.example.yml and package READMEs; add entrypoint and config
tests for TLS mutation, handshakes, and validation.
2026-04-13 15:14:57 +08:00


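# Route fixture exercising every supported route field.
# NOTE(review): the listing this was restored from had lost all indentation,
# which flattens the document into one level with duplicate keys (`values`,
# `config`, `path`, ...) and is not valid YAML; nesting below is rebuilt from
# the key order — confirm against the route config structs.
example: # matching `example.y.z`
  scheme: http
  host: 10.0.0.254
  port: 80
  bind: 0.0.0.0 # all interfaces; narrow to a specific address where possible
  relay_proxy_protocol_header: false # tcp only, sends PROXY header to upstream
  root: /var/www/example
  spa: true
  index: index.html
  # true skips verification of the upstream certificate; fixture value only —
  # leave false unless the upstream is on a trusted path.
  no_tls_verify: true
  disable_compression: false
  response_header_timeout: 30s
  # optional, only supported when no global entrypoint inbound_mtls_profile is
  # configured; selected by TLS SNI and Host/SNI must resolve to the same route
  inbound_mtls_profile: corp
  ssl_server_name: "" # empty uses target hostname, "off" disables SNI
  ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
  ssl_certificate: /etc/ssl/client.crt # client cert for upstream mTLS
  ssl_certificate_key: /etc/ssl/client.key
  ssl_protocols:
    - tlsv1.2
    - tlsv1.3
  path_patterns: # Check https://pkg.go.dev/net/http#hdr-Patterns-ServeMux for syntax
    - GET / # accept any GET request
    - POST /auth # for /auth and /auth/* accept only POST
    - GET /home/{$} # for exactly /home
  rules:
    - name: default
      do: pass
    - name: block-admin
      on: path /admin
      do: error 403 Forbidden
  rule_file: embed://webui.yml
  healthcheck:
    disabled: false
    use_get: true
    path: /
    interval: 5s
    timeout: 5s
    retries: -1 # -1: immediate fail, 0: use default, >0: retry count
  load_balance:
    link: app # link to another route alias
    mode: roundrobin # roundrobin, leastconn, iphash
    weight: 1
    sticky: false
    sticky_max_age: 1h
    options:
      header: X-Forwarded-For
  middlewares:
    cidr_whitelist:
      allow:
        - 127.0.0.1
        - 10.0.0.0/8
      status_code: 403
      message: IP not allowed
  homepage:
    show: true
    name: Example App
    icon: "@selfhst/adguard-home.png"
    description: An example app
    category: example
  access_log:
    path: /var/log/example.log
    stdout: false
    retention:
      days: 30
    rotate_interval: 24h
    format: combined # common, combined, json
    filters:
      status_codes:
        values:
          - 200-299
          - 101
      method:
        values:
          - GET
      host:
        values:
          - example.y.z
      headers:
        negative: true # log only requests that do NOT carry these headers
        values:
          - foo=bar
          - baz
      cidr:
        values:
          - 192.168.10.0/24
    # per-field logging policy: default applies to every key not listed in config
    fields:
      headers:
        default: drop
        config:
          foo: redact
          authorization: drop
      query:
        default: keep
        config:
          foo: keep
          password: redact
      cookies:
        default: drop
        config:
          session: keep
  idlewatcher:
    idle_timeout: 30m
    wake_timeout: 30s
    stop_timeout: 1m
    stop_method: stop # pause, stop, kill
    stop_signal: SIGTERM
    start_endpoint: /api/wake
    depends_on:
      - other-service
    no_loading_page: false
    docker: # assumed to belong to idlewatcher by key order — TODO confirm
      container_id: abc123
      container_name: example-app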