godoxy/internal/route/provider/all_fields.yaml
Yuzerion 31eea0a885 feat(entrypoint): add inbound mTLS profiles for HTTPS (#220)
Introduce reusable `inbound_mtls_profiles` in root config and support
`entrypoint.inbound_mtls_profile` to require client certificates for all
HTTPS traffic on an entrypoint. Profiles can trust the system CA store,
custom PEM CA files, or both, and are compiled into TLS client-auth
pools during entrypoint initialization.

Also add route-scoped `inbound_mtls_profile` support for HTTP-based
routes when no global entrypoint profile is configured. Route-level mTLS
selection is driven by TLS SNI, preserves existing behavior for open and
unmatched hosts, and returns the intended 421 response when secure
requests omit SNI or when Host and SNI resolve to different routes.

Add validation for missing profile references and unsupported non-HTTP
route usage, update config and route documentation/examples, expand
inbound mTLS handshake and routing regression coverage, and bump
`goutils` for HTTPS listener test support.
2026-04-15 12:14:22 +08:00


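# Reference route definition listing every supported field for an HTTP route.
# Nesting restored: the rendered view had flattened all indentation, which
# changes the meaning of every mapping below `example`.
example: # matching `example.y.z`
  scheme: http
  host: 10.0.0.254
  port: 80
  bind: 0.0.0.0
  relay_proxy_protocol_header: false # tcp only, sends PROXY header to upstream
  root: /var/www/example
  spa: true
  index: index.html
  no_tls_verify: true # disables certificate verification of the upstream; leave false unless the upstream cannot present a trusted certificate
  disable_compression: false
  response_header_timeout: 30s
  inbound_mtls_profile: corp # optional, only supported when no global entrypoint inbound_mtls_profile is configured; selected by TLS SNI and Host/SNI must resolve to the same route
  # TLS settings for the connection to the upstream target
  ssl_server_name: "" # empty uses target hostname, "off" disables SNI
  ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
  ssl_certificate: /etc/ssl/client.crt
  ssl_certificate_key: /etc/ssl/client.key
  ssl_protocols:
    - tlsv1.2
    - tlsv1.3
  path_patterns: # Check https://pkg.go.dev/net/http#hdr-Patterns-ServeMux for syntax
    - GET / # accept any GET request
    - POST /auth # for /auth and /auth/* accept only POST
    - GET /home/{$} # for exactly /home
  rules:
    - name: default
      do: pass
    - name: block-admin
      on: path /admin
      do: error 403 Forbidden
  rule_file: embed://webui.yml
  healthcheck:
    disabled: false
    use_get: true
    path: /
    interval: 5s
    timeout: 5s
    retries: -1 # -1: immediate fail, 0: use default, >0: retry count
  load_balance:
    link: app # link to another route alias
    mode: roundrobin # roundrobin, leastconn, iphash
    weight: 1
    sticky: false
    sticky_max_age: 1h
    options:
      header: X-Forwarded-For
  middlewares:
    cidr_whitelist:
      allow:
        - 127.0.0.1
        - 10.0.0.0/8
      status_code: 403
      message: IP not allowed
  homepage:
    show: true
    name: Example App
    icon: "@selfhst/adguard-home.png"
    description: An example app
    category: example
  access_log:
    path: /var/log/example.log
    stdout: false
    retention:
      days: 30
    rotate_interval: 24h
    format: combined # common, combined, json
    filters:
      status_codes:
        values:
          - 200-299
          - 101
      method:
        values:
          - GET
      host:
        values:
          - example.y.z
      headers:
        negative: true
        values:
          - foo=bar
          - baz
      cidr:
        values:
          - 192.168.10.0/24
    # Per-field logging policy: credentials and session material are dropped or
    # redacted so they never land in the log file.
    fields:
      headers:
        default: drop
        config:
          foo: redact
          authorization: drop
      query:
        default: keep
        config:
          foo: keep
          password: redact
      cookies:
        default: drop
        config:
          session: keep
  idlewatcher:
    idle_timeout: 30m
    wake_timeout: 30s
    stop_timeout: 1m
    stop_method: stop # pause, stop, kill
    stop_signal: SIGTERM
    start_endpoint: /api/wake
    depends_on:
      - other-service
    no_loading_page: false
  docker:
    container_id: abc123
    container_name: example-app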