Fixes #283

vfarcic · vfarcic · commit 42c130da13f7 · 2017-07-08T23:53:24.000+02:00
diff --git a/Dockerfile.test b/Dockerfile.test
@@ -12,5 +12,6 @@ RUN apt-get update && \
 COPY . /src
 WORKDIR /src
 RUN chmod +x /src/run-tests.sh
+RUN go get -d -v -t
 
 CMD ["sh", "-c", "/src/run-tests.sh"]
diff --git a/actions/reconfigure_test.go b/actions/reconfigure_test.go
@@ -264,6 +264,25 @@ backend https-myService-be1234
 	s.Equal(expected, actual)
 }
 
+func (s ReconfigureTestSuite) Test_GetTemplates_AddsHttpDeny() {
+	s.reconfigure.Mode = "service"
+	s.reconfigure.Service.HttpsPort = 4321
+	s.reconfigure.Service.ServiceDest[0].Port = "1234"
+	s.reconfigure.Service.ServiceDest[0].DenyHttp = true
+	expected := `
+backend myService-be1234
+    mode http
+    http-request deny if !{ ssl_fc }
+    server myService myService:1234
+backend https-myService-be1234
+    mode http
+    server myService myService:4321`
+
+	_, actual, _ := s.reconfigure.GetTemplates()
+
+	s.Equal(expected, actual)
+}
+
 func (s ReconfigureTestSuite) Test_GetTemplates_AddsLoggin_WhenDebug() {
 	debugOrig := os.Getenv("DEBUG")
 	defer func() { os.Setenv("DEBUG", debugOrig) }()
diff --git a/docs/blocking.md b/docs/blocking.md
@@ -0,0 +1,169 @@
+# Blocking Requests
+
+This article provides examples that can be used as a starting point when configuring the proxy to block requests based on their method type or protocol.
+
+## Requirements
+
+The examples that follow assume that you are using Docker v1.13+, Docker Compose v1.10+, and Docker Machine v0.9+.
+
+!!! info
+	If you are a Windows user, please run all the examples from *Git Bash* (installed through *Docker Toolbox*). Also, make sure that your Git client is configured to check out the code *AS-IS*. Otherwise, Windows might change carriage returns to the Windows format.
+
+Please note that *Docker Flow Proxy* is not limited to *Docker Machine*. We're using it as an easy way to create a cluster.
+
+## Swarm Cluster Setup
+
+To setup an example Swarm cluster using Docker Machine, please run the commands that follow.
+
+!!! tip
+	Feel free to skip this section if you already have a working Swarm cluster.
+
+```bash
+curl -o swarm-cluster.sh \
+    https://raw.githubusercontent.com/\
+vfarcic/docker-flow-proxy/master/scripts/swarm-cluster.sh
+
+chmod +x swarm-cluster.sh
+
+./swarm-cluster.sh
+
+eval $(docker-machine env node-1)
+```
+
+Now we're ready to deploy the services that form the proxy stack and the demo services.
+
+```bash
+docker network create --driver overlay proxy
+
+curl -o docker-compose-stack.yml \
+    https://raw.githubusercontent.com/\
+vfarcic/docker-flow-proxy/master/docker-compose-stack.yml
+
+docker stack deploy -c docker-compose-stack.yml proxy
+
+curl -o docker-compose-go-demo.yml \
+    https://raw.githubusercontent.com/\
+vfarcic/go-demo/master/docker-compose-stack.yml
+
+docker stack deploy -c docker-compose-go-demo.yml go-demo
+```
+
+Please consult [Using Docker Stack To Run Docker Flow Proxy In Swarm Mode](/swarm-mode-stack/) for a more detailed set of examples of deployment with Docker stack.
+
+We should wait until all the services are running before proceeding towards the examples that will block requests.
+
+```bash
+docker service ls
+```
+
+Now we are ready to explore way to block access requests.
+
+## Blocking Requests Based on Request Type
+
+In some cases, we want to deny certain types of methods to requests sent through the proxy. A common use case would be a service that can accept `DELETE` request which should be performed only by other services connected to it through internal networking.
+
+We can block requests by specifying which types are allowed.
+
+Please execute the command that follows.
+
+```
+docker service update \
+    --label-add "com.df.allowedMethods=GET,DELETE" \
+    go-demo_main
+```
+
+We specified the `com.df.allowedMethods` label that tells the proxy that only `GET` and `DELETE` methods are allowed. A request with any other method will be denied.
+
+Let's confirm that the feature indeed works as expected.
+
+```bash
+curl -i "http://$(docker-machine ip node-1)/demo/hello"
+```
+
+We sent an `GET` request (default type) and the output is as follows.
+
+```
+TODO
+```
+
+Since get is on the list of allowed request methods, we got OK (status code `200`) indicating that the proxy allowed it to pass to the destination service.
+
+Let's confirm that the behavior is the same with a `DELETE` request.
+
+```bash
+curl -i -XDELETE \
+    "http://$(docker-machine ip node-1)/demo/hello"
+```
+
+Just as with the `GET` request, the response is `200`. The proxy allowed it as well.
+
+According to the current configuration, any other request method should be denied. Let's test it with, for example, a `PUT` request.
+
+```bash
+curl -i -XPUT \
+    "http://$(docker-machine ip node-1)/demo/hello"
+```
+
+```
+TODO
+```
+
+This time, the proxy responded with TODO (status code TODO). The request method is not on the list of those that are allowed and proxy choose not to forward it to the destination service. Instead, it returned with TODO.
+
+Similarly, we can choose which methods to deny.
+
+```bash
+docker service update \
+    --label-rm "com.df.allowedMethods" \
+    --label-add "com.df.deniedMethods=DELETE" \
+    go-demo_main
+```
+
+We removed the `com.df.allowedMethods` label and created `com.df.deniedMethods` with the value `DELETE`.
+
+If we send an `GET` request, the response should be `200` since it is not on the list of those that are denied.
+
+```bash
+curl -i \
+    "http://$(docker-machine ip node-1)/demo/hello"
+```
+
+On the other hand, if we choose to send an `DELETE` request, the response should be denied.
+
+```bash
+curl -i -XDELETE \
+    "http://$(docker-machine ip node-1)/demo/hello"
+```
+
+We got the response TODO proving that no one can send a `DELETE` request to our service.
+
+Let's remove the `deniedMethods` label and explore how we can block HTTP request.
+
+```bash
+docker service update \
+    --label-rm "com.df.deniedMethods" \
+    go-demo_main
+```
+
+## Blocking HTTP Requests
+
+TODO: Continue writing
+
+```bash
+docker service update \
+    --label-add "com.df.denyHttp=true" \
+    go-demo_main
+
+curl -i \
+    "http://$(docker-machine ip node-1)/demo/hello"
+
+# NOTE: No certs, so not HTTPS
+```
+
+## Summary
+
+TODO: Write
+
+```bash
+docker-machine rm node-1 node-2 node-3
+```
diff --git a/docs/usage.md b/docs/usage.md
@@ -37,7 +37,7 @@ The following query parameters can be used to send a *reconfigure* request to *D
 |timeoutTunnel  |The tunnel timeout in seconds.<br>**Example:** `3600`                                            |3600   |
 |xForwardedProto|Whether to add "X-Forwarded-Proto https" header.<br>**Example:** `true`                          |false  |
 
-Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain``allowedMethods`, `deniedMethods`, or `ReqMode` parameters. In that case, `srcPort` is required.
+Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain``allowedMethods`, `deniedMethods`, `denyHttp` or `ReqMode` parameters. In that case, `srcPort` is required.
 
 ### HTTP Mode Query Parameters
 
@@ -47,6 +47,7 @@ The following query parameters can be used only when `reqMode` is set to `http`
 |-------------|--------------------------------------------------------------------------------|
 |allowedMethods|The list of allowed methods. If specified, a request with a method that is not on the list will be denied. Multiple methods can be separated with comma (`,`). The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `allowedMethods.1`, `allowedMethods.2`, and so on).<br>**Example:** `GET,DELETE`|
 |deniedMethods|The list of denied methods. If specified, a request with a method that is on the list will be denied. Multiple methods can be separated with comma (`,`). The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `deniedMethods.1`, `deniedMethods.2`, and so on).<br>**Example:** `PUT,POST`|
+|denyHttp     |Whether to deny HTTP requests thus allowing only HTTPS. The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `denyHttp.1`, `denyHttp.2`, and so on).<br>**Example:** `true`<br>**Default Value:** `false`|
 |httpsOnly    |If set to true, HTTP requests to the service will be redirected to HTTPS.<br>**Example:** `true`<br>**Default Value:** `false`|
 |outboundHostname|The hostname where the service is running, for instance on a separate swarm. If specified, the proxy will dispatch requests to that domain.<br>**Example:** `ecme.com`|
 |pathType     |The ACL derivative. Defaults to *path_beg*. See [HAProxy path](https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.6-path) for more info.<br>**Example:** `path_beg`|
@@ -65,7 +66,7 @@ The following query parameters can be used only when `reqMode` is set to `http`
 |usersPassEncrypted|Indicates whether passwords provided by `users` or `usersSecret` contain encrypted data. Passwords can be encrypted with the command `mkpasswd -m sha-512 password1`.<br>**Example:** `true`<br>**Default Value:** `false`|
 |verifyClientSsl|Whether to verify client SSL and, if it is not valid, deny request and return 403 Forbidden status code. SSL is validated against the `ca-file` specified through the environment variable `CA_FILE`.<br>**Example:** true<br>**Default Value:** `false`|
 
-Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain`, `allowedMethods`, `deniedMethods`, or `ReqMode` parameters. In that case, `srcPort` is required.
+Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain`, `allowedMethods`, `deniedMethods`, `denyHttp` or `ReqMode` parameters. In that case, `srcPort` is required.
 
 ### TCP Mode HTTP Query Parameters
 
diff --git a/integration_tests/integration_swarm_test.go b/integration_tests/integration_swarm_test.go
@@ -610,6 +610,15 @@ func (s IntegrationSwarmTestSuite) Test_Methods() {
 	s.Equal(403, resp.StatusCode, s.getProxyConf())
 }
 
+func (s IntegrationSwarmTestSuite) Test_DenyHttp() {
+	s.reconfigureGoDemo("&denyHttp=true")
+
+	resp, err := s.sendHelloRequest()
+
+	s.NoError(err)
+	s.Equal(403, resp.StatusCode, s.getProxyConf())
+}
+
 // Util
 
 func (s *IntegrationSwarmTestSuite) areContainersRunning(expected int, name string) bool {
@@ -651,7 +660,7 @@ func (s *IntegrationSwarmTestSuite) waitForContainers(expected int, name string)
 		i = i + 1
 		time.Sleep(1 * time.Second)
 	}
-	time.Sleep(5 * time.Second)
+	time.Sleep(2 * time.Second)
 }
 
 func (s *IntegrationSwarmTestSuite) createGoDemoService() {
diff --git a/proxy/template.go b/proxy/template.go
@@ -144,6 +144,9 @@ backend {{$.ServiceName}}-be{{.Port}}
             {{- if .DeniedMethods}}
     acl valid_denied_method method{{range .DeniedMethods}} {{.}}{{end}}
     http-request deny if valid_denied_method
+            {{- end}}
+            {{- if .DenyHttp}}
+    http-request deny if !{ ssl_fc }
             {{- end}}
             {{- if $.HttpsOnly}}
     redirect scheme https if !{ ssl_fc }
diff --git a/proxy/types.go b/proxy/types.go
@@ -14,6 +14,8 @@ type ServiceDest struct {
 	AllowedMethods []string
 	// The list of denied methods. If specified, a request with a method that is on the list will be denied.
 	DeniedMethods []string
+	// Whether to deny HTTP requests thus allowing only HTTPS.
+	DenyHttp bool
 	// Whether to ignore authorization for this service destination.
 	IgnoreAuthorization bool
 	// The internal port of a service that should be reconfigured.
@@ -369,6 +371,7 @@ func getServiceDest(sr *Service, provider ServiceParameterProvider, index int) S
 	return ServiceDest{
 		AllowedMethods:      getSliceFromString(provider, fmt.Sprintf("allowedMethods%s", suffix)),
 		DeniedMethods:       getSliceFromString(provider, fmt.Sprintf("deniedMethods%s", suffix)),
+		DenyHttp:            getBoolParam(provider, fmt.Sprintf("denyHttp%s", suffix)),
 		IgnoreAuthorization: getBoolParam(provider, fmt.Sprintf("ignoreAuthorization%s", suffix)),
 		Port:                provider.GetString(fmt.Sprintf("port%s", suffix)),
 		ReqMode:             reqMode,
diff --git a/proxy/types_test.go b/proxy/types_test.go
@@ -229,6 +229,7 @@ func (s *TypesTestSuite) getServiceMap(expected Service, indexSuffix string) map
 		// ServiceDest
 		"allowedMethods" + indexSuffix:      strings.Join(expected.ServiceDest[0].AllowedMethods, ","),
 		"deniedMethods" + indexSuffix:       strings.Join(expected.ServiceDest[0].DeniedMethods, ","),
+		"denyHttp" + indexSuffix:            strconv.FormatBool(expected.ServiceDest[0].DenyHttp),
 		"ignoreAuthorization" + indexSuffix: strconv.FormatBool(expected.ServiceDest[0].IgnoreAuthorization),
 		"port" + indexSuffix:                expected.ServiceDest[0].Port,
 		"reqMode" + indexSuffix:             expected.ServiceDest[0].ReqMode,
@@ -262,6 +263,7 @@ func (s *TypesTestSuite) getExpectedService() Service {
 		ServiceDest: []ServiceDest{{
 			AllowedMethods:      []string{"GET", "DELETE"},
 			DeniedMethods:       []string{"PUT", "POST"},
+			DenyHttp:            true,
 			IgnoreAuthorization: true,
 			ServiceDomain:       []string{"domain1", "domain2"},
 			ServiceHeader:       map[string]string{"X-Version": "3", "name": "Viktor"},
