From 68e56ac540a2db20e07266e319e8882de717ff9e Mon Sep 17 00:00:00 2001
From: wollomatic
Date: Thu, 19 Sep 2024 22:23:06 +0200
Subject: [PATCH 1/4] update changelog

---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1e54d51..970148d 100644
--- a/README.md
+++ b/README.md
@@ -186,7 +186,7 @@ socket-proxy can be configured via command line parameters or via environment va
 | `-stoponwatchdog` | `SP_STOPONWATCHDOG` | (not set/false) | If set, socket-proxy will be stopped if the watchdog detects that the unix socket is not available. |
 | `-watchdoginterval` | `SP_WATCHDOGINTERVAL` | `0` | Check for socket availabibity every x seconds (disable checks, if not set or value is 0) |
 | `-proxysocketendpoint` | `SP_PROXYSOCKETENDPOINT` | (not set) | Proxy to the given unix socket instead of a TCP port |
-| `-proxysocketendpointfilemode` | `SP_PROXYSOCKETENDPOINTFILEMODE` | `0400` | Explicitly set the file mode for the filtered unix socket endpoint (only useful with `-proxysocketendpoint`) |
+| `-proxysocketendpointfilemode` | `SP_PROXYSOCKETENDPOINTFILEMODE` | `0600` | Explicitly set the file mode for the filtered unix socket endpoint (only useful with `-proxysocketendpoint`) |
 
 ### Changelog
 
@@ -200,6 +200,8 @@ socket-proxy can be configured via command line parameters or via environment va
 
 1.4 - allow configuration from env variables
 
+1.5 - allow unix socket as proxied/filtered endpoint
+
 ## License
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

From b565bbed3ea70dec5785bf6103cb0e32b07ead24 Mon Sep 17 00:00:00 2001
From: wollomatic
Date: Sat, 21 Sep 2024 16:22:12 +0200
Subject: [PATCH 2/4] fix some linter issues

---
 cmd/socket-proxy/handlehttprequest.go | 5 ++---
 cmd/socket-proxy/main.go | 14 +++++++-------
 internal/config/config.go | 6 +++---
 3 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/cmd/socket-proxy/handlehttprequest.go b/cmd/socket-proxy/handlehttprequest.go
index ce016bf..24ca7c1 100644
--- a/cmd/socket-proxy/handlehttprequest.go
+++ b/cmd/socket-proxy/handlehttprequest.go
@@ -8,11 +8,10 @@ import (
 	"strings"
 )
 
-// handleHttpRequest checks if the request is allowed and sends it to the proxy.
+// handleHTTPRequest checks if the request is allowed and sends it to the proxy.
 // Otherwise, it returns a "405 Method Not Allowed" or a "403 Forbidden" error.
 // In case of an error, it returns a 500 Internal Server Error.
-func handleHttpRequest(w http.ResponseWriter, r *http.Request) {
-
+func handleHTTPRequest(w http.ResponseWriter, r *http.Request) {
 	if cfg.ProxySocketEndpoint == "" { // do not perform this check if we proxy to a unix socket
 		allowedIP, err := isAllowedClient(r.RemoteAddr)
 		if err != nil {
diff --git a/cmd/socket-proxy/main.go b/cmd/socket-proxy/main.go
index 8853d0a..615d013 100644
--- a/cmd/socket-proxy/main.go
+++ b/cmd/socket-proxy/main.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"github.com/wollomatic/socket-proxy/internal/config"
 	"log/slog"
 	"net"
 	"net/http"
@@ -15,10 +14,12 @@ import (
 	"runtime"
 	"syscall"
 	"time"
+
+	"github.com/wollomatic/socket-proxy/internal/config"
 )
 
 const (
-	programUrl = "github.com/wollomatic/socket-proxy"
+	programURL = "github.com/wollomatic/socket-proxy"
 	logAddSource = false // set to true to log the source position (file and line) of the log message
 )
 
@@ -55,7 +56,7 @@ func main() {
 	slog.SetDefault(logger)
 
 	// print configuration
-	slog.Info("starting socket-proxy", "version", version, "os", runtime.GOOS, "arch", runtime.GOARCH, "runtime", runtime.Version(), "URL", programUrl)
+	slog.Info("starting socket-proxy", "version", version, "os", runtime.GOOS, "arch", runtime.GOARCH, "runtime", runtime.Version(), "URL", programURL)
 	if cfg.ProxySocketEndpoint == "" {
 		slog.Info("configuration info", "socketpath", cfg.SocketPath, "listenaddress", cfg.ListenAddress, "loglevel", cfg.LogLevel, "logjson", cfg.LogJSON, "allowfrom", cfg.AllowFrom, "shutdowngracetime", cfg.ShutdownGraceTime)
 	} else {
@@ -90,8 +91,8 @@ func main() {
 	}
 
 	// define the reverse proxy
-	socketUrlDummy, _ := url.Parse("http://localhost") // dummy URL - we use the unix socket
-	socketProxy = httputil.NewSingleHostReverseProxy(socketUrlDummy)
+	socketURLDummy, _ := url.Parse("http://localhost") // dummy URL - we use the unix socket
+	socketProxy = httputil.NewSingleHostReverseProxy(socketURLDummy)
 	socketProxy.Transport = &http.Transport{
 		DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
 			return net.Dial("unix", cfg.SocketPath)
@@ -125,7 +126,7 @@ func main() {
 	}
 
 	srv := &http.Server{ // #nosec G112 -- intentionally do not time out the client
-		Handler: http.HandlerFunc(handleHttpRequest), // #nosec G112
+		Handler: http.HandlerFunc(handleHTTPRequest), // #nosec G112
 	} // #nosec G112
 
 	// start the server in a goroutine
@@ -148,7 +149,6 @@ func main() {
 	if cfg.AllowHealthcheck {
 		go healthCheckServer(cfg.SocketPath)
 		slog.Debug("healthcheck ready")
-
 	}
 
 	// Wait for stop signal
diff --git a/internal/config/config.go b/internal/config/config.go
index 50f814b..7f5a2da 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -25,7 +25,7 @@ var (
 	defaultWatchdogInterval = uint(0) // watchdog interval in seconds (0 to disable)
 	defaultStopOnWatchdog = false // set to true to stop the program when the socket gets unavailable (otherwise log only)
 	defaultProxySocketEndpoint = "" // empty string means no socket listener, but regular TCP listener
-	defaultProxySocketEndpointFileMode = uint(0400) // set the file mode of the unix socket endpoint
+	defaultProxySocketEndpointFileMode = uint(0o400) // set the file mode of the unix socket endpoint
 )
 
 type Config struct {
@@ -180,13 +180,13 @@ func InitConfig() (*Config, error) {
 	if rx.regexStringFromParam != "" {
 		r, err := regexp.Compile("^" + rx.regexStringFromParam + "$")
 		if err != nil {
-			return nil, fmt.Errorf("invalid regex \"%s\" for method %s in command line parameter: %s", rx.regexStringFromParam, rx.method, err)
+			return nil, fmt.Errorf("invalid regex \"%s\" for method %s in command line parameter: %w", rx.regexStringFromParam, rx.method, err)
 		}
 		cfg.AllowedRequests[rx.method] = r
 	} else if rx.regexStringFromEnv != "" {
 		r, err := regexp.Compile("^" + rx.regexStringFromEnv + "$")
 		if err != nil {
-			return nil, fmt.Errorf("invalid regex \"%s\" for method %s in env variable: %s", rx.regexStringFromParam, rx.method, err)
+			return nil, fmt.Errorf("invalid regex \"%s\" for method %s in env variable: %w", rx.regexStringFromParam, rx.method, err)
 		}
 		cfg.AllowedRequests[rx.method] = r
 	}

From f9e26a0cb9da36edbbe364ec7e925c7d5444fe20 Mon Sep 17 00:00:00 2001
From: wollomatic
Date: Sat, 21 Sep 2024 16:22:53 +0200
Subject: [PATCH 3/4] Update to Go 1.23.1

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 0a2b175..279a7ed 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM --platform=$BUILDPLATFORM golang:1.22.7-alpine3.20 AS build
+FROM --platform=$BUILDPLATFORM golang:1.23.1-alpine3.20 AS build
 WORKDIR /application
 COPY . ./
 ARG TARGETOS
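Review bot: The new-side default `defaultProxySocketEndpointFileMode = uint(0o400)` still disagrees with the README hunk in patch 1 of this series, which now documents the default of `-proxysocketendpointfilemode` as `0600`; this hunk only changes the spelling of the literal. Unless the default is overridden somewhere outside the hunk, either the code or the documentation is wrong, and the value matters because connecting to a unix socket requires write permission on the socket file, so with a 0o400 mode a non-root client, including the owning user, cannot connect at all. If 0600 is the intended default, change the line to `defaultProxySocketEndpointFileMode = uint(0o600) // owner read/write; connect() needs write permission on the socket file`, otherwise correct the README table back to `0400`. The surrounding `var (` block begins outside the hunk.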
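Review bot: In the env-variable branch the new error line still interpolates `rx.regexStringFromParam` rather than `rx.regexStringFromEnv`, so when an environment-supplied regex fails to compile the message reports the command-line value (empty in this branch) instead of the pattern that actually failed; the `%s` to `%w` change does not address that. I would change it to `return nil, fmt.Errorf("invalid regex %q for method %s in env variable: %w", rx.regexStringFromEnv, rx.method, err)` and use the same `%q` in the parameter branch so the hand-written `\"%s\"` quoting is replaced by fmt's escaping of the operator-supplied string. The enclosing `InitConfig` starts and ends outside the hunk.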
From 716f16497e90bcc62b79b07f56fea84a564ad6fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Ells=C3=A4sser?=
Date: Wed, 2 Oct 2024 16:54:21 +0200
Subject: [PATCH 4/4] Go 1.23.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Wolfgang Ellsässer
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 279a7ed..ab4e939 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM --platform=$BUILDPLATFORM golang:1.23.1-alpine3.20 AS build
+FROM --platform=$BUILDPLATFORM golang:1.23.2-alpine3.20 AS build
 WORKDIR /application
 COPY . ./
 ARG TARGETOS