Skip to content

Channels: HTTP proxy with observability for Lightning#4419

Merged
stuartc merged 17 commits intomainfrom
channels
Mar 19, 2026
Merged

Channels: HTTP proxy with observability for Lightning#4419
stuartc merged 17 commits intomainfrom
channels

Conversation

@stuartc
Copy link
Member

@stuartc stuartc commented Feb 11, 2026
edited
Loading

Summary

Channels adds lightweight reverse-proxy functionality with observability to Lightning. Deploy a Channel between two systems and get instant visibility into requests and responses, with full audit trail.

  • Source: Authenticates inbound requests (API key / Basic Auth via project credentials)
  • Sink: Forwards to target system with credential injection
  • Observability: Every proxied request logged with headers, body preview, SHA256 hash, timing
  • Snapshots: Channel config captured at request time for auditable history

Streaming proxy powered by philter — constant memory regardless of payload size.

Closes #4322 | Go-live target: 26 Feb 2026

Stories

Phase 1 — Foundation

Phase 2 — Core Proxy

Phase 3 — Observability

Phase 4 — UI

Phase 5 — Performance Confidence

Dependency Graph

#4399 Schema ──┬──→ #4401 Proxy ──→ #4403 Source auth
               │       │           #4404 Sink auth (parallel)
               │       │
               ├───────┤──→ #4405 Observer ──→ #4406 Snapshots
               │       │
               ├──→ #4400 Audit trail
               ├──→ #4407 Channel UI
               └───────┴──→ #4408 History page

#4409 Mock sink ──┐
                  ├──→ #4410 K6 load tests
#4401 Proxy ──────┘

@github-project-automation github-project-automation bot moved this to New Issues in Core Feb 11, 2026
@codecov
Copy link

codecov bot commented Feb 11, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 91.51235% with 55 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.55%. Comparing base (bdec4c8) to head (60b287a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
lib/lightning_web/live/channel_live/index.ex 90.22% 13 Missing ⚠️
lib/lightning_web/plugs/channel_proxy_plug.ex 87.12% 13 Missing ⚠️
lib/lightning/channels/handler.ex 83.63% 9 Missing ⚠️
...htning_web/live/run_live/channel_logs_component.ex 88.70% 7 Missing ⚠️
lib/lightning/channels.ex 91.04% 6 Missing ⚠️
lib/lightning_web/live/run_live/index.ex 33.33% 4 Missing ⚠️
.../lightning_web/live/channel_live/form_component.ex 97.84% 2 Missing ⚠️
lib/lightning_web/live/channel_live/helpers.ex 94.44% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4419      +/-   ##
==========================================
+ Coverage   89.49%   89.55%   +0.06%     
==========================================
  Files         425      441      +16     
  Lines       20373    20993     +620     
==========================================
+ Hits        18232    18800     +568     
- Misses       2141     2193      +52

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@stuartc stuartc marked this pull request as ready for review March 6, 2026 19:46
stuartc and others added 13 commits March 10, 2026 14:49
@stuartc
Copy link
Member Author

stuartc commented Mar 11, 2026
edited
Loading

We've found a critical bug in the philter proxy library. It incorrectly folds in the host header into outgoing request. While this is 'fixable' in Lightning, the proxy library has no business blindly merging host and other headers in like this.

The effect is that any site that has more than one domain/site being served (i.e. most servers) will reject the request because the host/site requested gets set as whatever the host for Lightning is.

A fix is underway.

stuartc added 4 commits March 11, 2026 16:13
@stuartc
Refactor channel proxy to use Philter's extra_headers/strip_headers
785589b 
Replace manual conn.req_headers mutation (Headers module) with Philter's
purpose-built API. This fixes a security issue where source authentication
headers (x-api-key for API auth, authorization for Basic auth) leaked
through to the upstream sink.

- Delete inner Headers module that mutated conn.req_headers
- Add build_extra_headers/2 for proxy headers (x-forwarded-*, x-request-id, sink auth)
- Add build_strip_headers/1 to remove source auth headers before forwarding
- Add source_auth_types to SinkRequest struct, populated from channel config
- Bump Philter to 0.2.0 for extra_headers/strip_headers support
- Add 5 new tests: host rewrite regression, source auth stripping, passthrough
@stuartc
Update philter to 0.2.1
6671004
@stuartc
Merge remote-tracking branch 'origin/main' into channels
e9d5087 
# Conflicts:
#	CHANGELOG.md
#	lib/lightning/runs/queue.ex
#	test/lightning/runs/queue_test.exs
@stuartc
Remove orphaned Headers test file
60b287a 
The Headers module was extracted into Philter during the refactor,
but this test file was left behind referencing the deleted module.
@stuartc stuartc merged commit 98bb4dd into main Mar 19, 2026
8 checks passed
@stuartc stuartc deleted the channels branch March 19, 2026 13:56
@github-project-automation github-project-automation bot moved this from New Issues to Done in Core Mar 19, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Core
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Channels v0.1

2 participants

@stuartc @midigofrank