-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathmain.go
More file actions
119 lines (100 loc) · 3.31 KB
/
main.go
File metadata and controls
119 lines (100 loc) · 3.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
package main
import (
"context"
"flag"
"fmt"
"net"
"net/http"
"net/http/httputil"
"os"
"os/signal"
"syscall"
"github.com/cego/caddy-docker-api-auth/internal"
"github.com/cego/caddy-docker-api-auth/internal/guards"
"github.com/moby/moby/client"
"go.uber.org/zap"
)
func main() {
aclFile := flag.String("acl", "", "path to ACL YAML file")
listen := flag.String("listen", ":3004", "listen address")
dockerSocket := flag.String("docker-socket", "/var/run/docker.sock", "path to Docker socket")
flag.Parse()
if *aclFile == "" {
fmt.Fprintln(os.Stderr, "error: --acl flag is required")
flag.Usage()
os.Exit(1)
}
logger, _ := zap.NewProduction()
defer func() { _ = logger.Sync() }()
acl := internal.NewACL(*aclFile)
dockerApi, err := client.NewClientWithOpts(
client.WithHost("unix://"+*dockerSocket),
client.WithAPIVersionNegotiation(),
)
if err != nil {
logger.Fatal("failed to create docker client", zap.Error(err))
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
servicesEditGuard := guards.NewServicesEdit(ctx, logger, acl, dockerApi)
proxy := &httputil.ReverseProxy{
Director: func(req *http.Request) {
req.URL.Scheme = "http"
req.URL.Host = "docker"
},
Transport: &http.Transport{
DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
return net.Dial("unix", *dockerSocket)
},
},
ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
logger.Error("proxy error", zap.String("method", r.Method), zap.String("path", r.URL.Path), zap.Error(err))
http.Error(w, err.Error(), http.StatusBadGateway)
},
}
handler := requestLogger(logger, authMiddleware(logger, acl, servicesEditGuard, proxy))
server := &http.Server{
Addr: *listen,
Handler: handler,
}
go func() {
sigCh := make(chan os.Signal, 1)
signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
<-sigCh
logger.Info("shutting down")
_ = server.Close()
}()
logger.Info("starting server", zap.String("listen", *listen), zap.String("docker-socket", *dockerSocket))
if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
logger.Fatal("server error", zap.Error(err))
}
}
func requestLogger(logger *zap.Logger, next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
logger.Info("request", zap.String("method", r.Method), zap.String("path", r.URL.Path), zap.String("upgrade", r.Header.Get("Upgrade")))
next.ServeHTTP(w, r)
})
}
func authMiddleware(logger *zap.Logger, acl *internal.ACL, servicesEditGuard *guards.ServicesEdit, next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
username := r.Header.Get("X-Docker-Auth-Username")
password := r.Header.Get("X-Docker-Auth-Password")
if username == "" || password == "" {
msg := "X-Docker-Auth-Username or X-Docker-Auth-Password is empty or unspecified"
logger.Error(msg)
http.Error(w, msg, http.StatusUnauthorized)
return
}
if !acl.VerifyUser(username, password) {
msg := "Could not verify username/password for username '" + username + "'"
logger.Error(msg)
http.Error(w, msg, http.StatusUnauthorized)
return
}
if servicesEditGuard.Matches(r.URL.Path) {
servicesEditGuard.ServeHTTP(w, r, next, username)
return
}
next.ServeHTTP(w, r)
})
}