commits
this reworks how claim-headers are serialized -- previously, they were
spit out as json, now you choose how to join compound types with config,
and scalars are spit out in their "raw" form (i.e. just like their json
serialized form, but with strings being unquoted). null values are
skipped, and cause equivalent map-items to be skipped.
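Added example, not the project's own code: a small model of the claim-to-header serialization rules described in the commit above (scalars in raw JSON form with strings unquoted, compound values joined with configured separators, nulls skipped, null-valued map entries dropped). The `Claim` enum, the `JoinConfig` field names and the all-null-compound behaviour are assumptions; a control-character check is added on top because a claim string that reaches a header value unchecked is a header-injection vector.

```rust
// Added example, not the project's own code. Models the commit's rules:
// scalars render "raw" (JSON form, strings unquoted), compound values are
// joined with configurable separators, nulls are skipped, and map entries
// whose value is null are dropped. header_value() adds a CR/LF/control
// check so a hostile claim cannot smuggle extra headers downstream.

#[derive(Debug, Clone, PartialEq)]
pub enum Claim {
    Null,
    Bool(bool),
    Num(f64),
    Str(String),
    Arr(Vec<Claim>),
    Map(Vec<(String, Claim)>), // insertion-ordered so output is deterministic
}

/// Separator settings. Field names are assumptions, not the project's config keys.
#[derive(Debug, Clone)]
pub struct JoinConfig {
    pub array_sep: String, // between array items
    pub map_sep: String,   // between map entries
    pub kv_sep: String,    // between a map key and its value
}

impl Default for JoinConfig {
    fn default() -> Self {
        JoinConfig { array_sep: ",".into(), map_sep: ";".into(), kv_sep: "=".into() }
    }
}

/// Render one scalar as JSON would, except that strings are not quoted.
fn scalar(c: &Claim) -> Option<String> {
    match c {
        Claim::Null => None,
        Claim::Bool(b) => Some(b.to_string()),
        // Whole numbers print without a trailing ".0", matching JSON integers.
        Claim::Num(n) if n.fract() == 0.0 && n.abs() < 1e15 => Some(format!("{}", *n as i64)),
        Claim::Num(n) => Some(n.to_string()),
        Claim::Str(s) => Some(s.clone()),
        Claim::Arr(_) | Claim::Map(_) => None, // compound values are handled by render()
    }
}

/// Returns None for a null claim, so the caller skips the header entirely.
/// An array or map whose members are all null renders as an empty string
/// (assumption: the commit does not say what an all-null compound becomes).
pub fn render(c: &Claim, cfg: &JoinConfig) -> Option<String> {
    match c {
        Claim::Arr(items) => {
            let parts: Vec<String> = items.iter().filter_map(|i| render(i, cfg)).collect();
            Some(parts.join(&cfg.array_sep))
        }
        Claim::Map(entries) => {
            let parts: Vec<String> = entries
                .iter()
                .filter_map(|(k, v)| render(v, cfg).map(|v| format!("{}{}{}", k, cfg.kv_sep, v)))
                .collect();
            Some(parts.join(&cfg.map_sep))
        }
        _ => scalar(c),
    }
}

/// Render, then refuse anything that is not a valid HTTP header value:
/// CR, LF and other control characters (tab excepted) would let a claim
/// inject additional headers into the proxied request.
pub fn header_value(c: &Claim, cfg: &JoinConfig) -> Result<Option<String>, String> {
    match render(c, cfg) {
        None => Ok(None),
        Some(s) if s.chars().any(|ch| ch.is_control() && ch != '\t') => {
            Err(format!("claim value contains control characters: {:?}", s))
        }
        Some(s) => Ok(Some(s)),
    }
}

fn main() {
    let cfg = JoinConfig::default();
    // Constructed sample claim: a groups array with a null hole in it.
    let groups = Claim::Arr(vec![Claim::Str("admin".into()), Claim::Null, Claim::Str("dev".into())]);
    println!("X-Groups: {}", render(&groups, &cfg).unwrap());
}
```

The control-character rejection is the part worth keeping whatever the serialization rules end up being: once strings are emitted unquoted, nothing else stands between an IdP-supplied value and the header block.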
ketama hashing skips uds backends cause it can't handle it, so
choose roundrobin at service launch if uds backends are in play for a
domain.
this should clear up some of the header map iteration order issues --
they're still there (gotta patch pingora, _grumbles_), but you'll run
into them less.
now try to merge all settings with the corresponding defaults, instead
of using the settings wholesale, since zero-values are not what we want
as defaults for stuff like `threads`.
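Added example, not the project's own code: the field-by-field merge the commit above switches to, next to the wholesale path it replaces. Field names, default values and the use of `Option` for "not set in the file" are assumptions for illustration; the point is that a zero-valued `threads` or a false `https_only` must never be produced by a field the operator simply left out.

```rust
// Added example, not the project's own code. Shows why settings are merged
// with defaults field by field instead of being used wholesale: an omitted
// field must fall back to the default, not to the type's zero value.
// Field names and defaults are assumptions for illustration.

/// What the config file can say. Every field is Option so "absent" is
/// distinguishable from an explicit zero.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct FileSettings {
    pub threads: Option<usize>,
    pub listen: Option<String>,
    pub https_only: Option<bool>,
}

/// The fully resolved settings the service actually runs with.
#[derive(Debug, Clone, PartialEq)]
pub struct Settings {
    pub threads: usize,
    pub listen: String,
    pub https_only: bool,
}

impl Default for Settings {
    fn default() -> Self {
        Settings { threads: 4, listen: "127.0.0.1:8080".into(), https_only: true }
    }
}

/// The behaviour the commit moved away from: each missing field becomes its
/// zero value, so `threads` silently ends up 0 and `https_only` ends up
/// false, i.e. the insecure choice.
pub fn wholesale(file: &FileSettings) -> Settings {
    Settings {
        threads: file.threads.unwrap_or_default(),
        listen: file.listen.clone().unwrap_or_default(),
        https_only: file.https_only.unwrap_or_default(),
    }
}

/// Merge: take the file's value where present, the default otherwise, then
/// validate so an explicit `threads = 0` is rejected instead of quietly
/// disabling the worker pool.
pub fn merge(file: &FileSettings, defaults: &Settings) -> Result<Settings, String> {
    let resolved = Settings {
        threads: file.threads.unwrap_or(defaults.threads),
        listen: file.listen.clone().unwrap_or_else(|| defaults.listen.clone()),
        https_only: file.https_only.unwrap_or(defaults.https_only),
    };
    if resolved.threads == 0 {
        return Err("threads must be at least 1".into());
    }
    if resolved.listen.is_empty() {
        return Err("listen address must not be empty".into());
    }
    Ok(resolved)
}

fn main() {
    // Constructed sample file that only sets the listen address.
    let file = FileSettings { listen: Some("0.0.0.0:443".into()), ..Default::default() };
    println!("wholesale: {:?}", wholesale(&file));
    println!("merged:    {:?}", merge(&file, &Settings::default()));
}
```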
this adds options to either
a) skip verifying certs on self-signed backends, or
b) supply a custom ca
whoof pingora's rustls typing is... iffy. had to do another patch
there.
this should unlock deployment.
unfortunately, since the [upstream
issue](https://github.com/cloudflare/pingora/issues/594) has yet to be
resolved, i had to use a custom fork based on someone's [WIP
PR](https://github.com/cloudflare/pingora/issues/599). thankfully,
it's a pretty simple change, as the capability is mostly already built
into rustls.
this implements login, logout, claim-to-header proxying, and header
stripping.
the whole domain is protected for a given domain -- there's no partial
coverage yet
- proxying _from_ http and https should be working
- proxying _to_ http, https, and uds should be working
- load-balancing by client address for http & https downstreams should
be working
- downstream uds _technically_ should work, but load balancing will be
broken due to not having a good load balancing key
- https-only mode works
(i think -- i've only tested with http --> http)
NB: we currently rely on the `Host` header to match requests to
upstreams. pingora doesn't seem to check that `Host` matches SNI,
so we're currently vulnerable to host-sni mismatch attacks. not a huge
deal for personal use, but worth fixing. we'll need to switch to
boringssl for that, cause pingora doesn't surface the requisite hooks
for rustls.
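Added example, not the project's own code: the Host-versus-SNI consistency check that the note above says is missing. The proxy routes on the Host header, so a client can complete a TLS handshake for one name and then send a Host for another; this function assumes the caller can read both values from the connection (how that is surfaced from pingora's TLS layer is exactly the open problem the note describes and is not shown here). The `HostCheck` type and the normalization rules are assumptions.

```rust
// Added example, not the project's own code. Compares the Host header the
// request will be routed on with the SNI the TLS handshake used. Assumes the
// caller has both values; wiring into pingora is not shown.

#[derive(Debug, PartialEq)]
pub enum HostCheck {
    /// Host and SNI name the same domain.
    Consistent(String),
    /// No SNI on this connection (plain HTTP, or a TLS client that sent none).
    NoSni(String),
    /// Host header names a different domain than the TLS handshake.
    Mismatch { host: String, sni: String },
    /// Host header missing or malformed: reject the request.
    Invalid,
}

/// Normalize a Host header for comparison: trim, lowercase, drop a trailing
/// dot and a numeric :port suffix. IPv6 literals keep their brackets.
fn normalize_host(raw: &str) -> Option<String> {
    let h = raw.trim().to_ascii_lowercase();
    if h.is_empty() {
        return None;
    }
    let host = if let Some(rest) = h.strip_prefix('[') {
        // "[::1]:8443" -> "[::1]"
        let end = rest.find(']')?;
        format!("[{}]", &rest[..end])
    } else if let Some((name, port)) = h.rsplit_once(':') {
        // A colon in a non-bracketed Host must introduce a numeric port.
        if port.is_empty() || !port.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        name.to_string()
    } else {
        h.clone()
    };
    let host = host.trim_end_matches('.').to_string();
    if host.is_empty() { None } else { Some(host) }
}

/// SNI never carries a port; only case and a trailing dot need normalizing.
fn normalize_sni(raw: &str) -> String {
    raw.trim().trim_end_matches('.').to_ascii_lowercase()
}

/// Decide whether the request's Host agrees with the handshake's SNI.
/// The caller decides what NoSni means: acceptable for plain HTTP,
/// usually a rejection on an HTTPS listener.
pub fn check_host_sni(host_header: Option<&str>, sni: Option<&str>) -> HostCheck {
    let host = match host_header.and_then(normalize_host) {
        Some(h) => h,
        None => return HostCheck::Invalid,
    };
    match sni.map(normalize_sni) {
        None => HostCheck::NoSni(host),
        Some(s) if s == host => HostCheck::Consistent(host),
        Some(s) => HostCheck::Mismatch { host, sni: s },
    }
}

fn main() {
    // Constructed sample: handshake for one domain, Host for another.
    println!("{:?}", check_host_sni(Some("other.example"), Some("victim.example")));
}
```

On a TLS listener, anything other than `Consistent` should fail the request before upstream selection runs; a `Mismatch` is the attack the note describes, and `NoSni` on HTTPS means the handshake gave no name to bind the route to.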
both uds and tcp support, but no support for advanced tcp options
putting my money (so to speak) where my mouth is on a recent rant about
how textproto is good, actually ;-)