Ilia Denisov
27916bbe61
Tests · Go / test (push) Successful in 2m0s
Add the server-rendered operator console at /_gm, exposed publicly through the gateway behind the existing admin_accounts Basic Auth. Backend: - new internal/adminconsole package (html/template Renderer, stateless HMAC CSRF signer, embedded stylesheet) - /_gm route group reusing basicauth.Middleware(admin.Service) + a CSRF guard (per-operator token + same-origin check); dashboard landing page - BACKEND_ADMIN_CONSOLE_CSRF_KEY config (per-process random fallback) Gateway: - new "admin" public route class (per-IP rate limit, body + GET/HEAD/POST method limits) classifying /_gm traffic - reverse proxy to the backend /_gm surface, preserving Host and relaying the backend 401 Basic Auth challenge; 502 when the backend is unreachable - GATEWAY_PUBLIC_HTTP_ANTI_ABUSE_ADMIN_* config dev-deploy: - Caddy routes /_gm/* to the gateway - bootstrap admin + stable CSRF key; enable Prometheus /metrics exporters on backend and gateway (forward-compat for a future Prometheus/Grafana stack) Docs: ARCHITECTURE 14.1/16, FUNCTIONAL 10.2.1 (+ru mirror), backend and gateway READMEs, new backend/docs/admin-console.md. Tests: renderer + CSRF unit tests; backend router auth/render/asset/CSRF; gateway classifier, proxy forwarding/Host/401/405/413/429/502.
50 lines
1.7 KiB
Go
50 lines
1.7 KiB
Go
package restapi
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
// NewBackendConsoleProxy builds the reverse proxy that forwards operator
|
|
// console traffic (`/_gm` and `/_gm/*`) to the backend at backendBaseURL.
|
|
//
|
|
// The proxy is intentionally thin: it preserves the inbound request path and
|
|
// the inbound Host header — the latter so the backend's same-origin CSRF check
|
|
// observes the public host rather than the internal upstream — and relays the
|
|
// backend response unchanged, including its 401 Basic Auth challenge. It
|
|
// answers 502 when the backend is unreachable. Authentication, rendering, and
|
|
// every state change live in the backend; the gateway contributes only the
|
|
// public anti-abuse layer that runs ahead of this handler.
|
|
func NewBackendConsoleProxy(backendBaseURL string, logger *zap.Logger) (http.Handler, error) {
|
|
target, err := url.Parse(backendBaseURL)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("parse backend base URL %q: %w", backendBaseURL, err)
|
|
}
|
|
if target.Scheme == "" || target.Host == "" {
|
|
return nil, fmt.Errorf("backend base URL %q must be absolute", backendBaseURL)
|
|
}
|
|
|
|
if logger == nil {
|
|
logger = zap.NewNop()
|
|
}
|
|
logger = logger.Named("admin_console_proxy")
|
|
|
|
return &httputil.ReverseProxy{
|
|
Rewrite: func(pr *httputil.ProxyRequest) {
|
|
pr.SetURL(target)
|
|
// SetURL clears Out.Host so the target host is used; restore the
|
|
// inbound Host so the backend sees the public origin.
|
|
pr.Out.Host = pr.In.Host
|
|
},
|
|
ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
|
|
logger.Warn("admin console upstream error",
|
|
zap.String("path", r.URL.Path), zap.Error(err))
|
|
w.WriteHeader(http.StatusBadGateway)
|
|
},
|
|
}, nil
|
|
}
|