Support {s3,web}.root_domains for the Caddy on-demand TLS endpoint (<admin>/check?domain=xx) #610
5 changed files with 156 additions and 35 deletions
|
@ -428,3 +428,6 @@ https:// {
|
||||||
reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
|
reverse_proxy localhost:3902 192.168.1.2:3902 example.tld:3902
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
More information on how this endpoint is implemented in Garage is available
|
||||||
|
in the [Admin API Reference](@/documentation/reference-manual/admin-api.md) page.
|
||||||
|
|
|
@ -39,11 +39,95 @@ Authorization: Bearer <token>
|
||||||
|
|
||||||
## Administration API endpoints
|
## Administration API endpoints
|
||||||
|
|
||||||
### Metrics-related endpoints
|
### Metrics `GET /metrics`
|
||||||
|
|
||||||
#### Metrics `GET /metrics`
|
|
||||||
|
|
||||||
Returns internal Garage metrics in Prometheus format.
|
Returns internal Garage metrics in Prometheus format.
|
||||||
|
The metrics are directly documented when returned by the API.
|
||||||
|
|
||||||
|
**Example:**
|
||||||
|
|
||||||
|
```
|
||||||
|
$ curl -i http://localhost:3903/metrics
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
content-type: text/plain; version=0.0.4
|
||||||
|
content-length: 12145
|
||||||
|
date: Tue, 08 Aug 2023 07:25:05 GMT
|
||||||
|
|
||||||
|
# HELP api_admin_error_counter Number of API calls to the various Admin API endpoints that resulted in errors
|
||||||
|
# TYPE api_admin_error_counter counter
|
||||||
|
api_admin_error_counter{api_endpoint="CheckWebsiteEnabled",status_code="400"} 1
|
||||||
|
api_admin_error_counter{api_endpoint="CheckWebsiteEnabled",status_code="404"} 3
|
||||||
|
# HELP api_admin_request_counter Number of API calls to the various Admin API endpoints
|
||||||
|
# TYPE api_admin_request_counter counter
|
||||||
|
api_admin_request_counter{api_endpoint="CheckWebsiteEnabled"} 7
|
||||||
|
api_admin_request_counter{api_endpoint="Health"} 3
|
||||||
|
# HELP api_admin_request_duration Duration of API calls to the various Admin API endpoints
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
### Health `GET /health`
|
||||||
|
|
||||||
|
Returns `200 OK` if enough nodes are up to have a quorum (ie. serve requests),
|
||||||
|
otherwise returns `503 Service Unavailable`.
|
||||||
|
|
||||||
|
**Example:**
|
||||||
|
|
||||||
|
```
|
||||||
|
$ curl -i http://localhost:3903/health
|
||||||
|
HTTP/1.1 200 OK
|
||||||
|
content-type: text/plain
|
||||||
|
content-length: 102
|
||||||
|
date: Tue, 08 Aug 2023 07:22:38 GMT
|
||||||
|
|
||||||
|
Garage is fully operational
|
||||||
|
Consult the full health check API endpoint at /v0/health for more details
|
||||||
|
```
|
||||||
|
|
||||||
|
### On-demand TLS `GET /check`
|
||||||
|
|
||||||
|
To prevent abuses for on-demand TLS, Caddy developpers have specified an endpoint that can be queried by the reverse proxy
|
||||||
|
to know if a given domain is allowed to get a certificate. Garage implements this endpoints to tell if a given domain is handled by Garage or is garbage.
|
||||||
|
|
||||||
|
Garage responds with the following logic:
|
||||||
|
- If the domain matches the pattern `<bucket-name>.<s3_api.root_domain>`, returns 200 OK
|
||||||
|
- If the domain matches the pattern `<bucket-name>.<s3_web.root_domain>` and website is configured for `<bucket>`, returns 200 OK
|
||||||
|
- If the domain matches the pattern `<bucket-name>` and website is configured for `<bucket>`, returns 200 OK
|
||||||
|
- Otherwise, returns 404 Not Found, 400 Bad Request or 5xx requests.
|
||||||
|
|
||||||
|
*Note 1: because in the path-style URL mode, there is only one domain that is not known by Garage, hence it is not supported by this API endpoint.
|
||||||
|
You must manually declare the domain in your reverse-proxy. Idem for K2V.*
|
||||||
|
|||||||
|
|
||||||
|
*Note 2: buckets in a user's namespace are not supported yet by this endpoint. This is a limitation of this endpoint currently.*
|
||||||
|
|
||||||
|
**Example:** Suppose a Garage instance configured with `s3_api.root_domain = .s3.garage.localhost` and `s3_web.root_domain = .web.garage.localhost`.
|
||||||
|
|
||||||
|
With a private `media` bucket (name in the global namespace, website is disabled), the endpoint will feature the following behavior:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=media.s3.garage.localhost
|
||||||
|
200
|
||||||
|
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=media
|
||||||
|
400
|
||||||
|
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=media.web.garage.localhost
|
||||||
|
400
|
||||||
|
```
|
||||||
|
|
||||||
|
With a public `example.com` bucket (name in the global namespace, website is activated), the endpoint will feature the following behavior:
|
||||||
|
|
||||||
|
```
|
||||||
|
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=example.com.s3.garage.localhost
|
||||||
|
200
|
||||||
|
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=example.com
|
||||||
|
200
|
||||||
|
$ curl -so /dev/null -w "%{http_code}" http://localhost:3903/check?domain=example.com.web.garage.localhost
|
||||||
|
200
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
**References:**
|
||||||
|
- [Using On-Demand TLS](https://caddyserver.com/docs/automatic-https#using-on-demand-tls)
|
||||||
|
- [Add option for a backend check to approve use of on-demand TLS](https://github.com/caddyserver/caddy/pull/1939)
|
||||||
|
- [Serving tens of thousands of domains over HTTPS with Caddy](https://caddy.community/t/serving-tens-of-thousands-of-domains-over-https-with-caddy/11179)
|
||||||
|
|
||||||
### Cluster operations
|
### Cluster operations
|
||||||
|
|
||||||
|
|
|
@ -26,6 +26,7 @@ use crate::admin::cluster::*;
|
||||||
use crate::admin::error::*;
|
use crate::admin::error::*;
|
||||||
use crate::admin::key::*;
|
use crate::admin::key::*;
|
||||||
use crate::admin::router::{Authorization, Endpoint};
|
use crate::admin::router::{Authorization, Endpoint};
|
||||||
|
use crate::helpers::host_to_bucket;
|
||||||
|
|
||||||
pub struct AdminApiServer {
|
pub struct AdminApiServer {
|
||||||
garage: Arc<Garage>,
|
garage: Arc<Garage>,
|
||||||
|
@ -78,10 +79,7 @@ impl AdminApiServer {
|
||||||
.body(Body::empty())?)
|
.body(Body::empty())?)
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn handle_check_website_enabled(
|
async fn handle_check_domain(&self, req: Request<Body>) -> Result<Response<Body>, Error> {
|
||||||
&self,
|
|
||||||
req: Request<Body>,
|
|
||||||
) -> Result<Response<Body>, Error> {
|
|
||||||
let query_params: HashMap<String, String> = req
|
let query_params: HashMap<String, String> = req
|
||||||
.uri()
|
.uri()
|
||||||
.query()
|
.query()
|
||||||
|
@ -102,12 +100,43 @@ impl AdminApiServer {
|
||||||
.get("domain")
|
.get("domain")
|
||||||
.ok_or_internal_error("Could not parse domain query string")?;
|
.ok_or_internal_error("Could not parse domain query string")?;
|
||||||
|
|
||||||
|
// Resolve bucket from domain name, inferring if the website must be activated for the
|
||||||
|
// domain to be valid.
|
||||||
|
let (bucket_name, must_check_website) = if let Some(bname) = self
|
||||||
|
.garage
|
||||||
|
.config
|
||||||
|
.s3_api
|
||||||
|
.root_domain
|
||||||
|
.as_ref()
|
||||||
|
.and_then(|rd| host_to_bucket(domain, rd))
|
||||||
|
{
|
||||||
|
(bname.to_string(), false)
|
||||||
|
} else if let Some(bname) = self
|
||||||
|
.garage
|
||||||
|
.config
|
||||||
|
.s3_web
|
||||||
|
.as_ref()
|
||||||
|
.and_then(|sw| host_to_bucket(domain, sw.root_domain.as_str()))
|
||||||
|
{
|
||||||
|
(bname.to_string(), true)
|
||||||
|
} else {
|
||||||
|
(domain.to_string(), true)
|
||||||
|
};
|
||||||
|
|
||||||
let bucket_id = self
|
let bucket_id = self
|
||||||
.garage
|
.garage
|
||||||
.bucket_helper()
|
.bucket_helper()
|
||||||
.resolve_global_bucket_name(domain)
|
.resolve_global_bucket_name(&bucket_name)
|
||||||
.await?
|
.await?
|
||||||
.ok_or(HelperError::NoSuchBucket(domain.to_string()))?;
|
.ok_or(HelperError::NoSuchBucket(bucket_name.to_string()))?;
|
||||||
|
|
||||||
|
if !must_check_website {
|
||||||
|
return Ok(Response::builder()
|
||||||
|
.status(StatusCode::OK)
|
||||||
|
.body(Body::from(format!(
|
||||||
|
"Domain '{domain}' is managed by Garage"
|
||||||
|
)))?);
|
||||||
|
}
|
||||||
|
|
||||||
let bucket = self
|
let bucket = self
|
||||||
.garage
|
.garage
|
||||||
|
@ -123,11 +152,11 @@ impl AdminApiServer {
|
||||||
Ok(Response::builder()
|
Ok(Response::builder()
|
||||||
.status(StatusCode::OK)
|
.status(StatusCode::OK)
|
||||||
.body(Body::from(format!(
|
.body(Body::from(format!(
|
||||||
"Bucket '{domain}' is authorized for website hosting"
|
"Domain '{domain}' is managed by Garage"
|
||||||
)))?)
|
)))?)
|
||||||
}
|
}
|
||||||
None => Err(Error::bad_request(format!(
|
None => Err(Error::bad_request(format!(
|
||||||
"Bucket '{domain}' is not authorized for website hosting"
|
"Domain '{domain}' is not managed by Garage"
|
||||||
))),
|
))),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -229,7 +258,7 @@ impl ApiHandler for AdminApiServer {
|
||||||
|
|
||||||
match endpoint {
|
match endpoint {
|
||||||
Endpoint::Options => self.handle_options(&req),
|
Endpoint::Options => self.handle_options(&req),
|
||||||
Endpoint::CheckWebsiteEnabled => self.handle_check_website_enabled(req).await,
|
Endpoint::CheckDomain => self.handle_check_domain(req).await,
|
||||||
Endpoint::Health => self.handle_health(),
|
Endpoint::Health => self.handle_health(),
|
||||||
Endpoint::Metrics => self.handle_metrics(),
|
Endpoint::Metrics => self.handle_metrics(),
|
||||||
Endpoint::GetClusterStatus => handle_get_cluster_status(&self.garage).await,
|
Endpoint::GetClusterStatus => handle_get_cluster_status(&self.garage).await,
|
||||||
|
|
|
@ -17,7 +17,7 @@ router_match! {@func
|
||||||
#[derive(Debug, Clone, PartialEq, Eq)]
|
#[derive(Debug, Clone, PartialEq, Eq)]
|
||||||
pub enum Endpoint {
|
pub enum Endpoint {
|
||||||
Options,
|
Options,
|
||||||
CheckWebsiteEnabled,
|
CheckDomain,
|
||||||
Health,
|
Health,
|
||||||
Metrics,
|
Metrics,
|
||||||
GetClusterStatus,
|
GetClusterStatus,
|
||||||
|
@ -92,7 +92,7 @@ impl Endpoint {
|
||||||
|
|
||||||
let res = router_match!(@gen_path_parser (req.method(), path, query) [
|
let res = router_match!(@gen_path_parser (req.method(), path, query) [
|
||||||
OPTIONS _ => Options,
|
OPTIONS _ => Options,
|
||||||
GET "/check" => CheckWebsiteEnabled,
|
GET "/check" => CheckDomain,
|
||||||
GET "/health" => Health,
|
GET "/health" => Health,
|
||||||
GET "/metrics" => Metrics,
|
GET "/metrics" => Metrics,
|
||||||
GET "/v0/status" => GetClusterStatus,
|
GET "/v0/status" => GetClusterStatus,
|
||||||
|
@ -138,7 +138,7 @@ impl Endpoint {
|
||||||
pub fn authorization_type(&self) -> Authorization {
|
pub fn authorization_type(&self) -> Authorization {
|
||||||
match self {
|
match self {
|
||||||
Self::Health => Authorization::None,
|
Self::Health => Authorization::None,
|
||||||
Self::CheckWebsiteEnabled => Authorization::None,
|
Self::CheckDomain => Authorization::None,
|
||||||
Self::Metrics => Authorization::MetricsToken,
|
Self::Metrics => Authorization::MetricsToken,
|
||||||
_ => Authorization::AdminToken,
|
_ => Authorization::AdminToken,
|
||||||
}
|
}
|
||||||
|
|
|
@ -72,7 +72,7 @@ async fn test_website() {
|
||||||
res_body,
|
res_body,
|
||||||
json!({
|
json!({
|
||||||
"code": "InvalidRequest",
|
"code": "InvalidRequest",
|
||||||
"message": "Bad request: Bucket 'my-website' is not authorized for website hosting",
|
"message": "Bad request: Domain 'my-website' is not managed by Garage",
|
||||||
"region": "garage-integ-test",
|
"region": "garage-integ-test",
|
||||||
"path": "/check",
|
"path": "/check",
|
||||||
})
|
})
|
||||||
|
@ -91,13 +91,17 @@ async fn test_website() {
|
||||||
BODY.as_ref()
|
BODY.as_ref()
|
||||||
);
|
);
|
||||||
|
|
||||||
|
for bname in [
|
||||||
|
BCKT_NAME.to_string(),
|
||||||
|
format!("{BCKT_NAME}.web.garage"),
|
||||||
|
format!("{BCKT_NAME}.s3.garage"),
|
||||||
|
] {
|
||||||
let admin_req = || {
|
let admin_req = || {
|
||||||
Request::builder()
|
Request::builder()
|
||||||
.method("GET")
|
.method("GET")
|
||||||
.uri(format!(
|
.uri(format!(
|
||||||
"http://127.0.0.1:{0}/check?domain={1}",
|
"http://127.0.0.1:{0}/check?domain={1}",
|
||||||
ctx.garage.admin_port,
|
ctx.garage.admin_port, bname
|
||||||
BCKT_NAME.to_string()
|
|
||||||
))
|
))
|
||||||
.body(Body::empty())
|
.body(Body::empty())
|
||||||
.unwrap()
|
.unwrap()
|
||||||
|
@ -107,8 +111,9 @@ async fn test_website() {
|
||||||
assert_eq!(admin_resp.status(), StatusCode::OK);
|
assert_eq!(admin_resp.status(), StatusCode::OK);
|
||||||
assert_eq!(
|
assert_eq!(
|
||||||
to_bytes(admin_resp.body_mut()).await.unwrap().as_ref(),
|
to_bytes(admin_resp.body_mut()).await.unwrap().as_ref(),
|
||||||
format!("Bucket '{BCKT_NAME}' is authorized for website hosting").as_bytes()
|
format!("Domain '{bname}' is managed by Garage").as_bytes()
|
||||||
);
|
);
|
||||||
|
}
|
||||||
|
|
||||||
ctx.garage
|
ctx.garage
|
||||||
.command()
|
.command()
|
||||||
|
@ -142,7 +147,7 @@ async fn test_website() {
|
||||||
res_body,
|
res_body,
|
||||||
json!({
|
json!({
|
||||||
"code": "InvalidRequest",
|
"code": "InvalidRequest",
|
||||||
"message": "Bad request: Bucket 'my-website' is not authorized for website hosting",
|
"message": "Bad request: Domain 'my-website' is not managed by Garage",
|
||||||
"region": "garage-integ-test",
|
"region": "garage-integ-test",
|
||||||
"path": "/check",
|
"path": "/check",
|
||||||
})
|
})
|
||||||
|
@ -397,7 +402,7 @@ async fn test_website_s3_api() {
|
||||||
}
|
}
|
||||||
|
|
||||||
#[tokio::test]
|
#[tokio::test]
|
||||||
async fn test_website_check_website_enabled() {
|
async fn test_website_check_domain() {
|
||||||
let ctx = common::context();
|
let ctx = common::context();
|
||||||
|
|
||||||
let client = Client::new();
|
let client = Client::new();
|
||||||
|
|
Loading…
Reference in a new issue
This is not an English word - suggest replacing with "Similarly".