Add L7 policies for user-agent blocking and required headers
Per-route HTTP-level blocking policies for L7 routes. Two rule types: block_user_agent (substring match against User-Agent, returns 403) and require_header (named header must be present, returns 403). Config: L7Policy struct with type/value fields, added as L7Policies slice on Route. Validated in config (type enum, non-empty value, warning if set on L4 routes). DB: Migration 4 creates l7_policies table with route_id FK (cascade delete), type CHECK constraint, UNIQUE(route_id, type, value). New l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy, GetRouteID. Seed updated to persist policies from config. L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates rules in order, returns 403 on first match, no-op if empty. Composed into the handler chain between context injection and reverse proxy. Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy mutation methods on ListenerState. handleL7 threads policies into l7.RouteConfig. Startup loads policies per L7 route from DB. Proto: L7Policy message, repeated l7_policies on Route. Three new RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the write-through pattern. Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy methods. CLI: mcproxyctl policies list/add/remove subcommands. Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match, header present/absent, multiple rules). 4 DB tests (CRUD, cascade, duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation). 2 end-to-end L7 tests (UA block, required header with allow/deny). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -19,6 +19,12 @@ import (
|
||||
"git.wntrmute.dev/kyle/mc-proxy/internal/sni"
|
||||
)
|
||||
|
||||
// L7PolicyRule is an L7 blocking policy attached to a route.
|
||||
type L7PolicyRule struct {
|
||||
Type string // "block_user_agent" or "require_header"
|
||||
Value string
|
||||
}
|
||||
|
||||
// RouteInfo holds the full configuration for a single route.
|
||||
type RouteInfo struct {
|
||||
Backend string
|
||||
@@ -27,6 +33,7 @@ type RouteInfo struct {
|
||||
TLSKey string
|
||||
BackendTLS bool
|
||||
SendProxyProtocol bool
|
||||
L7Policies []L7PolicyRule
|
||||
}
|
||||
|
||||
// ListenerState holds the mutable state for a single proxy listener.
|
||||
@@ -91,6 +98,40 @@ func (ls *ListenerState) RemoveRoute(hostname string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// AddL7Policy appends an L7 policy to a route's policy list.
|
||||
func (ls *ListenerState) AddL7Policy(hostname string, policy L7PolicyRule) {
|
||||
key := strings.ToLower(hostname)
|
||||
|
||||
ls.mu.Lock()
|
||||
defer ls.mu.Unlock()
|
||||
|
||||
if route, ok := ls.routes[key]; ok {
|
||||
route.L7Policies = append(route.L7Policies, policy)
|
||||
ls.routes[key] = route
|
||||
}
|
||||
}
|
||||
|
||||
// RemoveL7Policy removes an L7 policy from a route's policy list.
|
||||
func (ls *ListenerState) RemoveL7Policy(hostname, policyType, policyValue string) {
|
||||
key := strings.ToLower(hostname)
|
||||
|
||||
ls.mu.Lock()
|
||||
defer ls.mu.Unlock()
|
||||
|
||||
route, ok := ls.routes[key]
|
||||
if !ok {
|
||||
return
|
||||
}
|
||||
filtered := route.L7Policies[:0]
|
||||
for _, p := range route.L7Policies {
|
||||
if p.Type != policyType || p.Value != policyValue {
|
||||
filtered = append(filtered, p)
|
||||
}
|
||||
}
|
||||
route.L7Policies = filtered
|
||||
ls.routes[key] = route
|
||||
}
|
||||
|
||||
func (ls *ListenerState) lookupRoute(hostname string) (RouteInfo, bool) {
|
||||
ls.mu.RLock()
|
||||
defer ls.mu.RUnlock()
|
||||
@@ -362,6 +403,11 @@ func (s *Server) handleL4(ctx context.Context, conn net.Conn, addr netip.Addr, c
|
||||
func (s *Server) handleL7(ctx context.Context, conn net.Conn, addr netip.Addr, clientAddrPort netip.AddrPort, hostname string, route RouteInfo, peeked []byte) {
|
||||
s.logger.Debug("L7 proxying", "addr", addr, "hostname", hostname, "backend", route.Backend)
|
||||
|
||||
var policies []l7.PolicyRule
|
||||
for _, p := range route.L7Policies {
|
||||
policies = append(policies, l7.PolicyRule{Type: p.Type, Value: p.Value})
|
||||
}
|
||||
|
||||
rc := l7.RouteConfig{
|
||||
Backend: route.Backend,
|
||||
TLSCert: route.TLSCert,
|
||||
@@ -369,6 +415,7 @@ func (s *Server) handleL7(ctx context.Context, conn net.Conn, addr netip.Addr, c
|
||||
BackendTLS: route.BackendTLS,
|
||||
SendProxyProtocol: route.SendProxyProtocol,
|
||||
ConnectTimeout: s.cfg.Proxy.ConnectTimeout.Duration,
|
||||
Policies: policies,
|
||||
}
|
||||
|
||||
if err := l7.Serve(ctx, conn, peeked, rc, clientAddrPort, s.logger); err != nil {
|
||||
|
||||
Reference in New Issue
Block a user