mc/mc-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
42c7fffc3e255fde7f96659189e115844e743fa5
mc-proxy/PROGRESS.md
Kyle Isom 42c7fffc3e Add L7 policies for user-agent blocking and required headers 
Per-route HTTP-level blocking policies for L7 routes. Two rule types:
block_user_agent (substring match against User-Agent, returns 403)
and require_header (named header must be present, returns 403).

Config: L7Policy struct with type/value fields, added as L7Policies
slice on Route. Validated in config (type enum, non-empty value,
warning if set on L4 routes).

DB: Migration 4 creates l7_policies table with route_id FK (cascade
delete), type CHECK constraint, UNIQUE(route_id, type, value). New
l7policies.go with ListL7Policies, CreateL7Policy, DeleteL7Policy,
GetRouteID. Seed updated to persist policies from config.

L7 middleware: PolicyMiddleware in internal/l7/policy.go evaluates
rules in order, returns 403 on first match, no-op if empty. Composed
into the handler chain between context injection and reverse proxy.

Server: L7PolicyRule type on RouteInfo with AddL7Policy/RemoveL7Policy
mutation methods on ListenerState. handleL7 threads policies into
l7.RouteConfig. Startup loads policies per L7 route from DB.

Proto: L7Policy message, repeated l7_policies on Route. Three new
RPCs: ListL7Policies, AddL7Policy, RemoveL7Policy. All follow the
write-through pattern.

Client: L7Policy type, ListL7Policies/AddL7Policy/RemoveL7Policy
methods. CLI: mcproxyctl policies list/add/remove subcommands.

Tests: 6 PolicyMiddleware unit tests (no policies, UA match/no-match,
header present/absent, multiple rules). 4 DB tests (CRUD, cascade,
duplicate, GetRouteID). 3 gRPC tests (add+list, remove, validation).
2 end-to-end L7 tests (UA block, required header with allow/deny).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:11:05 -07:00

91 lines
4.1 KiB
Markdown
Raw Blame History

# PROGRESS.md
Tracks implementation status against PROJECT_PLAN.md. Updated as work
proceeds. Each item is marked:
- `[ ]` not started
- `[~]` in progress
- `[x]` complete
- `[—]` skipped (with reason)
---
## Phase 1: Database & Config Foundation
- [x] 1.1 Config struct updates (`Listener.ProxyProtocol`, `Route.Mode/TLSCert/TLSKey/BackendTLS/SendProxyProtocol`)
- [x] 1.2 Config validation updates (L7 requires cert/key, mode enum, cert/key pair loading)
- [x] 1.3 Database migration v2 (new columns on `listeners` and `routes`)
- [x] 1.4 DB struct and CRUD updates (new fields in `Listener`, `Route`, all queries)
- [x] 1.5 Server data loading (`RouteInfo` struct replaces bare backend string in route lookup)
- [x] 1.6 Tests (config, DB migration, CRUD, server unchanged)
## Phase 2: PROXY Protocol
- [x] 2.1 `internal/proxyproto/` package (v1/v2 parser, v2 writer)
- [x] 2.2 Server integration — receive (parse PROXY header before firewall on enabled listeners)
- [x] 2.3 Server integration — send on L4 (write PROXY v2 header before ClientHello on enabled routes)
- [x] 2.4 Tests (receive, send, firewall uses real IP, malformed header rejection)
## Phase 3: L7 Proxying
- [x] 3.1 `internal/l7/` package (`PrefixConn`, HTTP/2 reverse proxy with h2c, `Serve` entry point)
- [x] 3.2 Server integration (dispatch to L4 or L7 based on `route.Mode` in `handleConn`)
- [x] 3.3 PROXY protocol sending in L7 path
- [x] 3.4 Tests (TLS termination, h2c backend, re-encrypt, mixed L4/L7 listener, gRPC through L7)
## Phase 4: gRPC API & CLI Updates
- [x] 4.1 Proto updates (new fields on `Route`, `AddRouteRequest`, `ListenerStatus`)
- [x] 4.2 gRPC server updates (accept/validate/persist new route fields)
- [x] 4.3 Client package updates (new fields on `Route`, `ListenerStatus`)
- [x] 4.4 mcproxyctl updates (flags for `routes add`, display in `routes list`)
- [x] 4.5 Tests (gRPC round-trip with new fields, backward compatibility)
## Phase 5: Integration & Polish
- [x] 5.1 Dev config update (`srv/mc-proxy.toml` with L7 route example)
- [x] 5.2 Multi-hop integration test (edge→origin via PROXY protocol)
- [x] 5.3 gRPC-through-L7 validation (trailer propagation, large responses)
- [x] 5.4 Web UI through L7 validation (HTTP/1.1 fallback, HTTP/2)
- [x] 5.5 Documentation (verified ARCHITECTURE.md, CLAUDE.md, Makefile)
## Phase 6: Per-Listener Connection Limits
- [x] 6.1 Config: `MaxConnections` on Listener, validation
- [x] 6.2 DB: migration 3, CRUD updates, `UpdateListenerMaxConns`
- [x] 6.3 Server: limit enforcement in `serve()`, `SetMaxConnections` method
- [x] 6.4 Proto/gRPC: `SetListenerMaxConnections` RPC, `max_connections` in status
- [x] 6.5 Client: `SetListenerMaxConnections` method, `MaxConnections` in status
- [x] 6.6 Tests: DB CRUD, server limit enforcement, gRPC round-trip
## Phase 7: L7 Policies
- [x] 7.1 Config: `L7Policy` struct, `L7Policies` on Route, validation
- [x] 7.2 DB: migration 4, `l7_policies` table, CRUD in `l7policies.go`
- [x] 7.3 L7 middleware: `PolicyMiddleware` in `internal/l7/policy.go`
- [x] 7.4 Server/L7 integration: thread policies from RouteInfo to RouteConfig
- [x] 7.5 Proto/gRPC: `L7Policy` message, policy management RPCs
- [x] 7.6 Client/CLI: policy methods, `mcproxyctl policies` subcommand
- [x] 7.7 Startup: load L7 policies per route in `loadListenersFromDB`
- [x] 7.8 Tests: middleware unit, DB CRUD + cascade, gRPC round-trip, e2e
## Phase 8: Prometheus Metrics
- [ ] 8.1 Dependency: add `prometheus/client_golang`
- [ ] 8.2 Config: `Metrics` section (`addr`, `path`)
- [ ] 8.3 Package: `internal/metrics/` definitions and HTTP server
- [ ] 8.4 Instrumentation: connections, firewall, dial latency, bytes, HTTP status, policy blocks
- [ ] 8.5 Firewall: `BlockedWithReason()` method
- [ ] 8.6 L7: status recording on ResponseWriter
- [ ] 8.7 Startup: conditionally start metrics server
- [ ] 8.8 Tests: metric sanity, server endpoint, `BlockedWithReason`
---
## Current State
Phases 1-6 complete. Per-listener connection limits are implemented and
tested. L7 policies and Prometheus metrics are next.
`go vet` and `go test` pass across all 13 packages.
Reference in New Issue View Git Blame Copy Permalink