Unverified Commit 11d94d72 authored by Rohith Jayawardene, committed by GitHub

Readme (#323)

- updating the readme and adding a recommendation to default-denials
parent 35e834a0
...@@ -139,6 +139,7 @@ spelling: ...@@ -139,6 +139,7 @@ spelling:
go get -u github.com/client9/misspell/cmd/misspell; \ go get -u github.com/client9/misspell/cmd/misspell; \
fi fi
@misspell -error *.go @misspell -error *.go
@misspell -error *.md
test: test:
@echo "--> Running the tests" @echo "--> Running the tests"
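Review bot: the new `@misspell -error *.md` line only checks markdown files in the repository root, so a `.md` file under any subdirectory (docs, examples) is never spell-checked; consider `find . -name '*.md' -not -path './vendor/*' | xargs misspell -error`, or list the directories explicitly, so the target covers the whole tree. The install step above it still uses `go get -u github.com/client9/misspell/cmd/misspell`, which fetches whatever is at the tip of that repository, so the outcome of `-error` can change between CI runs without any change to this repo; pinning a release would make the check reproducible.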
...@@ -34,7 +34,7 @@ USAGE: ...@@ -34,7 +34,7 @@ USAGE:
keycloak-proxy [options] keycloak-proxy [options]
VERSION: VERSION:
v2.1.1 (git+sha: e92c9b2-dirty, built: 12-02-2018) v2.1.1 (git+sha: 35e834a, built: 02-03-2018)
AUTHOR: AUTHOR:
Rohith <gambol99@gmail.com> Rohith <gambol99@gmail.com>
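Review bot: the VERSION line in the pasted usage text now records a specific build (`v2.1.1 (git+sha: 35e834a, built: 02-03-2018)`) that goes stale on the next commit and will keep producing one-line README churn like this hunk; a placeholder such as `vX.Y.Z (git+sha: ..., built: ...)` would avoid that. The build date is also written as `02-03-2018`, where the previous value was `12-02-2018`, so a reader cannot tell whether it is day-month or month-day; an ISO date (`2018-03-02`) in the build script would remove the ambiguity.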
...@@ -53,11 +53,13 @@ GLOBAL OPTIONS: ...@@ -53,11 +53,13 @@ GLOBAL OPTIONS:
--revocation-url value url for the revocation endpoint to revoke refresh token [$PROXY_REVOCATION_URL] --revocation-url value url for the revocation endpoint to revoke refresh token [$PROXY_REVOCATION_URL]
--skip-openid-provider-tls-verify skip the verification of any TLS communication with the openid provider (default: false) --skip-openid-provider-tls-verify skip the verification of any TLS communication with the openid provider (default: false)
--openid-provider-proxy value proxy for communication with the openid provider --openid-provider-proxy value proxy for communication with the openid provider
--openid-provider-timeout value timeout for openid configuration on .well-known/openid-configuration (default: 30s)
--scopes value list of scopes requested when authenticating the user --scopes value list of scopes requested when authenticating the user
--upstream-url value url for the upstream endpoint you wish to proxy [$PROXY_UPSTREAM_URL] --upstream-url value url for the upstream endpoint you wish to proxy [$PROXY_UPSTREAM_URL]
--upstream-ca value the path to a file container a CA certificate to validate the upstream tls endpoint --upstream-ca value the path to a file container a CA certificate to validate the upstream tls endpoint
--resources value list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2' --resources value list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'
--headers value custom headers to the upstream request, key=value --headers value custom headers to the upstream request, key=value
--enable-default-deny enables a default denial on all requests, you have to explicitly say what is permitted (recommended) (default: false)
--enable-encrypted-token enable encryption for the access tokens (default: false) --enable-encrypted-token enable encryption for the access tokens (default: false)
--enable-logging enable http logging of the requests (default: false) --enable-logging enable http logging of the requests (default: false)
--enable-json-logging switch on json logging rather than text (default: false) --enable-json-logging switch on json logging rather than text (default: false)
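Review bot: `--enable-default-deny` is labelled `(recommended)` in its help text while its default stays `false`, so anyone who runs with defaults gets the non-recommended proxy-everything behaviour; either flip the default (with a release note, since that breaks existing deployments that rely on unlisted paths being forwarded) or have the help text say what an unlisted path receives under default deny (a 401, or a redirect to login when `--no-redirects` is off) so the reader can judge the setting. The new `--openid-provider-timeout` entry should state whether the 30s applies only to the startup fetch of `.well-known/openid-configuration` or to every call to the provider, since a hang at startup and a hang per token refresh are different operational problems. Nit in the unchanged context: `a file container a CA certificate` should read `containing`.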
...@@ -102,7 +104,7 @@ GLOBAL OPTIONS: ...@@ -102,7 +104,7 @@ GLOBAL OPTIONS:
--encryption-key value encryption key used to encryption the session state [$PROXY_ENCRYPTION_KEY] --encryption-key value encryption key used to encryption the session state [$PROXY_ENCRYPTION_KEY]
--no-redirects do not have back redirects when no authentication is present, 401 them (default: false) --no-redirects do not have back redirects when no authentication is present, 401 them (default: false)
--skip-token-verification TESTING ONLY; bypass token verification, only expiration and roles enforced (default: false) --skip-token-verification TESTING ONLY; bypass token verification, only expiration and roles enforced (default: false)
--upstream-keepalives enables or disables the keepalive connections for upstream endpoint (default: false) --upstream-keepalives enables or disables the keepalive connections for upstream endpoint (default: true)
--upstream-timeout value maximum amount of time a dial will wait for a connect to complete (default: 10s) --upstream-timeout value maximum amount of time a dial will wait for a connect to complete (default: 10s)
--upstream-keepalive-timeout value specifies the keep-alive period for an active network connection (default: 10s) --upstream-keepalive-timeout value specifies the keep-alive period for an active network connection (default: 10s)
--upstream-tls-handshake-timeout value the timeout placed on the tls handshake for upstream (default: 10s) --upstream-tls-handshake-timeout value the timeout placed on the tls handshake for upstream (default: 10s)
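Review bot: the documented default for `--upstream-keepalives` flips from `false` to `true` in a commit whose message describes only README edits. Since the VERSION line above shows the usage text was regenerated from build `35e834a` (the parent commit), this reads as the README catching up with an earlier code change rather than a new one, but please confirm the value against the flag definition and say so in the commit message or changelog: operators copy defaults from this table, and until now it told them keepalives were off. Nit in the unchanged context: `encryption key used to encryption the session state` should read `used to encrypt`.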
...@@ -231,10 +233,16 @@ bin/keycloak-proxy \ ...@@ -231,10 +233,16 @@ bin/keycloak-proxy \
--enable-refresh-tokens=true \ --enable-refresh-tokens=true \
--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \ --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \
--upstream-url=http://127.0.0.1:80 \ --upstream-url=http://127.0.0.1:80 \
--resources="uri=/admin*|methods=GET|roles=test1,test2" \ --enable-default-deny=true \
--resources="uri=/backend*|roles=test1" --resources="uri=/admin*|roles=test1,test2" \
--resources="uri=/backend*|roles=test1" \
--resources="uri=/css/*|white-listed=true" \
--resources="uri=/img/*|white-listed=true" \
--resources="uri=/public/*|white-listed=true"
``` ```
The **recommended** deployment to use a default denial to all requests via `--enable-default-deny=true` or `--resources="uri=/*"` and to then explicityly allow you throw bypassed.
#### **HTTP Routing** #### **HTTP Routing**
By default all requests will be proxyed on to the upstream, if you wish to ensure all requests are authentication you can use By default all requests will be proxyed on to the upstream, if you wish to ensure all requests are authentication you can use
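Review bot: the added recommendation sentence does not parse (`and to then explicityly allow you throw bypassed`), and it is the one sentence this commit exists to add; suggest: `The **recommended** deployment is to deny all requests by default via --enable-default-deny=true (or a catch-all --resources="uri=/*") and then explicitly list the resources you want white-listed.` Two further points in the example: the `/admin*` resource lost its `methods=GET` qualifier, so the example now requires `test1`/`test2` for every method on `/admin*` instead of only GET, which is a meaningful change that the commit message does not mention and should either be called out or reverted; and with default deny switched on, the prose should state what happens to a path that matches none of the listed resources, so the reader can see the difference between a `white-listed=true` resource, a role-protected one, and an unlisted one.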