### Start gost proxy Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Execute this command to start the gost proxy with the specified configuration file. ```bash gost -C config.yaml ``` -------------------------------- ### Example JSON with Multi-Value Claims Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md This JSON structure demonstrates a multi-value string claim ('perms') which can be matched against. ```json { "iss": "https://sso.example.com", "sub": "", "perms": ["perm1", "perm2"] } ``` -------------------------------- ### View Gatekeeper Help Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use this command to view all available commands and switches for Gatekeeper. Modify the path to match your installation. ```bash $ bin/gatekeeper help ``` -------------------------------- ### Gatekeeper YAML Configuration Example Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md This snippet shows a comprehensive example of Gatekeeper configuration using YAML. It covers settings for OpenID Connect discovery, TLS certificates, client credentials, listening interfaces, token encryption, PKCE, refresh tokens, resource protection rules (URIs, methods, roles), and upstream proxying. Ensure sensitive values like discovery URLs, client IDs/secrets, and encryption keys are replaced with actual credentials. ```yaml # is the URL for retrieve the OpenID configuration discovery-url: # path to your CA certificate/s in PEM format tls-openid-provider-ca-certificate: /etc/ssl/ca.pem # path to the client private key for IDP tls-openid-provider-client-private-key: /etc/ssl/provider-client-private-key.pem # path to the client certificate for IDP tls-openid-provider-client-certificate: /etc/ssl/provider-client-certificate.pem # Indicates we should deny by default all requests and explicitly specify what is permitted, default true # this is equivalent of --resource=/*|methods enable-default-deny: true # useful when you want to change base url e.g. you want to have http://somedomain/some/oauth/callback etc.. # please be aware that this setting also enforces Access/Refresh token cookies Path to this path, # if desired cookie path can be overriden with --cookie-path option # for multitenant deployments forward-auth should be better option see forward-auth section base-uri: /some # encodes header values according RFC 2047, in MIME B format, IMPORTANT: it only encodes values if they contain non-ASCII chars, otherwise not enable-header-encoding: false # the client id for the 'client' application client-id: # the secret associated to the 'client' application client-secret: # the interface definition you wish the proxy to listen, all interfaces is specified as ':', unix sockets as unix://|/ABS PATH> listen: :3000 # port on which metrics and health endpoints will be available, if not specified it will be on above specified port listen-admin: :4000 # this encrypts access token, set by default to true, you need to setup encryption key enable-encrypted-token: true # enables use of PKCE, enabled by default in gatekeeper, you need to enable it in keycloak for client enable-pkce: true # whether to enable refresh tokens enable-refresh-tokens: true # maximum token size in bytes max-token-size: 2000 # maximum body size in bytes max-body-size: 3000 # you can set up custom templates for forbidden/error/sign-in pages, gatekeeper # also provides these already builtin (but they are not set by default) forbidden-page: templates/forbidden.html.tmpl error-page: templates/error.html.tmpl sign-in-page: sign_in.html.tmpl register-page: register.html.tmpl # the location of server side certificate for gatekeeper tls-cert: # the location of a server side private key for gatekeeper tls-private-key: # TLS options related to admin listener tls-admin-cert: tls-admin-private-key: tls-admin-client-certificate: # the redirection URL, essentially the site URL, note: /oauth/callback is added at the end redirection-url: http://127.0.0.1:3000 # the encryption key used to encode the session state encryption-key: # the upstream endpoint which we should proxy request upstream-url: http://127.0.0.1:80 # Returns HTTP 401 when no authentication is present, used with forward proxies or API protection with client credentials grant. no-redirects: false # additional scopes to add to the default (openid+email+profile) scopes: - vpn-user # a collection of resource i.e. URLs that you wish to protect, this are simple gatekeeper authorization rules, # to get more complex authorization you can look at external authorization section in our documentation resources: - uri: /admin/test # the methods on this URL that should be protected, uri is required when defining resource methods: - GET # a list of roles the user must have in order to access URLs under the above # If all you want is authentication ONLY, simply remove the roles array - the user must be authenticated but # no roles are required roles: - openvpn:vpn-user - openvpn:prod-vpn - test - uri: /admin/* methods: - GET roles: - openvpn:vpn-user - openvpn:commons-prod-vpn ``` -------------------------------- ### Role Matching Configuration Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Example of how to define resource URIs and methods, specifying both realm and client roles for access control. Realm roles are matched directly, while client roles require specifying the client ID. ```yaml resources: - uri: /admin* methods: - GET roles: # this will match realm role from token - examplerealmrole # you can see here, that roles below will match client roles from token # it will look for client1's client role test1 and client2's client role test2 - client1:test1 - client2:test2 ``` -------------------------------- ### Example OPA Policy for Authorization Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md An example OPA policy that allows requests if the request body's 'name' is 'test' and the method is 'POST'. This policy works with the provided Gatekeeper configuration. ```rego package authz default allow := false body := json.unmarshal(input.body) allow { body.name = "test" body.method = "POST" } ``` -------------------------------- ### Allow Query Parameters with Any Value Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Specify query parameters that Gatekeeper should forward to the Identity Provider (IDP). This example allows 'myparam' and 'yourparam' with any value. ```bash --allowed-query-params="myparam" --allowed-query-params="yourparam" ``` ```yaml allowed-query-params: myparam: "" yourparam: "" ``` -------------------------------- ### Build Gatekeeper Docker Image Source: https://github.com/gogatekeeper/gatekeeper/blob/master/README.md Builds a multi-platform Docker image for Gatekeeper. Ensure you have Docker Buildx installed and configured. ```bash docker buildx build --platform linux/amd64,linux/arm64 -t quay.io/gogatekeeper/gatekeeper:4.10.0 . ``` -------------------------------- ### Gatekeeper OPA Configuration Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Example Gatekeeper configuration to enable and set up OPA for external authorization. Includes enabling OPA, default deny, timeout, and the OPA authorization URI. ```yaml enable-opa: true enable-default-deny: true opa-timeout: "60s" opa-authz-uri: "http://127.0.0.1/v1/data/authz/allow" ``` -------------------------------- ### Configure gost proxy for HTTP CONNECT Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md This YAML configuration sets up a gost proxy to forward TCP connections using HTTP CONNECT. Remember to replace the example token with your actual token. ```yaml cat > config.yaml < --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id= --client-secret= --enable-uma=true --enable-uma-method-scope=true --enable-forwarding=true # you can use client credentials grant or direct access grant # see Forward-signing proxy section --forwarding-grant-type=client_credentials --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 ``` -------------------------------- ### Configure OpenID Provider Headers Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Send custom headers to the OpenID provider discovery endpoint, for example, when the endpoint is protected by basic authentication. ```yaml openid-provider-headers: - X-SEND: "MYVALUE" - X-OTHER-SEND: "NEXT VALUE" ``` -------------------------------- ### Gatekeeper Browser Flow with UMA Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configure Gatekeeper for browser-based UMA flows with Keycloak. Ensure Keycloak client has protected resources with UMA enabled. This setup requires `--enable-default-deny=true` and `--enable-uma=true`. ```bash --discovery-url= --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id= --client-secret= --upstream-url= # code flow/browser flow --no-redirects=false # you have to set this or resources=/* to have enable-uma working --enable-default-deny=true # we are enabling UMA --enable-uma=true # we are also enabling using method scope, this is optional, # it will check resource in keycloak not just for accessed URL # but also for method scope e.g. method:GET, it will return # UMA token in cookie only for that URL+method scope, # if you don't turn it on it will check just for URL # and will return UMA token in cookie # with all scopes --enable-uma-method-scope=true # UMA token is stored in cookie, you can setup custom name # by default cookie name is uma_token --cookie-uma-name= --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 ``` -------------------------------- ### Gatekeeper Configuration for Client Credentials Grant Type Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Example YAML configuration for deploying Gatekeeper as a forward-signing proxy using the client credentials grant type. This is an alternative to the password grant type for service-to-service authentication. ```yaml - name: gatekeeper image: quay.io/gogatekeeper/gatekeeper:4.10.0 args: - --enable-forwarding=true - --forwarding-domains=projecta.svc.cluster.local - --forwarding-domains=projectb.svc.cluster.local - --client-id=xxxxxx - --client-secret=xxxx - --discovery-url=http://keycloak:8080/realms/master - --tls-forwarding-ca-certificate=/etc/secrets/ca.pem - --tls-forwarding-ca-private-key=/etc/secrets/ca-key.pem - --forwarding-grant-type=client_credentials # Note: if you don't specify any forwarding domains, all domains will be signed; Also the code checks is the # domain 'contains' the value (it's not a regex) so if you wanted to sign all requests to svc.cluster.local, just use # svc.cluster.local volumeMounts: - name: keycloak-socket mountPoint: /var/run/keycloak - name: projecta image: some_images ``` -------------------------------- ### Add OpenID Provider Headers via Command Line Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Specify headers to be sent to the OpenID provider discovery endpoint using command-line arguments. ```bash --openid-provider-headers="myheader1=value1" \ --openid-provider-headers="myheader2=value2" ``` -------------------------------- ### Configure Let's Encrypt Support Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Set up Gatekeeper for Let's Encrypt integration. Listening on port 443 is mandatory for this configuration. ```yaml listen: 0.0.0.0:443 enable-https-redirection: true enable-security-filter: true use-letsencrypt: true letsencrypt-cache-dir: ./cache/ redirection-url: https://domain.tld:443/ hostnames: - domain.tld ``` -------------------------------- ### Connect with psql client Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use this command to connect to the proxied service using the psql client. Ensure the host and port match your gost proxy configuration. ```bash psql -U postgres -h localhost -p 8000 ``` -------------------------------- ### Configure White-listed URLs via Command Line Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configure resource white-listing and access control directly from the command line using the --resources flag. Supports various formats for URIs, methods, and roles. ```bash --resources "uri=/some_white_listed_url|white-listed=true" --resources "uri=/*" # requires authentication on the rest --resources "uri=/admin*|roles=admin,superuser|methods=POST,DELETE" ``` -------------------------------- ### Import GPG Public Key Source: https://github.com/gogatekeeper/gatekeeper/blob/master/README.md Imports the GPG public key from a file. Ensure the key is correctly formatted. ```bash cat /tmp/gpg | gpg --import ``` -------------------------------- ### Configure gogatekeeper for TCP Proxy Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use these flags to enable HTTP CONNECT for TCP proxying. Ensure custom HTTP methods are allowed and authorization is enabled. ```bash "--discovery-url=http://127.0.0.1:8081/realms/test/.well-known/openid-configuration", "--client-id=test-client", "--client-secret=6447d0c0-d510-42a7-b654-6e3a16b2d7e2", "--upstream-url=http://127.0.0.1:5432", "--listen=0.0.0.0:5000", "--no-redirects=true", "--enable-authorization-header=true", "--custom-http-methods=CONNECT", "--enable-default-deny=true", "--enable-logging=true", "--enable-compression=true", "--enable-json-logging=true", "--verbose=true", "--skip-token-verification=false", "--upstream-keepalive-timeout=30s", "--scopes=openid", "--skip-access-token-clientid-check=true" ``` -------------------------------- ### Generate String to Sign for HMAC Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md This Go code snippet demonstrates how to construct the string that needs to be signed for HMAC verification. It includes method, URL path and query, authorization header, host, and a SHA256 hash of the request body. ```go stringToSign := fmt.Sprintf( "%s\n%s%s\n%s;%s;%s", req.Method, req.URL.Path, req.URL.RawQuery, req.Header.Get(constant.AuthorizationHeader), req.Host, sha256.Sum256(body), ) ``` -------------------------------- ### Enable HTTPS Redirection Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configure the proxy to listen on HTTP and enable HTTPS redirection. The `--enable-security-filter` option is required for this functionality. ```bash --listen-http=127.0.0.1:80 --enable-security-filter=true # is required for the https redirect --enable-https-redirection ``` -------------------------------- ### Run Gatekeeper Docker Container Source: https://github.com/gogatekeeper/gatekeeper/blob/master/README.md Runs an existing Gatekeeper Docker image with specified network and discovery configurations. Replace placeholders like and with your actual values. ```bash docker run -it --rm quay.io/gogatekeeper/gatekeeper:4.10.0 \ --listen 127.0.0.1:8080 \ --upstream-url http://127.0.0.1:80 \ --discovery-url https://keycloak.example.com/realms/ \ --client-id ``` -------------------------------- ### Configure Claim Matching via CLI Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use these command-line arguments to specify claim matching rules. Each match is defined with the claim name and its regex pattern. ```bash --match-claims=auth=openvpn --match-claims=iss=http://keycloak.example.com/realms/commons ``` -------------------------------- ### Allow Query Parameters with Specific Values Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configure specific query parameters and their exact values to be forwarded to the IDP. This ensures only intended parameters with correct values are passed. ```bash --allowed-query-params="myparam=myvalue" --allowed-query-params="yourparam=yourvalue" ``` ```yaml allowed-query-params: myparam: "myvalue" yourparam: "yourvalue" ``` -------------------------------- ### Configure White-listed URLs in YAML Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Define resources to be white-listed or protected with specific roles and methods using YAML configuration. Use 'white-listed: true' for exceptions. ```yaml resources: - uri: /some_white_listed_url white-listed: true - uri: /* methods: - GET roles: - : - : ``` -------------------------------- ### Display GPG Public Key Information Source: https://github.com/gogatekeeper/gatekeeper/blob/master/README.md Displays information about an imported GPG public key, including its fingerprint. Use this to confirm the correct key has been imported. ```bash cat /tmp/gpg|gpg --import-options show-only --import ``` -------------------------------- ### Configure cfssl Signing Profiles Source: https://github.com/gogatekeeper/gatekeeper/blob/master/tests/README.md Define default and custom signing profiles for certificate generation. This includes setting expiry times and specifying usages like 'server auth' and 'client auth'. ```bash cat << EOF > /tmp/config.json { "signing": { "default": { "expiry": "87600h" }, "profiles": { "server": { "usages": ["signing", "key encipherment", "digital signature", "server auth", "client auth"], "expiry": "87600h" }, "client": { "usages": ["signing", "digital signature", "client auth"], "expiry": "87600h" } } } } EOF ``` -------------------------------- ### Enable Anonymous Access to Resources Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use the 'white-listed-anon' option to allow both anonymous and authenticated access to a resource. Authenticated requests will still undergo the full authorization process. ```yaml resources: - uri: /public_or_private_page white-listed-anon: true ``` -------------------------------- ### Configure Gatekeeper with Keycloak (CLI) Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configure Gatekeeper using command-line arguments for Keycloak integration. This method allows for dynamic configuration without modifying YAML files. Note the format for resources and headers. ```bash bin/gatekeeper \ --discovery-url=https://keycloak.example.com/realms/ \ --openid-provider-ca=/etc/ssl/ca.pem \ --client-id= \ --client-secret= \ --listen=127.0.0.1:3000 \ # unix sockets format unix://path --redirection-url=http://127.0.0.1:3000 \ --enable-refresh-tokens=true \ --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \ --upstream-url=http://127.0.0.1:80 \ --enable-default-deny=true \ --resources="uri=/admin*|roles=test1,test2" \ --resources="uri=/backend*|roles=test1" \ --resources="uri=/css/*|white-listed=true" \ --resources="uri=/img/*|white-listed=true" \ --resources="uri=/public/*|white-listed=true" \ --headers="myheader1=value1" \ --headers="myheader2=value2" ``` -------------------------------- ### Configure Claim Matching in YAML Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use this YAML configuration to define claim matching rules for access control. Specify the claim name and the regex pattern it must match. ```yaml match-claims: aud: openvpn iss: https://keycloak.example.com/realms/commons ``` ```yaml match-claims: email: ^.*@example.com$ ``` ```yaml match-claims: perms: perm1 ``` ```yaml match-claims: email: !perm1 ``` -------------------------------- ### Configure Level Of Authentication (LOA) Resources Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configures two URIs with different LOA requirements. The first URI accepts multiple levels, defaulting to 'level1'. The second URI requires 'level2'. ```yaml --resources=uri=/cats|acr=level1,level2 --resources=uri=/pets|acr=level2 ``` -------------------------------- ### Generate CA and Server Certificates with cfssl Source: https://github.com/gogatekeeper/gatekeeper/blob/master/tests/README.md Generate a CA certificate and key, then use them to sign a server certificate. This involves piping output between cfssl and cfssljson for processing. ```bash cfssl genkey -initca /tmp/csr.ca.json | cfssljson -bare ca cfssl gencert -ca ca.pem -ca-key ca-key.pem -config /tmp/config.json -profile server /tmp/csr.json | cfssljson -bare ``` -------------------------------- ### Test Forward Proxy with Curl Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md This command-line snippet shows how to test the Gatekeeper forward proxy by making a request to a service through the proxy. It uses `curl` with specific options for testing over HTTPS. ```bash curl -k --proxy http://127.0.0.1:3000 https://test.projesta.svc.cluster.local ``` -------------------------------- ### Set Default Allowed Query Parameters Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Define default values for allowed query parameters. These defaults are used when no specific parameters are provided in the URL. Ensure default parameters are also listed in 'allowed-query-params'. ```bash --default-allowed-query-params="myparam=myvalue" --default-allowed-query-params="yourparam=yourvalue" ``` ```yaml default-allowed-query-params: myparam: "myvalue" yourparam: "yourvalue" ``` -------------------------------- ### Configure Server Certificate Signing Request (CSR) Source: https://github.com/gogatekeeper/gatekeeper/blob/master/tests/README.md Define the configuration for a server certificate signing request. This specifies the hosts the certificate will be valid for, key details, and subject names. ```bash cat << EOF > /tmp/csr.json { "hosts": [ "localhost", "https://localhost", "https://127.0.0.1", "127.0.0.1" ], "key": { "algo": "ecdsa", "size": 256 }, "names": [ { "C": "US", "L": "Dallas", "O": "My Certificate", "OU": "WWW", "ST": "Texas" } ] } EOF ``` -------------------------------- ### Enforce Authentication for All Requests Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Ensure all incoming requests are authenticated by setting a resource rule that matches all URIs. The default HTTP method is assumed to be 'any'. ```bash --resources=uri=/* ``` -------------------------------- ### Gatekeeper API Flow with UMA (Server Side) Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configure Gatekeeper for server-side API flows using UMA in no-redirects mode. This requires `--no-redirects=true`, `--enable-default-deny=true`, and `--enable-uma=true`. ```bash --discovery-url= --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id= --client-secret= --upstream-url= # api flow --no-redirects=true # you have to set this or resources=/* to have enable-uma working --enable-default-deny=true # we are enabling UMA --enable-uma=true # we are also enabling using method scope, this is optional, # it will check resource in keycloak not just for accessed URL # but also for method scope e.g. method:GET, it will return # UMA token in cookie only for that URL+method scope, # if you don't turn it on it will check just for URL # and will return UMA token in cookie # with all scopes --enable-uma-method-scope=true --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 ``` -------------------------------- ### Configure TLS Forwarding with CA Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use this command to configure Gatekeeper for TLS forwarding. Ensure you generate a CA certificate and key, and provide their paths. ```bash $ openssl req -x509 -nodes -days 365 -newkey ed2551 -keyout ca.key -out ca.pem $ bin/gatekeeper \ --enable-forwarding \ --forwarding-username=USERNAME \ --forwarding-password=PASSWORD \ --client-id=CLIENT_ID \ --client-secret=SECRET \ --discovery-url=https://keycloak.example.com/realms/test \ --tls-forwarding-ca-certificate=/etc/secrets/ca.pem \ --tls-forwarding-ca-private-key=/etc/secrets/ca-key.pem ``` -------------------------------- ### Configure Custom Error Page Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Specify the path to a custom HTML template for error pages, such as the 'bad request' error encountered when a user declines terms and conditions. ```bash --error-page=templates/error.html.tmpl ``` -------------------------------- ### Gatekeeper Configuration (With Redirect) Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Gatekeeper configuration arguments for forward-auth when redirects to an authentication server are desired. Ensures requests are not forwarded upstream. ```bash - args: - --client-id=dashboard - --no-redirects=false # this option will ensure there WILL BE redirects to keycloak server - --no-proxy=true # this option will ensure that request will be not forwarded to upstream - --listen=0.0.0.0:4180 - --discovery-url=https://keycloak-dns-name/realms/censored - --enable-default-deny=true # this option will ensure protection of all paths /*, according our traefik config, traefik will send it to / - --resources=headers=x-some-header:somevalue,x-other-header:othervalue ``` -------------------------------- ### Configure Gatekeeper with Keycloak (YAML) Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Use this YAML configuration for Gatekeeper to integrate with Keycloak. Ensure client ID, secret, realm, and TLS certificates are correctly set. Define resources to protect with specific roles and methods. ```yaml client-id: client-secret: # require for access_type: confidential # Note the redirection-url is optional, it will default to the the URL scheme and host, # only in case of forward auth it will use X-Forwarded-Proto / X-Forwarded-Host, please see forward-auth section discovery-url: https://keycloak.example.com/realms/ # path to your CA certificate/s in PEM format tls-openid-provider-ca-certificate: /etc/ssl/ca.pem # Indicates we should deny by default all requests and explicitly specify what is permitted, default true, # you cannot specify enable-default-deny:true together with defining resource=uri=/* enable-default-deny: true encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j listen: :3000 redirection-url: http://127.0.0.1:3000 upstream-url: http://127.0.0.1:80 # a collection of resource i.e. URLs that you wish to protect, this are simple gatekeeper authorization rules, # to get more complex authorization you can look at external authorization section in our documentation resources: - uri: /admin* methods: - GET roles: # this will match realm role from token - examplerealmrole # you can see here, that roles below will match client roles from token # it will look for client1's client role test1 and client2's client role test2 - client1:test1 - client2:test2 require-any-role: true groups: - admins - users - uri: /backend* roles: - client:test1 - uri: /public/* # Allow access to the resource above white-listed: true - uri: /favicon # Allow access to the resource above white-listed: true - uri: /css/* # Allow access to the resource above white-listed: true - uri: /img/* # Allow access to the resource above white-listed: true # Adds custom headers headers: myheader1: value_1 myheader2: value_2 ``` -------------------------------- ### Configure CORS Options via Command Line Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md These command-line flags allow you to configure CORS access control headers. Specify origins, methods, headers, and exposed headers. ```bash --cors-origins [--cors-origins option] a set of origins to add to the CORS access control (Access-Control-Allow-Origin) ``` ```bash --cors-methods [--cors-methods option] the method permitted in the access control (Access-Control-Allow-Methods) ``` ```bash --cors-headers [--cors-headers option] a set of headers to add to the CORS access control (Access-Control-Allow-Headers) ``` ```bash --cors-exposes-headers [--cors-exposes-headers option] set the expose cors headers access control (Access-Control-Expose-Headers) ``` -------------------------------- ### Verify Gatekeeper Binary Checksum Source: https://github.com/gogatekeeper/gatekeeper/blob/master/README.md Compares the checksum of a downloaded Gatekeeper archive with the checksum provided in the gatekeeper-checksum.txt file. This ensures the integrity of the downloaded binary. ```bash sha512sum /my/path/gatekeeper_4.10.0_linux_amd64.tar.gz 38759e75a94d130758cd26958bd9a66b261be8d58a6c7a0fc04845157649aaf628d22a115c95285b405f8e4d6afa8bd78ca8677d1304faf06db93a0cbbc831a6 gatekeeper_4.10.0_linux_amd64.tar.gz ``` -------------------------------- ### CORS Configuration Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Configure Cross-origin resource sharing (CORS) headers using command-line options or a configuration file. ```APIDOC ## CORS Configuration You can configure CORS headers using the following command-line options: - `--cors-origins [--cors-origins option]` : A set of origins to add to the CORS access control (Access-Control-Allow-Origin). - `--cors-methods [--cors-methods option]` : The methods permitted in the access control (Access-Control-Allow-Methods). - `--cors-headers [--cors-headers option]` : A set of headers to add to the CORS access control (Access-Control-Allow-Headers). - `--cors-exposes-headers [--cors-exposes-headers option]` : Set the expose CORS headers access control (Access-Control-Expose-Headers). Alternatively, you can configure these in a YAML file: ```yaml cors-origins: - '*' cors-methods: - GET - POST ``` ``` -------------------------------- ### Traefik Forward-Auth Configuration Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md This Traefik configuration sets up routers and middlewares for forward authentication. It defines how incoming requests to 'domain.org' are handled, including applying custom headers and forwarding authentication requests to the Gatekeeper service. ```yaml http: routers: app: entryPoints: - "websecure" rule: "Host(`domain.org`)" middlewares: - "app-middleware" - "app-headers" tls: certResolver: letsencrypt service: app-service app-proxy: entryPoints: - "websecure" rule: "Host(`domain.org`) && PathPrefix(`/oauth`)" # here you see that /oauth prefix is routed directly to gatekeeper tls: certResolver: letsencrypt service: app-proxy ################ middlewares: app-headers: headers: customRequestHeaders: X-Forwarded-Proto: https X-Forwarded-Host: domain.org X-Forwarded-Uri: / app-middleware: forwardAuth: address: "http://192.168.140.93:4180 # gatekeeper container address ##################### services: app-service: loadBalancer: servers: - url: "http://192.168.x.x:80" # App container address passHostHeader: true app-proxy: loadBalancer: servers: - url: "http://192.168.x.x:4180" # Gatekeeper container address passHostHeader: true ``` -------------------------------- ### Overriding No-Redirects in Resources Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Demonstrates overriding the global `no-redirects: true` setting within specific resource configurations. Here, `no-redirect: false` is set for /myfrontend1 and /myfrontend2, enabling redirects for these resources. ```yaml no-redirects: true resources: - uri: /myfrontend1 methods: - GET no-redirect: false - uri: /myfrontend2 methods: - GET no-redirect: false ``` -------------------------------- ### Configure Upstream Proxy Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Specify a proxy server for forwarding traffic to upstream services. This can be set in the configuration file or via environment variables. ```yaml upstream-proxy: http://proxy.example.com:8080 upstream-no-proxy: http://donotproxy.example.com:8080 ``` -------------------------------- ### Add Custom Headers Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Inject custom headers into upstream requests. This can be done via the command line or the configuration file. ```yaml headers: name: value ``` -------------------------------- ### Gatekeeper Configuration (No Redirect) Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Gatekeeper configuration arguments for forward-auth when no redirects to an authentication server are desired. Ensures requests are not forwarded upstream. ```bash - args: - --client-id=dashboard - --no-redirects=true # this option will ensure there will be no redirects - --no-proxy=true # this option will ensure that request will be not forwarded to upstream - --listen=0.0.0.0:4180 - --discovery-url=https://keycloak-dns-name/realms/censored - --enable-default-deny=true # this option will ensure protection of all paths /*, according our traefik config, traefik will send it to / - --resources=headers=x-some-header:somevalue,x-other-header:othervalue ``` -------------------------------- ### Configure OpenID Provider Proxy Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md Specify a forwarding proxy server for communication with the OpenID provider. This can be set in the configuration file or via environment variables. ```yaml openid-provider-proxy: http://proxy.example.com:8080 ``` -------------------------------- ### Nginx Forward-Auth Configuration Snippet Source: https://github.com/gogatekeeper/gatekeeper/blob/master/docs/content/_index.md This Nginx configuration snippet is used within an ingress resource to handle redirects for authorization. It specifies the location for authentication requests and proxies them to the Gatekeeper URL. ```yaml nginx.ingress.kubernetes.io/configuration-snippet: | auth_request /auth; nginx.ingress.kubernetes.io/server-snippet: | location ^~ /auth { internal; proxy_pass /$request_uri; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-URI $request_uri; proxy_busy_buffers_size 64k; proxy_buffers 8 32k; proxy_buffer_size 32k; } ``` -------------------------------- ### Verify GPG Signature Source: https://github.com/gogatekeeper/gatekeeper/blob/master/README.md Verifies the signature of a file using GPG. This command checks the integrity and authenticity of the file. ```bash gpg --verify gatekeeper-checksum.txt.sig ```