### Start Gost Proxy Source: https://gogatekeeper.github.io/gatekeeper/index.html Execute this command to start the Gost proxy using the previously defined configuration file. This will make the proxy accessible and ready to forward connections. ```bash gost -C config.yaml ``` -------------------------------- ### Gatekeeper Command Line Options Example Source: https://gogatekeeper.github.io/gatekeeper/index.html Configure Gatekeeper using command-line arguments, providing an alternative to the configuration file. This example demonstrates setting discovery URL, client credentials, listen address, redirection URL, refresh tokens, encryption key, upstream URL, default deny behavior, resource rules, and custom headers. ```bash bin/gatekeeper \ --discovery-url=https://keycloak.example.com/realms/ \ --openid-provider-ca=/etc/ssl/ca.pem \ --client-id= \ --client-secret= \ --listen=127.0.0.1:3000 \ # unix sockets format unix://path --redirection-url=http://127.0.0.1:3000 \ --enable-refresh-tokens=true \ --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \ --upstream-url=http://127.0.0.1:80 \ --enable-default-deny=true \ --resources="uri=/admin*|roles=test1,test2" \ --resources="uri=/backend*|roles=test1" \ --resources="uri=/css/*|white-listed=true" \ --resources="uri=/img/*|white-listed=true" \ --resources="uri=/public/*|white-listed=true" \ --headers="myheader1=value1" \ --headers="myheader2=value2" ``` -------------------------------- ### Global No Redirect Override Example Source: https://gogatekeeper.github.io/gatekeeper/index.html Demonstrates how to globally enable no-redirects and then selectively disable it for specific resources. Note that 'no-redirect=true' can only be overridden to 'false' within resources. ```yaml no-redirects: true resources: - uri: /myfrontend1 methods: - GET no-redirect: false - uri: /myfrontend2 methods: - GET no-redirect: false ``` -------------------------------- ### Configure Gatekeeper for Forwarding Signed HTTPS Source: https://gogatekeeper.github.io/gatekeeper/index.html Example command-line arguments for starting Gatekeeper in forwarding mode with custom CA certificates for TLS. This is used when you need to verify the trust for HTTPS connections. ```bash $ bin/gatekeeper \ --enable-forwarding \ --forwarding-username=USERNAME \ --forwarding-password=PASSWORD \ --client-id=CLIENT_ID \ --client-secret=SECRET \ --discovery-url=https://keycloak.example.com/realms/test \ --tls-forwarding-ca-certificate=/etc/secrets/ca.pem \ --tls-forwarding-ca-private-key=/etc/secrets/ca-key.pem ``` -------------------------------- ### Allow Specific Query Parameters for Authentication (YAML) Source: https://gogatekeeper.github.io/gatekeeper/index.html YAML configuration for allowing specific query parameters to be forwarded to the IDP. This example permits 'myparam' and 'yourparam' with any value. ```yaml allowed-query-params: myparam: "" yourparam: "" ``` -------------------------------- ### Traefik Configuration (No K8s) Source: https://gogatekeeper.github.io/gatekeeper/index.html Example Traefik configuration for forward-auth without Kubernetes resources. Demonstrates router, middleware, and service definitions for integrating Gatekeeper. ```yaml http: routers: app: entryPoints: - "websecure" rule: "Host(`domain.org`)" middlewares: - "app-middleware" - "app-headers" tls: certResolver: letsencrypt service: app-service app-proxy: entryPoints: - "websecure" rule: "Host(`domain.org`) && PathPrefix(`/oauth`)" # here you see that /oauth prefix is routed directly to gatekeeper tls: certResolver: letsencrypt service: app-proxy ################ middlewares: app-headers: headers: customRequestHeaders: X-Forwarded-Proto: https X-Forwarded-Host: domain.org X-Forwarded-Uri: "/" app-middleware: forwardAuth: address: "http://192.168.140.93:4180 # gatekeeper container address ##################### services: app-service: loadBalancer: servers: - url: "http://192.168.x.x:80" # App container address passHostHeader: true app-proxy: loadBalancer: servers: - url: "http://192.168.x.x:4180" # Gatekeeper container address passHostHeader: true ``` -------------------------------- ### Configure GoGatekeeper for TCP Proxy with HTTP CONNECT Source: https://gogatekeeper.github.io/gatekeeper/index.html Use these command-line arguments to configure GoGatekeeper as a TCP proxy that accepts HTTP CONNECT requests. This setup requires a discovery URL, client credentials, and specifies the upstream service and listen address. Ensure custom HTTP methods include CONNECT and enable authorization headers. ```bash "--discovery-url=http://127.0.0.1:8081/realms/test/.well-known/openid-configuration", "--client-id=test-client", "--client-secret=6447d0c0-d510-42a7-b654-6e3a16b2d7e2", "--upstream-url=http://127.0.0.1:5432", "--listen=0.0.0.0:5000", "--no-redirects=true", "--enable-authorization-header=true", "--custom-http-methods=CONNECT", "--enable-default-deny=true", "--enable-logging=true", "--enable-compression=true", "--enable-json-logging=true", "--verbose=true", "--skip-token-verification=false", "--upstream-keepalive-timeout=30s", "--scopes=openid", "--skip-access-token-clientid-check=true" ``` -------------------------------- ### Allow Specific Query Parameters with Values (YAML) Source: https://gogatekeeper.github.io/gatekeeper/index.html YAML configuration for allowing specific query parameters with defined values to be forwarded to the IDP. This example permits 'myparam' with 'myvalue' and 'yourparam' with 'yourvalue'. ```yaml allowed-query-params: myparam: "myvalue" yourparam: "yourvalue" ``` -------------------------------- ### Gatekeeper Configuration File Example Source: https://gogatekeeper.github.io/gatekeeper/index.html Use this configuration file to define Gatekeeper's integration with Keycloak, including client details, discovery URL, TLS settings, resource protection rules, and custom headers. Ensure client-secret is provided for confidential access types. ```yaml client-id: client-secret: # require for access_type: confidential # Note the redirection-url is optional, it will default to the the URL scheme and host, # only in case of forward auth it will use X-Forwarded-Proto / X-Forwarded-Host, please see forward-auth section discovery-url: https://keycloak.example.com/realms/ # path to your CA certificate/s in PEM format tls-openid-provider-ca-certificate: /etc/ssl/ca.pem # Indicates we should deny by default all requests and explicitly specify what is permitted, default true, # you cannot specify enable-default-deny:true together with defining resource=uri=/* enable-default-deny: true encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j listen: :3000 redirection-url: http://127.0.0.1:3000 upstream-url: http://127.0.0.1:80 # a collection of resource i.e. URLs that you wish to protect, this are simple gatekeeper authorization rules, # to get more complex authorization you can look at external authorization section in our documentation resources: - uri: /admin* methods: - GET roles: # this will match realm role from token - examplerealmrole # you can see here, that roles below will match client roles from token # it will look for client1's client role test1 and client2's client role test2 - client1:test1 - client2:test2 require-any-role: true groups: - admins - users - uri: /backend* roles: - client:test1 - uri: /public/* # Allow access to the resource above white-listed: true - uri: /favicon # Allow access to the resource above white-listed: true - uri: /css/* # Allow access to the resource above white-listed: true - uri: /img/* # Allow access to the resource above white-listed: true # Adds custom headers headers: myheader1: value_1 myheader2: value_2 ``` -------------------------------- ### Example Gatekeeper Configuration for OPA Source: https://gogatekeeper.github.io/gatekeeper/index.html Enable OPA external authorization and configure its endpoint and timeout. Setting `enable-default-deny` to true ensures that requests are denied unless explicitly allowed by the OPA policy. ```yaml enable-opa: true enable-default-deny: true opa-timeout: "60s" opa-authz-uri: "http://127.0.0.1/v1/data/authz/allow" ``` -------------------------------- ### Example JWT Token with Groups Source: https://gogatekeeper.github.io/gatekeeper/index.html Illustrates the structure of a JWT token containing a 'groups' claim, which is used for group-based access control. ```json { "iss": "https://sso.example.com", "sub": "", "aud": "test", "exp": 1515269245, "iat": 1515182845, "email": "beloved@example.com", "groups": [ "group_one", "group_two" ], "name": "Beloved" } ``` -------------------------------- ### Gatekeeper Configuration Options (YAML/JSON) Source: https://gogatekeeper.github.io/gatekeeper/index.html Example configuration settings for Gatekeeper, including discovery URL, TLS paths, client credentials, listen addresses, encryption, PKCE, refresh tokens, custom pages, redirection URL, upstream URL, and resource protection rules. ```yaml # is the URL for retrieve the OpenID configuration discovery-url: # path to your CA certificate/s in PEM format tls-openid-provider-ca-certificate: /etc/ssl/ca.pem # path to the client private key for IDP tls-openid-provider-client-private-key: /etc/ssl/provider-client-private-key.pem # path to the client certificate for IDP tls-openid-provider-client-certificate: /etc/ssl/provider-client-certificate.pem # Indicates we should deny by default all requests and explicitly specify what is permitted, default true # this is equivalent of --resource=/*|methods enable-default-deny: true # useful when you want to change base url e.g. you want to have http://somedomain/some/oauth/callback etc.. paths # please be aware that this setting also enforces Access/Refresh token cookies Path to this path, # if desired cookie path can be overriden with --cookie-path option # for multitenant deployments forward-auth should be better option see forward-auth section base-uri: /some # encodes header values according RFC 2047, in MIME B format, IMPORTANT: it only encodes values if they contain non-ASCII chars, otherwise not enable-header-encoding: false # the client id for the 'client' application client-id: # the secret associated to the 'client' application client-secret: # the interface definition you wish the proxy to listen, all interfaces is specified as ':', unix sockets as unix://| listen: :3000 # port on which metrics and health endpoints will be available, if not specified it will be on above specified port listen-admin: :4000 # this encrypts access token, set by default to true, you need to setup encryption key enable-encrypted-token: true # enables use of PKCE, enabled by default in gatekeeper, you need to enable it in keycloak for client enable-pkce: true # whether to enable refresh tokens enable-refresh-tokens: true # you can set up custom templates for forbidden/error/sign-in pages, gatekeeper # also provides these already builtin (but they are not set by default) forbidden-page: templates/forbidden.html.tmpl error-page: templates/error.html.tmpl sign-in-page: sign_in.html.tmpl register-page: register.html.tmpl # the location of server side certificate for gatekeeper tls-cert: # the location of a server side private key for gatekeeper tls-private-key: # TLS options related to admin listener tls-admin-cert: tls-admin-private-key: tls-admin-client-certificate: # the redirection URL, essentially the site URL, note: /oauth/callback is added at the end redirection-url: http://127.0.0.1:3000 # the encryption key used to encode the session state encryption-key: # the upstream endpoint which we should proxy request upstream-url: http://127.0.0.1:80 # Returns HTTP 401 when no authentication is present, used with forward proxies or API protection with client credentials grant. no-redirects: false # additional scopes to add to the default (openid+email+profile) scopes: - vpn-user # a collection of resource i.e. URLs that you wish to protect, this are simple gatekeeper authorization rules, # to get more complex authorization you can look at external authorization section in our documentation resources: - uri: /admin/test # the methods on this URL that should be protected, uri is required when defining resource methods: - GET # a list of roles the user must have in order to access URLs under the above # If all you want is authentication ONLY, simply remove the roles array - the user must be authenticated but # no roles are required roles: - openvpn:vpn-user - openvpn:prod-vpn - test - uri: /admin/* methods: - GET roles: - openvpn:vpn-user - openvpn:commons-prod-vpn ``` -------------------------------- ### Configure Redis Cluster HA Store Source: https://gogatekeeper.github.io/gatekeeper/index.html Enable High Availability for the Redis store by configuring a Redis Cluster. Example URI includes multiple addresses. ```bash --enable-store-ha=true --store-url=redis://user:password@localhost:6789?dial_timeout=3&read_timeout=6s&addr=localhost:6790&addr=localhost:6791 ``` -------------------------------- ### Allow Specific Query Parameters with Values (CLI) Source: https://gogatekeeper.github.io/gatekeeper/index.html Configures Gatekeeper to forward specified query parameters with specific values to the IDP. This example allows 'myparam' with 'myvalue' and 'yourparam' with 'yourvalue'. ```shell --allowed-query-params="myparam=myvalue" --allowed-query-params="yourparam=yourvalue" ``` -------------------------------- ### Gatekeeper Configuration (With Redirect) Source: https://gogatekeeper.github.io/gatekeeper/index.html Gatekeeper arguments for a forward-auth setup that enables redirection to an authentication server. Ensures requests are not forwarded to upstream services. ```bash - args: - --client-id=dashboard - --no-redirects=false # this option will ensure there WILL BE redirects to keycloak server - --no-proxy=true # this option will ensure that request will be not forwarded to upstream - --listen=0.0.0.0:4180 - --discovery-url=https://keycloak-dns-name/realms/censored - --enable-default-deny=true # this option will ensure protection of all paths /*, according our traefik config, traefik will send it to / - --resources=headers=x-some-header:somevalue,x-other-header:othervalue ``` -------------------------------- ### /oauth/login Source: https://gogatekeeper.github.io/gatekeeper/index.html Provides a relay endpoint to log in via `grant_type=password`. For example, `POST /oauth/login` with form values `username=USERNAME&password=PASSWORD` (must be enabled). ```APIDOC ## /oauth/login ### Description Relay endpoint for login using `grant_type=password`. Requires the endpoint to be enabled. ### Method POST ### Endpoint /oauth/login ### Parameters #### Request Body - **username** (string) - Required - The username for authentication. - **password** (string) - Required - The password for authentication. - **grant_type** (string) - Required - Must be set to `password`. ``` -------------------------------- ### Allow Specific Query Parameters for Authentication (CLI) Source: https://gogatekeeper.github.io/gatekeeper/index.html Configures Gatekeeper to forward specified query parameters to the Identity Provider (IDP) during authentication. This example allows 'myparam' and 'yourparam' with any value. ```shell --allowed-query-params="myparam" --allowed-query-params="yourparam" ``` -------------------------------- ### Example OPA Policy for Authorization Source: https://gogatekeeper.github.io/gatekeeper/index.html A sample OPA policy that allows requests if the unmarshalled JSON body contains a 'name' field equal to 'test' and the method is 'POST'. This policy works in conjunction with the provided Gatekeeper configuration. ```rego package authz default allow := false body := json.unmarshal(input.body) allow { body.name = "test" body.method = "POST" } ``` -------------------------------- ### Gatekeeper Configuration (No Redirect) Source: https://gogatekeeper.github.io/gatekeeper/index.html Gatekeeper arguments for a forward-auth setup where no redirects to an authentication server are desired. Ensures requests are not forwarded to upstream services. ```bash - args: - --client-id=dashboard - --no-redirects=true # this option will ensure there will be no redirects - --no-proxy=true # this option will ensure that request will be not forwarded to upstream - --listen=0.0.0.0:4180 - --discovery-url=https://keycloak-dns-name/realms/censored - --enable-default-deny=true # this option will ensure protection of all paths /*, according our traefik config, traefik will send it to / - --resources=headers=x-some-header:somevalue,x-other-header:othervalue ``` -------------------------------- ### Configure Gost Proxy for TCP Forwarding with HTTP CONNECT Source: https://gogatekeeper.github.io/gatekeeper/index.html This configuration file sets up the Gost proxy to forward TCP connections using HTTP CONNECT. It defines a service that listens on port 8000 and uses a chain to connect to the GoGatekeeper instance on port 5000. Remember to replace the example token with your actual Bearer token. ```yaml cat > config.yaml < --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id= --client-secret= --enable-uma=true --enable-uma-method-scope=true --enable-forwarding=true # you can use client credentials grant or direct access grant # see Forward-signing proxy section --forwarding-grant-type=client_credentials --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 ``` -------------------------------- ### Configure Resources via Command Line Source: https://gogatekeeper.github.io/gatekeeper/index.html Set resource configurations, including whitelisting and role-based access, using command-line arguments. ```bash --resources "uri=/some_white_listed_url|white-listed=true" ``` ```bash --resources "uri=/*" # requires authentication on the rest ``` ```bash --resources "uri=/admin*|roles=admin,superuser|methods=POST,DELETE" ``` -------------------------------- ### Run Gatekeeper Help Command Source: https://gogatekeeper.github.io/gatekeeper/index.html View the full list of Gatekeeper commands and switches by running the help command. ```bash $ bin/gatekeeper help ``` -------------------------------- ### Configure Resources with Whitelisting Source: https://gogatekeeper.github.io/gatekeeper/index.html Define resources with specific URIs and access controls. Set `white-listed: true` to allow access without authentication. ```yaml resources: - uri: /some_white_listed_url white-listed: true - uri: /* methods: - GET roles: - : - : ``` -------------------------------- ### Configure Redis Store for Refresh Tokens Source: https://gogatekeeper.github.io/gatekeeper/index.html Set up a local Redis instance to store encrypted refresh tokens. Supports standard URIs and connection options. ```bash --store-url=redis://user:secret@localhost:6379/0?protocol=3 ``` ```bash --store-url=redis://user:password@localhost:6789/3?dial_timeout=3&db=1&read_timeout=6s&max_retries=2 ``` -------------------------------- ### Add Custom Claim Headers with Custom Names Source: https://gogatekeeper.github.io/gatekeeper/index.html Configure custom names for claim headers to be injected into upstream requests. This example renames 'given_name' to 'MY-CUSTOM-GIVEN-NAME'. ```yaml add-claims: - given_name|MY-CUSTOM-GIVEN-NAME ``` -------------------------------- ### Generate HMAC String to Sign Source: https://gogatekeeper.github.io/gatekeeper/index.html This Go code snippet demonstrates how to construct the string that needs to be signed for HMAC verification. It includes method, path, query, authorization header, host, and a SHA256 hash of the body. ```go stringToSign := fmt.Sprintf( "%s\n%s%s\n%s;%s;%s", req.Method, req.URL.Path, req.URL.RawQuery, req.Header.Get(constant.AuthorizationHeader), req.Host, sha256.Sum256(body), ) ``` -------------------------------- ### Add Custom Claims to Upstream Headers Source: https://gogatekeeper.github.io/gatekeeper/index.html Inject additional claims from access or ID tokens into upstream headers. This example shows how to add 'given_name', 'family_name', and 'name' claims. ```yaml add-claims: - given_name - family_name - name ``` -------------------------------- ### Configure Gatekeeper for Client Credentials Grant Type Source: https://gogatekeeper.github.io/gatekeeper/index.html Example Kubernetes deployment configuration for Gatekeeper using the client credentials grant type for forward-signing. This is an alternative to the password grant type. ```yaml - name: gatekeeper image: quay.io/gogatekeeper/gatekeeper:4.8.0 args: - --enable-forwarding=true - --forwarding-domains=projecta.svc.cluster.local - --forwarding-domains=projectb.svc.cluster.local - --client-id=xxxxxx - --client-secret=xxxx - --discovery-url=http://keycloak:8080/realms/master - --tls-forwarding-ca-certificate=/etc/secrets/ca.pem - --tls-forwarding-ca-private-key=/etc/secrets/ca-key.pem - --forwarding-grant-type=client_credentials # Note: if you don't specify any forwarding domains, all domains will be signed; Also the code checks is the # domain 'contains' the value (it's not a regex) so if you wanted to sign all requests to svc.cluster.local, just use # svc.cluster.local volumeMounts: - name: keycloak-socket mountPoint: /var/run/keycloak - name: projecta image: some_images ``` -------------------------------- ### Configure Header Matching Source: https://gogatekeeper.github.io/gatekeeper/index.html Match requests based on specific header values. Multiple headers are ANDed together, requiring all specified headers and values to be present. ```string headers=x-some-header:somevalue,x-other-header:othervalue ``` -------------------------------- ### Configure Gatekeeper for Password Grant Type Source: https://gogatekeeper.github.io/gatekeeper/index.html Example Kubernetes deployment configuration for Gatekeeper using the password grant type for forward-signing. Ensure Keycloak credentials and domains are correctly set. ```yaml - name: gatekeeper image: quay.io/gogatekeeper/gatekeeper:4.8.0 args: - --enable-forwarding=true - --forwarding-username=projecta - --forwarding-password=some_password - --forwarding-domains=projecta.svc.cluster.local - --forwarding-domains=projectb.svc.cluster.local - --client-id=xxxxxx - --client-secret=xxxx - --discovery-url=http://keycloak:8080/realms/master - --tls-forwarding-ca-certificate=/etc/secrets/ca.pem - --tls-forwarding-ca-private-key=/etc/secrets/ca-key.pem # Note: if you don't specify any forwarding domains, all domains will be signed; Also the code checks is the # domain 'contains' the value (it's not a regex) so if you wanted to sign all requests to svc.cluster.local, just use # svc.cluster.local volumeMounts: - name: keycloak-socket mountPoint: /var/run/keycloak - name: projecta image: some_images ``` -------------------------------- ### Gatekeeper Content Compression Configuration Source: https://gogatekeeper.github.io/gatekeeper/index.html Configure content compression for responses returned by Gatekeeper. '--enable-compression' enables Gatekeeper to compress content. '--enable-request-upstream-compression' (default true) sends 'Accept-Encoding: gzip' to the upstream. '--enable-accept-encoding-header' passes the client's 'Accept-Encoding' header to the upstream. ```bash --enable-compression --enable-request-upstream-compression --enable-accept-encoding-header ``` -------------------------------- ### Let's Encrypt Configuration Source: https://gogatekeeper.github.io/gatekeeper/index.html Configure Gatekeeper for Let's Encrypt support, including listening on port 443, enabling HTTPS redirection and security filter, and specifying hostnames. ```yaml listen: 0.0.0.0:443 enable-https-redirection: true enable-security-filter: true use-letsencrypt: true letsencrypt-cache-dir: ./cache/ redirection-url: https://domain.tld:443/ hostnames: - domain.tld ``` -------------------------------- ### Configure Upstream URL with Keep-Alives Source: https://gogatekeeper.github.io/gatekeeper/index.html Enable keep-alive connections to the upstream service by specifying the upstream URL and enabling keep-alives. ```bash --upstream-url --upstream-keepalives ``` -------------------------------- ### Enable HTTPS Redirect Source: https://gogatekeeper.github.io/gatekeeper/index.html Enable HTTP to HTTPS redirection by specifying the HTTP listener and enabling security filter and HTTPS redirection options. ```bash --listen-http=127.0.0.1:80 --enable-security-filter=true # is required for the https redirect --enable-https-redirection ``` -------------------------------- ### Nginx Forward-Auth Configuration Source: https://gogatekeeper.github.io/gatekeeper/index.html This configuration is used within an Nginx server block to set up forward authentication. It ensures that necessary headers are passed to the authentication service and configures buffer sizes for efficient request handling. This setup is suitable for multi-tenant applications. ```nginx proxy_set_header Content-Length ""; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Method $request_method; proxy_set_header X-Forwarded-URI $request_uri; proxy_busy_buffers_size 64k; proxy_buffers 8 32k; proxy_buffer_size 32k; ``` -------------------------------- ### Configure TLS for Redis Store Source: https://gogatekeeper.github.io/gatekeeper/index.html Enable TLS connections for the Redis store by using `rediss://` in the store URL and providing CA certificate. ```bash --store-url=rediss://... --tls-store-ca-certificate=xxxx ``` -------------------------------- ### Configure OpenID Provider Headers Source: https://gogatekeeper.github.io/gatekeeper/index.html Send custom headers to your OpenID provider discovery endpoint when it requires authentication, such as basic auth. Use the `--openid-provider-headers` option or configuration file. ```yaml openid-provider-headers: - X-SEND: "MYVALUE" - X-OTHER-SEND: "NEXT VALUE" ``` ```bash --openid-provider-headers="myheader1=value1" \ --openid-provider-headers="myheader2=value2" ``` -------------------------------- ### Configure Redis Sentinel Store Source: https://gogatekeeper.github.io/gatekeeper/index.html Enable High Availability for the Redis store using Redis Sentinel. Specify master name and connection options. ```bash --enable-store-ha=true --store-url=redis://user:password@localhost:6789?master_name=mymaster&dial_timeout=3&read_timeout=6s&addr=localhost:6790&addr=localhost:6791&username=user&password=password ``` -------------------------------- ### Connect to TCP Service via Gost Proxy Source: https://gogatekeeper.github.io/gatekeeper/index.html Use this command to connect to your backend TCP service (e.g., PostgreSQL) through the Gost proxy. The connection is established to localhost on port 8000, which is handled by the Gost proxy. ```bash psql -U postgres -h localhost -p 8000 ``` -------------------------------- ### Configure Upstream URL with TLS Verification Source: https://gogatekeeper.github.io/gatekeeper/index.html Set the upstream service URL, supporting HTTP/HTTPS with TLS verification. Configure CA certificates for verification. ```bash --upstream-url --upstream-ca ``` -------------------------------- ### Default Allowed Query Parameters (CLI) Source: https://gogatekeeper.github.io/gatekeeper/index.html Sets default values for query parameters that will be used if no parameters are specified in the URL. These parameters must also be allowed by the 'allowed-query-params' option. ```shell --default-allowed-query-params="myparam=myvalue" --default-allowed-query-params="yourparam=yourvalue" ``` -------------------------------- ### Configure Upstream URL with Client TLS Certificate Source: https://gogatekeeper.github.io/gatekeeper/index.html Specify the upstream service URL and provide client TLS certificate and private key for mTLS authentication. ```bash --upstream-url --tls-client-certificate --tls-client-private-key ``` -------------------------------- ### Enable Anonymous Access to Resources Source: https://gogatekeeper.github.io/gatekeeper/index.html Use `white-listed-anon` to allow both anonymous and authenticated access to a resource. This is useful for public pages that also have authenticated views. ```yaml resources: - uri: /public_api white-listed-anon: true ``` -------------------------------- ### Configure Refresh Token Encryption Source: https://gogatekeeper.github.io/gatekeeper/index.html Enable automatic refresh token handling and specify an encryption key for storing tokens in cookies. ```bash --enable-refresh-tokens=true --encryption-key=KEY ``` -------------------------------- ### Configure Upstream Proxy Source: https://gogatekeeper.github.io/gatekeeper/index.html Sets up a proxy server for forwarding traffic to upstream services. Also specifies hosts that should bypass the proxy. ```yaml upstream-proxy: http://proxy.example.com:8080 upstream-no-proxy: http://donotproxy.example.com:8080 ``` -------------------------------- ### Specify Custom Error Page Source: https://gogatekeeper.github.io/gatekeeper/index.html Configure a custom HTML template for error pages, such as when a user declines terms and conditions. ```bash --error-page=templates/error.html.tmpl ``` -------------------------------- ### Default Allowed Query Parameters (YAML) Source: https://gogatekeeper.github.io/gatekeeper/index.html YAML configuration for default query parameters. These values are applied when no URL parameters are provided and must be permitted by 'allowed-query-params'. ```yaml default-allowed-query-params: myparam: "myvalue" yourparam: "yourvalue" ``` -------------------------------- ### Configure Exposed CORS Headers via Command Line Source: https://gogatekeeper.github.io/gatekeeper/index.html Set headers that clients are allowed to access via command-line options. This configures the Access-Control-Expose-Headers header. ```bash --cors-exposes-headers [--cors-exposes-headers option] set the expose cors headers access control (Access-Control-Expose-Headers) ``` -------------------------------- ### /oauth/callback Source: https://gogatekeeper.github.io/gatekeeper/index.html The provider OpenID callback endpoint. ```APIDOC ## /oauth/callback ### Description Handles the callback from the OpenID provider. ### Method GET ### Endpoint /oauth/callback ``` -------------------------------- ### Configure Upstream URL with Skipped TLS Verification Source: https://gogatekeeper.github.io/gatekeeper/index.html Set the upstream service URL and disable TLS verification. Use with caution in non-production environments. ```bash --upstream-url --skip-upstream-tls-verify ``` -------------------------------- ### Configure Level of Authentication (LOA) Resources Source: https://gogatekeeper.github.io/gatekeeper/index.html Configure specific URIs to accept different levels of authentication. If a token lacks the required level, Gatekeeper redirects to authentication, using the first specified level as default. ```bash --resources=uri=/cats|acr=level1,level2 --resources=uri=/pets|acr=level2 ``` -------------------------------- ### Configure Claim Matching Source: https://gogatekeeper.github.io/gatekeeper/index.html Enforce access control by matching claims in tokens against regular expressions. Supports matching 'iss', 'aud', and custom attributes. Use the `--match-claims` option or configuration file. ```yaml match-claims: aud: openvpn iss: https://keycloak.example.com/realms/commons ``` ```bash --match-claims=auth=openvpn --match-claims=iss=http://keycloak.example.com/realms/commons ``` ```yaml match-claims: email: ^.*@example.com$ ``` ```yaml match-claims: perms: perm1 ``` ```json { "iss": "https://sso.example.com", "sub": "", "perms": ["perm1", "perm2"] } ``` ```yaml match-claims: email: !perm1 ``` -------------------------------- ### Test Forward Proxy with Curl Source: https://gogatekeeper.github.io/gatekeeper/index.html Command to test the forward proxy functionality by making a request through the Gatekeeper proxy to a target service. ```bash curl -k --proxy http://127.0.0.1:3000 https://test.projesta.svc.cluster.local ``` -------------------------------- ### Configure Custom Headers Source: https://gogatekeeper.github.io/gatekeeper/index.html Inject custom headers using the `--headers` option or the configuration file. This is useful for adding standard headers to requests. ```yaml headers: name: value ``` -------------------------------- ### Configure CORS Methods via Command Line Source: https://gogatekeeper.github.io/gatekeeper/index.html Specify permitted HTTP methods for CORS requests using command-line options. This configures the Access-Control-Allow-Methods header. ```bash --cors-methods [--cors-methods option] the method permitted in the access control (Access-Control-Allow-Methods) ``` -------------------------------- ### /oauth/token Source: https://gogatekeeper.github.io/gatekeeper/index.html A helper endpoint which will display the current access token. ```APIDOC ## /oauth/token ### Description Retrieves the current access token. ### Method GET ### Endpoint /oauth/token ``` -------------------------------- ### Gatekeeper API Flow Configuration (Server Side) Source: https://gogatekeeper.github.io/gatekeeper/index.html Configure Gatekeeper for API access in a no-redirects mode with UMA enabled on the server side. This is used in conjunction with client-side forward signing. Ensure '--enable-default-deny' and '--enable-uma' are set for UMA to function correctly. ```bash --discovery-url= --openid-provider-timeout=120s --listen=0.0.0.0:3000 --client-id= --client-secret= --upstream-url= # api flow --no-redirects=true # you have to set this or resources=/* to have enable-uma working --enable-default-deny=true # we are enabling UMA --enable-uma=true # we are also enabling using method scope, this is optional, # it will check resource in keycloak not just for accessed URL # but also for method scope e.g. method:GET, it will return # UMA token in cookie only for that URL+method scope, # if you don't turn it on it will check just for URL # and will return UMA token in cookie # with all scopes --enable-uma-method-scope=true --skip-access-token-clientid-check=true --skip-access-token-issuer-check=true --openid-provider-retry-count=30 ```