docs/vmauth.md: document the case with default url_prefix additionall…

…y to url_map
laconi51 · Jul 20, 2024 · 0a8c9c5 · 0a8c9c5
1 parent 9e0c37b
commit 0a8c9c5
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 51 deletions.
diff --git a/app/vmauth/main_test.go b/app/vmauth/main_test.go
@@ -57,49 +57,43 @@ func TestRequestHandler(t *testing.T) {
 	// regular url_prefix
 	cfgStr := `
 unauthorized_user:
-  url_prefix: {BACKEND}/foo?bar=baz
-`
+  url_prefix: {BACKEND}/foo?bar=baz`
 	requestURL := "http://some-host.com/abc/def?some_arg=some_value"
 	backendHandler := func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected := `
 statusCode=200
-requested_url={BACKEND}/foo/abc/def?bar=baz&some_arg=some_value
-`
+requested_url={BACKEND}/foo/abc/def?bar=baz&some_arg=some_value`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// keep_original_host
 	cfgStr = `
 unauthorized_user:
   url_prefix: "{BACKEND}/foo?bar=baz"
-  keep_original_host: true
-`
+  keep_original_host: true`
 	requestURL = "http://some-host.com/abc/def"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url=http://some-host.com/foo/abc/def?bar=baz
-`
+requested_url=http://some-host.com/foo/abc/def?bar=baz`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// override request host
 	cfgStr = `
 unauthorized_user:
   url_prefix: "{BACKEND}/foo?bar=baz"
   headers:
-  - "Host: other-host:12345"
-`
+  - "Host: other-host:12345"`
 	requestURL = "http://some-host.com/abc/def"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url=http://other-host:12345/foo/abc/def?bar=baz
-`
+requested_url=http://other-host:12345/foo/abc/def?bar=baz`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// /-/reload handler failure
@@ -109,16 +103,14 @@ requested_url=http://other-host:12345/foo/abc/def?bar=baz
 	}
 	cfgStr = `
 unauthorized_user:
-  url_prefix: "{BACKEND}/foo"
-`
+  url_prefix: "{BACKEND}/foo"`
 	requestURL = "http://some-host.com/-/reload"
 	backendHandler = func(_ http.ResponseWriter, _ *http.Request) {
 		panic(fmt.Errorf("backend handler shouldn't be called"))
 	}
 	responseExpected = `
 statusCode=401
-The provided authKey doesn't match -reloadAuthKey
-`
+The provided authKey doesn't match -reloadAuthKey`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 	if err := reloadAuthKey.Set(origAuthKey); err != nil {
 		t.Fatalf("unexpected error: %s", err)
@@ -128,110 +120,97 @@ The provided authKey doesn't match -reloadAuthKey
 	cfgStr = `
 users:
 - username: foo
-  url_prefix: "{BACKEND}/bar"
-`
+  url_prefix: "{BACKEND}/bar"`
 	requestURL = "http://some-host.com/a/b"
 	backendHandler = func(_ http.ResponseWriter, _ *http.Request) {
 		panic(fmt.Errorf("backend handler shouldn't be called"))
 	}
 	responseExpected = `
 statusCode=401
 Www-Authenticate: Basic realm="Restricted"
-missing 'Authorization' request header
-`
+missing 'Authorization' request header`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// incorrect authorization
 	cfgStr = `
 users:
 - username: foo
   password: secret
-  url_prefix: "{BACKEND}/bar"
-`
+  url_prefix: "{BACKEND}/bar"`
 	requestURL = "http://foo:[email protected]/a/b"
 	backendHandler = func(_ http.ResponseWriter, _ *http.Request) {
 		panic(fmt.Errorf("backend handler shouldn't be called"))
 	}
 	responseExpected = `
 statusCode=401
-Unauthorized
-`
+Unauthorized`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// correct authorization
 	cfgStr = `
 users:
 - username: foo
   password: secret
-  url_prefix: "{BACKEND}/bar"
-`
+  url_prefix: "{BACKEND}/bar"`
 	requestURL = "http://foo:[email protected]/a/b"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url={BACKEND}/bar/a/b
-`
+requested_url={BACKEND}/bar/a/b`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// verify how path cleanup works
 	cfgStr = `
 unauthorized_user:
-  url_prefix: {BACKEND}/foo?bar=baz
-`
+  url_prefix: {BACKEND}/foo?bar=baz`
 	requestURL = "http://some-host.com/../../a//.///bar/"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url={BACKEND}/foo/a/bar/?bar=baz
-`
+requested_url={BACKEND}/foo/a/bar/?bar=baz`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// verify how path cleanup works for url without path
 	cfgStr = `
 unauthorized_user:
-  url_prefix: {BACKEND}/foo?bar=baz
-`
+  url_prefix: {BACKEND}/foo?bar=baz`
 	requestURL = "http://some-host.com/"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url={BACKEND}/foo?bar=baz
-`
+requested_url={BACKEND}/foo?bar=baz`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// verify how path cleanup works for url without path if url_prefix path ends with /
 	cfgStr = `
 unauthorized_user:
-  url_prefix: {BACKEND}/foo/?bar=baz
-`
+  url_prefix: {BACKEND}/foo/?bar=baz`
 	requestURL = "http://some-host.com/"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url={BACKEND}/foo/?bar=baz
-`
+requested_url={BACKEND}/foo/?bar=baz`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
+
 	// verify how path cleanup works for url without path and the url_prefix without path prefix
 	cfgStr = `
 unauthorized_user:
-  url_prefix: {BACKEND}/?bar=baz
-`
+  url_prefix: {BACKEND}/?bar=baz`
 	requestURL = "http://some-host.com/"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url={BACKEND}/?bar=baz
-`
+requested_url={BACKEND}/?bar=baz`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 
 	// verify routing to default_url
@@ -240,16 +219,30 @@ unauthorized_user:
   url_map:
   - src_paths: ["/foo/.+"]
     url_prefix: {BACKEND}/x-foo/
-  default_url: {BACKEND}/404.html
-`
+  default_url: {BACKEND}/404.html`
+	requestURL = "http://some-host.com/abc?de=fg"
+	backendHandler = func(w http.ResponseWriter, r *http.Request) {
+		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
+	}
+	responseExpected = `
+statusCode=200
+requested_url={BACKEND}/404.html?request_path=http%3A%2F%2Fsome-host.com%2Fabc%3Fde%3Dfg`
+	f(cfgStr, requestURL, backendHandler, responseExpected)
+
+	// verify routing to default url_prefix
+	cfgStr = `
+unauthorized_user:
+  url_map:
+  - src_paths: ["/foo/.+"]
+    url_prefix: {BACKEND}/x-foo/
+  url_prefix: {BACKEND}/default`
 	requestURL = "http://some-host.com/abc?de=fg"
 	backendHandler = func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintf(w, "requested_url=http://%s%s", r.Host, r.URL)
 	}
 	responseExpected = `
 statusCode=200
-requested_url={BACKEND}/404.html?request_path=http%3A%2F%2Fsome-host.com%2Fabc%3Fde%3Dfg
-`
+requested_url={BACKEND}/default/abc?de=fg`
 	f(cfgStr, requestURL, backendHandler, responseExpected)
 }
 

diff --git a/docs/vmauth.md b/docs/vmauth.md
@@ -78,8 +78,7 @@ For example, the following [`-auth.config`](#auth-config) instructs `vmauth` to
   For example, the request to `http://vmauth:8427/app1/foo/bar?baz=qwe` is proxied to `http://app1-backend/foo/bar?baz=qwe`.
 - Requests starting with `/app2/` are proxied to `http://app2-backend/`, while the `/app2/` path prefix is dropped according to [`drop_src_path_prefix_parts`](#dropping-request-path-prefix).
   For example, the request to `http://vmauth:8427/app2/index.html` is proxied to `http://app2-backend/index.html`.
-- Other requests are proxied to `http://some-backend/404-page.html`, while the requested path is passed via `request_path` query arg.
-  For example, the request to `http://vmauth:8427/foo/bar?baz=qwe` is proxied to `http://some-backend/404-page.html?request_path=%2Ffoo%2Fbar%3Fbaz%3Dqwe`.
+- Other requests are proxied to `http://default-backed/`.
 
 ```yaml
 unauthorized_user:
@@ -92,7 +91,26 @@ unauthorized_user:
     - "/app2/.*"
     drop_src_path_prefix_parts: 1
     url_prefix: "http://app2-backend/"
-  default_url: http://some-backend/404-page.html
+  url_prefix: "http://default-backed/"
+```
+
+Sometimes it is needed to proxy all the requests, which do not match `url_map`, to a special `404` page, which could count invalid requests.
+Use `default_url` for this case. For example, the following [`-auth.config`](#auth-config) instructs `vmauth` sending all the requests,
+which do not match `url_map`, to the `http://some-backend/404-page.html` page. The requested path is passed via `request_path` query arg.
+For example, the request to `http://vmauth:8427/foo/bar?baz=qwe` is proxied to `http://some-backend/404-page.html?request_path=%2Ffoo%2Fbar%3Fbaz%3Dqwe`.
+
+```yaml
+unauthorized_user:
+  url_map:
+  - src_paths:
+    - "/app1/.*"
+    drop_src_path_prefix_parts: 1
+    url_prefix: "http://app1-backend/"
+  - src_paths:
+    - "/app2/.*"
+    drop_src_path_prefix_parts: 1
+    url_prefix: "http://app2-backend/"
+  default_url: "http://some-backend/404-page.html"
 ```
 
 See [routing docs](#routing) for details.