Closed urakozz closed 9 years ago
Can you send me the code you used.
In the meantime, you can use the prior commit (https://github.com/pjebs/restgate/commit/f74619a6f98c2313f588b58c191afcae321d0d3b) and use https://github.com/unrolled/secure
@pjebs
```go
app := negroni.New()
app.Use(negroni.NewRecovery())
app.Use(negroni.NewLogger())
app.Use(restgate.New(
	"X-Auth-Key",
	"X-Auth-Secret",
	restgate.Static,
	restgate.Config{
		Context: C,
		Key:     []string{"12345"},
		Secret:  []string{"secret"},
	},
))
app.UseHandler(router)
http.Handle("/", context.ClearHandler(app))
```
Using HTTPS validation in authentication middleware is an architectural overhead. Protocol verification is the responsibility of a load balancer (or a separate package); internal communication happens via TCP or HTTP.
If you want to disable it, pass HTTPSProtectionOff=true in Config.
Let me try and reproduce the bug in GAE.
To be honest, I have already written my own implementation with an injectable authenticator, like this:
```go
middleware.NewAuthMiddleware(
	"X-Auth-Key",
	"X-Auth-Secret",
	middleware.AuthConfig{
		Context: func(r *http.Request, authenticatedKey string) {
			context.Set(r, 0, authenticatedKey)
		},
		Authenticator: func(key, secret string) bool {
			sec := driver.Client.HGet("keys", key).Val()
			return sec == secret
		},
	},
)
```
I tested it on GAE. I simply can't reproduce the error. Are you using GAE or a Managed Environment with Google Cloud Platform?
Are you using a load balancer such as nginx outside of GAE which communicates with its GAE instances over HTTP and changes the header to "X-Forwarded-Proto": "https" to indicate that it was originally HTTPS?
That message you are receiving can only possibly occur if you DON'T set HTTPSProtectionOff (which you aren't). The above reason could explain the issue.
I used Restgate on the GAE-Flexible Environment for the first time (previously Managed Environment). I can confirm this bug. The bug is not present in the GAE-Standard Environment.
On the Flexible Environment, the only way to detect if the original request is HTTPS is via the custom header `X-AppEngine-Https` set to `on` (https://cloud.google.com/appengine/docs/flexible/nodejs/runtime#https_and_forwarding_proxies).
For this reason, I recommend turning off HTTPS Protection on restgate, e.g. `restgate.Config{HTTPSProtectionOff: true...}`, and securing the URL endpoint via the `app.yaml` file (https://cloud.google.com/appengine/docs/flexible/go/configuring-your-app-with-app-yaml#security), e.g.
```yaml
handlers:
- url: /api
  script: _go_app
  secure: always
```
Alternatively, test for HTTPS on each and every handler under restgate by testing `X-AppEngine-Https`.
I have updated the package to support the GAE-Flexible environment.
Just set the config like this:
```go
restgate.New("X-Auth-Key", "X-Auth-Secret", restgate.Static, restgate.Config{GAE_FlexibleEnvironment: true,...})
```
THE ADVICE IN ABOVE POST IS VALID BUT NO LONGER RECOMMENDED
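The HTTPS detection discussed in this thread, as an added Go example that is not part of the issue and not restgate's own code. `ProxyMode`, `IsHTTPS`, `RequireHTTPS` and `Status` are hypothetical names; the header names and values are the ones quoted above. It assumes the front end named by the mode overwrites any client-supplied copy of its header, which is why a header is ignored in every other mode.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type ProxyMode int // hypothetical type for this example, not restgate's API

const (
	Direct ProxyMode = iota // app terminates TLS itself: only r.TLS counts
	ForwardedProto          // front proxy sets X-Forwarded-Proto: https
	GAEFlexible             // GAE Flexible sets X-AppEngine-Https: on
)

// IsHTTPS trusts a forwarding header only in the mode that names it.
func IsHTTPS(r *http.Request, mode ProxyMode) bool {
	switch mode {
	case ForwardedProto:
		return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
	case GAEFlexible:
		return strings.EqualFold(r.Header.Get("X-AppEngine-Https"), "on")
	}
	return r.TLS != nil
}

// RequireHTTPS rejects plain-HTTP requests before the wrapped handler runs.
func RequireHTTPS(mode ProxyMode, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !IsHTTPS(r, mode) {
			http.Error(w, "HTTPS required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Status sends one constructed request through the middleware.
func Status(mode ProxyMode, rawURL, header, value string) int {
	r := httptest.NewRequest("GET", rawURL, nil)
	r.Header.Set(header, value)
	w := httptest.NewRecorder()
	ok := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // replies 200
	RequireHTTPS(mode, ok).ServeHTTP(w, r)
	return w.Code
}

func main() { fmt.Println(Status(Direct, "http://app.example/", "X-AppEngine-Https", "on")) }
```

In `Direct` mode the forwarded header has no effect, so an application that is reachable without the proxy does not accept a client's own claim that the request was HTTPS.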
On Google app engine application always returns error
on http and on https