swipely / iam-docker

Use different IAM roles for each Docker container on an EC2 instance
MIT License

Optionally Disable Reverse Proxy #15

Closed matthewdfuller closed 7 years ago

matthewdfuller commented 7 years ago

Originally, the IAM proxy service acts as a reverse proxy for all requests to the AWS endpoint that are not destined for IAM metadata credentials (/iam). This allows containers to request instance metadata, IP info, and other potentially sensitive information (especially user-data).

This PR adds a DISABLE_UPSTREAM environment variable which, when set to true, will respond to those requests with a 403 ACCESS DENIED. This should be used in any environments where containers should not have access to the instance's metadata.

nahiluhmot commented 7 years ago

Hey @matthewdfuller, thanks for contributing. The feature makes a lot of sense, but I'd change the implementation a bit. We typically store static configuration in struct app.Config, which is initialized from CLI arguments in main.go. I'll admit that using environment variables to control the configuration is more 12-factory and convenient, but let's keep things the way they are for now. I'd be interested in switching all configuration to environment variables in the future.

For now, could you please:

matthewdfuller commented 7 years ago

@nahiluhmot - thanks for the feedback!

The above check failed (expectedly) because I am wondering how to pass the disableUpstream boolean from here into the serveFastHTTP function here.

This is my first attempt at Go, so I apologize for the simple question :)

matthewdfuller commented 7 years ago

Hey @nahiluhmot - just a quick ping on this - what would be the best way to pass that param? Thanks!

nahiluhmot commented 7 years ago

Hey @matthewdfuller, sorry about the delayed response.

httpHandler.serveFastHttp is a method defined on struct httpHandler. To use the disableUpstream boolean in httpHandler.serveFastHttp, I'd add a new field to struct httpHandler and pass the variable into the NewIAMHandler function. Then you can use struct httpHandler's disableUpstream member in ServeFastHTTP.

Hope that helps, let me know if you have any more questions.
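The pattern from this thread, as an added example that is not the project's code: a handler struct carries the `disableUpstream` flag set from a CLI argument, serves the `/iam` credential path itself, and either refuses (403) or reverse-proxies every other metadata request. It uses `net/http` rather than fasthttp, and the flag name `-disable-upstream`, the type `iamHandler` and the constructor `newIAMHandler` are assumptions for the example.

```go
package main

import (
	"flag"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// iamHandler fronts the EC2 metadata endpoint for containers. Credential
// requests under /iam are always answered here; anything else (user-data,
// IP info, ...) is forwarded upstream only when disableUpstream is false.
type iamHandler struct {
	disableUpstream bool
	upstream        *httputil.ReverseProxy
}

// newIAMHandler wires the flag into the struct so ServeHTTP can read it,
// the approach suggested in the thread (instead of reading an env var).
func newIAMHandler(upstreamURL string, disableUpstream bool) (*iamHandler, error) {
	u, err := url.Parse(upstreamURL)
	if err != nil {
		return nil, err
	}
	return &iamHandler{disableUpstream: disableUpstream, upstream: httputil.NewSingleHostReverseProxy(u)}, nil
}

func (h *iamHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if strings.HasPrefix(r.URL.Path, "/iam") {
		// Stand-in for the per-container credential response (constructed body).
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte(`{"Code":"Success"}`))
		return
	}
	if h.disableUpstream {
		// Containers must not see instance metadata: deny instead of proxying.
		http.Error(w, "ACCESS DENIED", http.StatusForbidden)
		return
	}
	h.upstream.ServeHTTP(w, r)
}

func main() {
	disable := flag.Bool("disable-upstream", false, "answer non-/iam metadata requests with 403")
	flag.Parse()
	h, err := newIAMHandler("http://169.254.169.254", *disable)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```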

matthewdfuller commented 7 years ago

Np, thanks @nahiluhmot - everything should be as described now.

nahiluhmot commented 7 years ago

@matthewdfuller I think this looks good, thanks for updating. Will merge and release tomorrow.

nahiluhmot commented 7 years ago

@matthewdfuller This was just released in v1.2.0. Thanks again!