Closed matthewdfuller closed 7 years ago
Hey @matthewdfuller, thanks for contributing. The feature makes a lot of sense, but I'd change the implementation a bit. We typically store static configuration in `struct app.Config`, which is initialized from CLI arguments in `main.go`. I'll admit that using environment variables to control the configuration is more 12-factory and convenient, but let's keep things the way they are for now. I'd be interested in switching all configuration to environment variables in the future.
For now, could you please:

1. Change the `$DISABLE_UPSTREAM` environment variable to a CLI argument
2. Add a `reverseProxyAllowed` field (or something like that, I'm sure a better name exists) to `struct app.Config`
3. Pass `reverseProxyAllowed` to `http.NewIAMHandler`
Hey @nahiluhmot - just a quick ping on this - what would be the best way to pass that param? Thanks!
Hey @matthewdfuller, sorry about the delayed response.
`httpHandler.serveFastHttp` is a method defined on `struct httpHandler`. To use the `disableUpstream` boolean in `httpHandler.serveFastHttp`, I'd add a new field to `struct httpHandler` and pass the variable into the `NewIAMHandler` function. Then you can use `struct httpHandler`'s `disableUpstream` member in `ServeFastHTTP`.
Hope that helps, let me know if you have any more questions.
Np, thanks @nahiluhmot - everything should be as described now.
@matthewdfuller I think this looks good, thanks for updating. Will merge and release tomorrow.
@matthewdfuller This was just released in `v1.2.0`. Thanks again!
Originally, the IAM proxy service acts as a reverse proxy for all requests to the AWS endpoint that are not destined for IAM metadata credentials (`/iam`). This allows containers to request instance metadata, IP info, and other potentially sensitive information (especially user-data).

This PR adds a `DISABLE_UPSTREAM` environment variable which, when set to `true`, will respond to those requests with a 403 ACCESS DENIED. This should be used in any environments where containers should not have access to the instance's metadata.
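The shape the maintainer asked for above (a boolean in the static config struct, filled from a CLI flag in `main`, passed into `NewIAMHandler`, stored as a field on the handler and checked in the serve method) as an added, self-contained example. This is not the project's code: it uses `net/http` and `httputil.ReverseProxy` instead of fasthttp, and the flag name `-reverse-proxy-allowed`, the field names, the placeholder credential document and the `Probe` helper are all assumptions made for the example. The default keeps upstream disabled, so a container that asks for `/latest/user-data` gets a 403 unless the operator opts in.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// Config holds static configuration filled from CLI flags (names are assumptions).
type Config struct {
	ListenAddr          string
	UpstreamURL         string
	ReverseProxyAllowed bool
}

// ParseConfig parses flags from args rather than os.Args so it can be tested.
func ParseConfig(args []string) (*Config, error) {
	fs := flag.NewFlagSet("iam-proxy", flag.ContinueOnError)
	cfg := &Config{}
	fs.StringVar(&cfg.ListenAddr, "listen", "127.0.0.1:8080", "address to listen on")
	fs.StringVar(&cfg.UpstreamURL, "upstream", "http://169.254.169.254", "metadata endpoint")
	fs.BoolVar(&cfg.ReverseProxyAllowed, "reverse-proxy-allowed", false,
		"forward non-/iam requests upstream (default: answer them with 403)")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	return cfg, nil
}

// IAMHandler serves credentials under /iam and proxies everything else only when allowed.
type IAMHandler struct {
	disableUpstream bool // field on the handler, as suggested in the review
	proxy           *httputil.ReverseProxy
}

func NewIAMHandler(upstream *url.URL, reverseProxyAllowed bool) *IAMHandler {
	return &IAMHandler{
		disableUpstream: !reverseProxyAllowed,
		proxy:           httputil.NewSingleHostReverseProxy(upstream),
	}
}

func (h *IAMHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if strings.HasPrefix(r.URL.Path, "/iam") {
		// Stand-in for the real credential lookup: a constructed placeholder document.
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"Code":"Success","AccessKeyId":"EXAMPLE-PLACEHOLDER"}`)
		return
	}
	if h.disableUpstream {
		// Deny user-data, IP info and all other instance metadata.
		http.Error(w, "403 ACCESS DENIED", http.StatusForbidden)
		return
	}
	h.proxy.ServeHTTP(w, r)
}

// Probe puts the handler in front of a constructed fake metadata endpoint and
// returns the status and body a container-side client would see for path.
func Probe(reverseProxyAllowed bool, path string) (int, string, error) {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "upstream:"+r.URL.Path) // constructed stand-in for 169.254.169.254
	}))
	defer upstream.Close()
	u, _ := url.Parse(upstream.URL)
	front := httptest.NewServer(NewIAMHandler(u, reverseProxyAllowed))
	defer front.Close()

	resp, err := http.Get(front.URL + path)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, strings.TrimSpace(string(body)), nil
}

func main() {
	cfg, err := ParseConfig(os.Args[1:])
	if err != nil {
		os.Exit(2)
	}
	u, err := url.Parse(cfg.UpstreamURL)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(cfg.ListenAddr, NewIAMHandler(u, cfg.ReverseProxyAllowed)))
}
```

Running the binary with no flags denies everything outside `/iam`; `-reverse-proxy-allowed` restores the original pass-through behaviour. Keeping the decision in one field on the handler means the 403 is enforced before any request reaches the proxy, so a new route added later cannot accidentally bypass it.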