How to broker HTTP requests to different hosts from single proxy

Apps using secretless to broker HTTP connections obviously can only have the single HTTP proxy that points to the listening secretless container. In situations where apps make multiple, authenticated HTTP requests to different hosts — requiring different headers — how do I specify a unique HTTP configuration in secretless that is used depending on the URL it matches on?

Hi Jason,

I believe this is done using different ports. An example secretless.yml is provided below that is configured to support 2 different endpoints:

version: "2"
services:
  http_basic_auth:
    connector: basic_auth
    listenOn: tcp://0.0.0.0:8080
    credentials:
      username: automation
      password:
        from: env
        get: BASIC_AUTH_PASSWORD
    config:
      authenticateURLsMatching:
        - .*
  http_basic_auth_2:
    connector: basic_auth
    listenOn: tcp://0.0.0.0:8081
    credentials:
      username: service2Username
      password:
        from: env
        get: SERVICE_2_USERNAME
    config:
      authenticateURLsMatching:
        - .*

so curl http://localhost:8080 will use username automation and password env(BASIC_AUTH_PASSWORD).
curl https://localhost:8081 will use username service2Username and password env(SERVICE_2_USERNAME).

Hopefully that answers your question.

Regards,
Andrew

@AndrewCopeland Thanks for replying – this was originally my question that I had asked @jgarabedian who kindly posted it on my behalf.

The issue I’m encountering is not defining multiple connectors, but how to communicate to the application how to reach them. Currently, a single environment variable of “http_proxy” is added to the container during creation that tells it how to find secretless’ http connector:

- name: http_proxy
  value: "http://localhost:8080"

Since all HTTP requests will be proxied to that port, additional connectors listening on different ports would never be used. If the only solution at this time is to modify the application code to make requests to different hosts/ports under different circumstances, we will begin investigating that more invasive option.

Thanks again for your help.

@jburns Thank you for providing more information regarding this situation.

I am not extremely well versed in Secretless and I think having some of the devs chime in would reap huge benefits.

I’ll send out a ping to them.

Regards,
Andrew

Hi @jgarabedian,

I have confirmed that the following config should work for your use case:

  • It uses a single http_proxy=http://localhost:8080 setting so that you don’t need multiple “http_proxy” configurations.
  • It provides the header ClientSecret: "8888 only" only to requests to http(s)://localhost:8888
  • It provides the header ClientSecret2: "9999 only" only to requests to http(s)://localhost:9999
  • It does not provide any headers to hosts that do not match the two endpoints mentioned above.

version: 2
services:

  connector-1:
    connector: generic_http
    listenOn: tcp://0.0.0.0:8080
    credentials:
      jwtToken:
        from: literal
        get: "8888 only"
    config:
      headers:
        ClientSecret: "{{ .jwtToken }}"
      forceSSL: false
      authenticateURLsMatching:
        - ^http[s]?://localhost:8888/.*

  connector-2:
    connector: generic_http
    listenOn: tcp://0.0.0.0:8080
    credentials:
      jwtToken:
        from: literal
        get: "9999 only"
    config:
      headers:
        ClientSecret2: "{{ .jwtToken }}"
      forceSSL: false
      authenticateURLsMatching:
        - ^http[s]?://localhost:9999/.*

Let us know if that answers your question.

1 Like
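The two configs in this thread route requests differently: Andrew's first answer keys on the listening port (one basic_auth service per port), the final answer keys on the request URL (two generic_http services sharing port 8080, each with its own authenticateURLsMatching regex). The Python below is an added illustration, not code from this thread or from Secretless itself; it models both configs as plain dicts and simulates which headers a listener would inject for a given URL. Credentials the real configs read from the environment are replaced with constructed placeholder strings, and the basic_auth header construction and `{{ .name }}` template rendering are simplified stand-ins for the broker's real behaviour.

```python
import base64
import re

# Constructed model of the port-based secretless.yml from the first answer.
# Passwords are placeholders standing in for env(BASIC_AUTH_PASSWORD) etc.
PORT_BASED = [
    {"name": "http_basic_auth", "port": 8080, "connector": "basic_auth",
     "credentials": {"username": "automation", "password": "pw"},
     "match": [r".*"]},
    {"name": "http_basic_auth_2", "port": 8081, "connector": "basic_auth",
     "credentials": {"username": "service2Username", "password": "pw2"},
     "match": [r".*"]},
]

# Constructed model of the URL-based config from the final answer:
# both services listen on 8080 and differ only in their URL regex and header.
URL_BASED = [
    {"name": "connector-1", "port": 8080, "connector": "generic_http",
     "credentials": {"jwtToken": "8888 only"},
     "headers": {"ClientSecret": "{{ .jwtToken }}"},
     "match": [r"^http[s]?://localhost:8888/.*"]},
    {"name": "connector-2", "port": 8080, "connector": "generic_http",
     "credentials": {"jwtToken": "9999 only"},
     "headers": {"ClientSecret2": "{{ .jwtToken }}"},
     "match": [r"^http[s]?://localhost:9999/.*"]},
]

# Minimal stand-in for the "{{ .credentialName }}" header templates.
TEMPLATE = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def render(template: str, credentials: dict) -> str:
    """Substitute each {{ .name }} with the named credential value."""
    return TEMPLATE.sub(lambda m: credentials[m.group(1)], template)


def basic_token(username: str, password: str) -> str:
    """RFC 7617 style base64(user:pass) used by the basic_auth stand-in."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def headers_for(service: dict, url: str):
    """Headers this service would inject for url, or None if no regex matches."""
    if not any(re.match(pattern, url) for pattern in service["match"]):
        return None
    creds = service["credentials"]
    if service["connector"] == "basic_auth":
        return {"Authorization": "Basic " + basic_token(creds["username"], creds["password"])}
    return {name: render(value, creds) for name, value in service["headers"].items()}


def broker(services: list, proxy_port: int, url: str) -> dict:
    """Simulate the listener on proxy_port handling a request for url.

    Only services bound to that port are consulted; each one whose regex
    matches contributes its headers. A URL that matches nothing gets {} and
    would be forwarded unmodified.
    """
    injected = {}
    for service in services:
        if service["port"] != proxy_port:
            continue
        headers = headers_for(service, url)
        if headers:
            injected.update(headers)
    return injected


if __name__ == "__main__":
    # With http_proxy=http://localhost:8080 the app only ever reaches port 8080,
    # so the port-based config can never use the 8081 service.
    print(broker(PORT_BASED, 8080, "http://api.example.test/v1"))
    # The URL-based config dispatches on the destination instead.
    for target in ("http://localhost:8888/foo", "https://localhost:9999/", "http://localhost:7777/x"):
        print(target, "->", broker(URL_BASED, 8080, target))
```

Two things the simulation makes visible: the port-based config cannot help an application whose single http_proxy points at 8080, because the 8081 service is never consulted, and the URL-based regexes as written require a path after the port, so a bare `http://localhost:8888` with no trailing slash would not match (clients typically send `/` as the path, but it is worth checking against the actual request line if a header unexpectedly goes missing).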