Fredrik Adelöw
171 lines
6.5 KiB
TypeScript
171 lines
6.5 KiB
TypeScript
/*
|
|
* Copyright 2020 The Backstage Authors
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
export interface Config {
|
|
proxy?: {
|
|
/**
|
|
* Rather than failing to start up, the proxy backend will instead just warn on invalid endpoints.
|
|
*/
|
|
skipInvalidProxies?: boolean;
|
|
|
|
/**
|
|
* Revive request bodies that have already been consumed by earlier middleware.
|
|
*/
|
|
reviveConsumedRequestBodies?: boolean;
|
|
|
|
/**
|
|
* A list of forwarding-proxies. Each key is a route to match,
|
|
* below the prefix that the proxy plugin is mounted on. It must
|
|
* start with a '/'.
|
|
*/
|
|
endpoints?: {
|
|
[key: string]:
|
|
| string
|
|
| {
|
|
/**
|
|
* Target of the proxy. Url string to be parsed with the url module.
|
|
*/
|
|
target: string;
|
|
/**
|
|
* Object with extra headers to be added to target requests.
|
|
*/
|
|
headers?: {
|
|
/** @visibility secret */
|
|
Authorization?: string;
|
|
/** @visibility secret */
|
|
authorization?: string;
|
|
/** @visibility secret */
|
|
'X-Api-Key'?: string;
|
|
/** @visibility secret */
|
|
'x-api-key'?: string;
|
|
[key: string]: string | undefined;
|
|
};
|
|
/**
|
|
* Changes the origin of the host header to the target URL. Default: true.
|
|
*/
|
|
changeOrigin?: boolean;
|
|
/**
|
|
* Rewrite target's url path. Object-keys will be used as RegExp to match paths.
|
|
* If pathRewrite is not specified, it is set to a single rewrite that removes the entire prefix and route.
|
|
*/
|
|
pathRewrite?: { [regexp: string]: string };
|
|
/**
|
|
* Limit the forwarded HTTP methods, for example allowedMethods: ['GET'] to enforce read-only access.
|
|
*/
|
|
allowedMethods?: string[];
|
|
/**
|
|
* Limit the forwarded HTTP methods. By default, only the headers that are considered safe for CORS
|
|
* and headers that are set by the proxy will be forwarded.
|
|
*/
|
|
allowedHeaders?: string[];
|
|
/**
|
|
* The credentials policy to apply.
|
|
*
|
|
* @remarks
|
|
*
|
|
* The values are as follows:
|
|
*
|
|
* - 'require': Callers must provide Backstage user or service
|
|
* credentials with each request. The credentials are not
|
|
* forwarded to the proxy target.
|
|
* - 'forward': Callers must provide Backstage user or service
|
|
* credentials with each request, and those credentials are
|
|
* forwarded to the proxy target.
|
|
* - 'dangerously-allow-unauthenticated': No Backstage credentials
|
|
* are required to access this proxy target. The target can still
|
|
* apply its own credentials checks, but the proxy will not help
|
|
* block non-Backstage-blessed callers.
|
|
*/
|
|
credentials?:
|
|
| 'require'
|
|
| 'forward'
|
|
| 'dangerously-allow-unauthenticated';
|
|
};
|
|
};
|
|
} & {
|
|
/**
|
|
* This was the legacy way of expressing proxies, and is now deprecated. We
|
|
* keep it around in the config schema, to ensure that legacy setups still
|
|
* have properly secret-marked values so that they get redacted.
|
|
*
|
|
* TODO(freben): Remove this in the future (suggestion: after 2024-03-01)
|
|
* when people likely have moved off of this format.
|
|
*/
|
|
[key: string]:
|
|
| string
|
|
| {
|
|
/**
|
|
* Target of the proxy. Url string to be parsed with the url module.
|
|
*/
|
|
target: string;
|
|
/**
|
|
* Object with extra headers to be added to target requests.
|
|
*/
|
|
headers?: {
|
|
/** @visibility secret */
|
|
Authorization?: string;
|
|
/** @visibility secret */
|
|
authorization?: string;
|
|
/** @visibility secret */
|
|
'X-Api-Key'?: string;
|
|
/** @visibility secret */
|
|
'x-api-key'?: string;
|
|
[key: string]: string | undefined;
|
|
};
|
|
/**
|
|
* Changes the origin of the host header to the target URL. Default: true.
|
|
*/
|
|
changeOrigin?: boolean;
|
|
/**
|
|
* Rewrite target's url path. Object-keys will be used as RegExp to match paths.
|
|
* If pathRewrite is not specified, it is set to a single rewrite that removes the entire prefix and route.
|
|
*/
|
|
pathRewrite?: { [regexp: string]: string };
|
|
/**
|
|
* Limit the forwarded HTTP methods, for example allowedMethods: ['GET'] to enforce read-only access.
|
|
*/
|
|
allowedMethods?: string[];
|
|
/**
|
|
* Limit the forwarded HTTP methods. By default, only the headers that are considered safe for CORS
|
|
* and headers that are set by the proxy will be forwarded.
|
|
*/
|
|
allowedHeaders?: string[];
|
|
/**
|
|
* The credentials policy to apply.
|
|
*
|
|
* @remarks
|
|
*
|
|
* The values are as follows:
|
|
*
|
|
* - 'require': Callers must provide Backstage user or service
|
|
* credentials with each request. The credentials are not
|
|
* forwarded to the proxy target.
|
|
* - 'forward': Callers must provide Backstage user or service
|
|
* credentials with each request, and those credentials are
|
|
* forwarded to the proxy target.
|
|
* - 'dangerously-allow-unauthenticated': No Backstage credentials
|
|
* are required to access this proxy target. The target can still
|
|
* apply its own credentials checks, but the proxy will not help
|
|
* block non-Backstage-blessed callers.
|
|
*/
|
|
credentials?:
|
|
| 'require'
|
|
| 'forward'
|
|
| 'dangerously-allow-unauthenticated';
|
|
};
|
|
};
|
|
}
|