a simple 12Mb file takes 1.6 sec to upload with reproxy

With reproxy:

time curl -X POST "http://localhost/api/upload" -H  "accept: application/json" -H  "Content-Type: multipart/form-data" -F "[email protected]"

0.01s user 0.01s system 1% cpu 1.614 total

without :

time curl -X POST "http://localhost:8000/api/upload" -H  "accept: application/json" -H  "Content-Type: multipart/form-data" -F "[email protected]"

0.00s user 0.01s system 29% cpu 0.062 total

conf:

  reproxy:
    image: umputun/reproxy:master
    container_name: reproxy
    hostname: reproxy
    ports:
      - "80:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./files/static:/static
    environment:
      - LISTEN=0.0.0.0:8080
      - DOCKER_ENABLED=true
      - DEBUG=true
      - MAX_SIZE=20000000

Is it possible to make some mapping like this:

- site1.com/api/    ---> docker.container1
- site1.com/static/ ---> static path /var/www/staticfolder1
- site2.com/api/    ---> docker.container2
- site2.com/static/ ---> /var/www/anotherfolder

It looks like certain tests that rely on short timings may occasionally fail. This is coming from downstream NixOS CI, and in this case on macOS: https://hydra.nixos.org/build/143298376/log

But I was unable to reproduce this locally on macOS, either in a normal build or in a build using Nix. I'm guessing it's a matter of tight tolerances and busy CI machine, maybe?

Do you think it's safe to ignore these failures?

I want to add

Access-Control-Allow-Headers:DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type

but in response I got

Access-Control-Allow-Headers:DNT

if I specify

Access-Control-Allow-Headers:"DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type"

I got Access-Control-Allow-Headers:"DNT

for Access-Control-Allow-Headers:'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'

I got Access-Control-Allow-Headers:'DNT

This can be useful, and won't add much complexity. The throttler should be able to limit the total number of concurrent requests per reproxy server as well as per proxy destination. Not sure if limiting per destination server (virtual host) needed.

It also should be able to limit req/sec per remote client for the same areas (total and destination).

re: https://github.com/umputun/reproxy/discussions/76

In some cases, one container may expose multiple endpoints, for example, public API and some admin API. They can be on different ports and the goal is to allow such functionality to be defined with docker provider (labels?)

I can think of two ways to implement it:

• add numeric suffix to reproxy.*.N, i.e. reproxy.server.1=example.com, reproxy.dest.1=blah and so on. This may increase the number of labels and could be ugly in extreme cases
• similar to the first approach but combine the rule in this style of static provider, i.e. reproxy.1=m.example.com,/api/(.*)./someplace/$1,/ping. This is harder to read but will minimize the number of labels

both approaches can be combined too, and the user can choose which one he likes better. The current labels should be supported too as we don't want to break compatibility for no good reason

if anyone has better ideas pls share

Just an idea - trying to minimize the number of third-party dependencies. The go-dockerclient seems to be a heavy one and brings a lot of transitive dependencies.

All we do with docker is just event listener and container's list. It would be nice to replace go-dockerclient with internal calls to docker api

When used on ARMv7 (odroid c1) all services works with exception of svc1 and svc2 that are based on amd64's hashicorp/http-echo. Probably it will be better to use a multi-platform http-echo image for svc1/svc2.

Example of the problem log:

# docker logs svc1
standard_init_linux.go:219: exec user process caused: exec format error

I researched for some other images and found teapow/http-echo which worked for me.

Example of docker-compose.yml insert:

  echo1:
    image: teapow/http-echo
    container_name: echo1
    hostname: echo1
    ports:
      - "9090:9090"
    environment:
      - SERVER_PORT=9090
      - ECHO_MESSAGE="teapow pong"
      - SERVER_DEBUG=true

test:

# curl http://localhost/api/echo1/
{
  "message": "\"teapow pong\""
}

I have tried to migrate one of my non-trivial configurations hosting multiple docker services with nginx-le proxy in front of this and with several static sites to reproxy. The good news - I was able to do most of it and the final configuration seems to be easier. No need for multiple configuration files (i.e. docker-compose + nginx configs) and generally the final compose readable and make sense.

However, I've run into some unexpected complexity and most of it was self-induced and hopefully can be addressed with relatively easy changes:

1. Mix of static rules and docker provider doesn't seem to work together. Not sure why, need to investigate
2. All of my destination containers needed reproxy.route: /(.*) and reproxy.dest: /@1 labels and this pair seems to be a good candidate for a new default
3. In order to allow the current label-less docker discovery I'm going to add a new bool parameter turning it on or off. Not sure which makes more sense as a default.
4. Some containers needed to handle multiple servers, i.e. blah.com and www.blah.com, but currently, only a single server name supported. Should be doable to support multiple servers
5. Attempt to serve fully static content with separate reproxy containers (see #12) worked, but looks a little bit odd. I'm not sure if I like it or maybe prefer some other approach
6. I had to set LISTEN=0.0.0.0:port to each reproxy container because the default is localhost:port. From safety/security POV it makes sense, but practically every reproxy container will have to have LISTEN define explicitly. Maybe this is the good thing, not sure
7. Additional reproxy servers (for static content) needed reproxy.enabled: y because the container itself sets it to false (see #16). This is logical (technically speaking) but unexpected and confusing in practice.

Main consideration is backward compatibility. example.com should be treated as an exact match, where possible. So current order is: exact host, regex host, * or ""

ASSETS_CACHE now sets only a Cache-control header for all static assets — images, CSS, scripts, and HTML. It would be useful at least to have an option to exclude HTML from the cache.

More obvious way - to add Expires header and an option to set it by MediaType.

I see index HTML pages served from the browser cache in the current configuration even after Hugo's rebuild - because max-age from Cache-control yet to be expired.

Before this change redirects didn't work because method Service.extendMapper didn't copy the value of URLMapper.RedirectType to the extended result.

To fix this we return the original URLMapper instead of creating a new one (it can also help to avoid similar bugs in the future). We can reuse URLMapper because it is passed by value.

Hi @umputun thanks for your work on reproxy.

Please consider this GitHub workflow for using trivy to identify security vulnerabilities in reproxy.

The action will run on commits to master and will identify any security issues identified by trivy against the docker image, it will use the config defined in the ./trivy.yaml for what it should do on the workflow execution. Currently, it is configured to identify Critical and High issues in the OS and Libraries.

You can set the exit code to 0 if you don't want the workflow to fail if it identifies vuln's.

Thanks, Damian.

There's a display error in your readme.md file:

The first two examples (static provider; automatic docker discovery) are truncated. May want to correct them. :-)

Keep up the good work!

1. Clone plugin repo to folder plugins with folder name as plugin package name git clone https://github.com/negasus/reproxy-brotli-plugin.git plugins/brotli

2. Remove go module files rm plugins/brotli/go.*

3. Generate app/proxy/plugins.go go run ./cmd/plugins

4. Vendoring go mod tidy go mod vendor

5. Done Run reproxy for test

It would be great if I can set (in config file) timeout and throttle for specific routes. For example I use exponential timeouts for login form to protect from brute force and I'd like to increase timeouts for this endpoint.

Hey!

Tried to set reproxy to listen on [::]:8080 (and :::8080 too) address but it doesn't want to start with some errors logged:

reproxy  | 2022/03/31 21:17:03.924 [INFO]  activate http proxy server on "[::]:8080"
reproxy  | 2022/03/31 21:17:03.925 [ERROR] proxy server failed, listen tcp: address "[::]:8080": too many colons in address
reproxy  | 2022/03/31 21:17:03.925 [ERROR] proxy server failed, listen tcp: address "[::]:8080": too many colons in address

Is IPv6 supported in reproxy? Could we implement if it isn't? Thanks!