Request Filtering for forwarding
By default, the Gateway is configured to forward every request to Elasticsearch. It uses a punchlet that accepts every request.
The configuration file of the gateway can be modified to forbid some requests with another punchlet.
Configuration
- enabled: Boolean
  Enable forwarding feature
- punchlet: String
  Protocol and path to the punchlet. Two protocols are supported:
  - file://: to get punchlet from filesystem
  - ppresource://: to get punchlet from Punch resources manager
- reload: String
  Cron to schedule punchlet refresh
- allow_if_missing: Boolean (default: false)
  Allow or forbid all forwarding requests
Example
forwarding:
  enabled: true
  punchlet: ppresource://punchlet/forwarding.punchlet
  reload: "0 * * * * *"
Requirements
Input sent to the punchlet
The configured punchlet receives the following request information:
{
  "request": {
    "headers": {
      "host": "localhost:4242",
      "connection": "keep-alive",
      "cache-control": "no-cache",
      "accept-encoding": "gzip, deflate, br",
      "user-agent": "PostmanRuntime/7.24.1"
    },
    "method": "GET",
    "url": "/v1/mytenant/es/es_search/my_index*"
  },
  "tenant": "mytenant",
  "metrics": {
    "node": {
      "localhost:9200": {
        ...
      }
    },
    "shard": {
      "localhost:9200": {
        ...
      }
    }
  }
}
- request.headers: Map containing all request headers
- request.method: HTTP method of the request
- request.url: URL of the request
- tenant: Tenant name
- metrics.node: Elasticsearch node metrics for each node configured in the gateway configuration file.
- metrics.shard: Elasticsearch shard metrics for each node configured in the gateway configuration file.
Returned data
The punchlet has to return at least two fields:
- allow: Boolean
  Request will be forwarded or not
- reason: String: "Forbidden request"
  Reason why the request has been forbidden.
Example
{
  // Our punchlet intelligence
  ...
  // Our result
  [allow] = false;
  [reason] = "Wildcard in url";
}
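The decision such a punchlet has to make can be prototyped outside the gateway. The following Python model is an added example, not Punch code and not part of the Punch project; the function name `decide`, the read-only method policy, the tenant check and the `/v1/<tenant>/es/...` URL layout (inferred from the sample input above) are assumptions. It goes beyond the wildcard case and denies whenever the input is not what it expects.

```python
# Added example: a Python model of a forwarding filter, not Punch code.
# The policy (allowed methods, tenant check, wildcard ban) is an assumption.
from urllib.parse import unquote, urlsplit

ALLOWED_METHODS = {"GET", "HEAD"}  # assumed read-only policy


def decide(doc):
    """Return {'allow': bool, 'reason': str} for one gateway input document."""
    def deny(reason):
        return {"allow": False, "reason": reason}

    request = doc.get("request") or {}
    method = str(request.get("method", "")).upper()
    if method not in ALLOWED_METHODS:
        return deny("Method not allowed")

    # Decode percent-escapes once so an encoded '*' (%2A) is also caught.
    path = unquote(urlsplit(str(request.get("url", ""))).path)
    parts = [p for p in path.split("/") if p]
    # Assumed layout, from the sample input: /v1/<tenant>/es/<forwarded path>
    if len(parts) < 4 or parts[0] != "v1" or parts[2] != "es":
        return deny("Unexpected url layout")
    if parts[1] != doc.get("tenant"):
        return deny("Tenant mismatch")
    for part in parts[3:]:
        # '_all' targets every index in Elasticsearch, so treat it like '*'.
        if "*" in part or part == "_all":
            return deny("Wildcard in url")
    return {"allow": True, "reason": ""}


# Constructed sample, shaped like the input document shown on this page.
SAMPLE = {
    "request": {
        "headers": {"host": "localhost:4242"},
        "method": "GET",
        "url": "/v1/mytenant/es/es_search/my_index*",
    },
    "tenant": "mytenant",
}

if __name__ == "__main__":
    print(decide(SAMPLE))  # {'allow': False, 'reason': 'Wildcard in url'}
```

Every branch that does not recognise its input returns `allow: false`, so a malformed or empty document is refused rather than forwarded.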