87 lines
2.5 KiB
YAML
87 lines
2.5 KiB
YAML
# Example cmdline (forward requests from upstream to port :8080)
|
|
# $ go-away --bind :8080 --backend site.example.com=http://site:3000 --policy examples/spa.yml --policy-snippets example/snippets/ --challenge-template anubis
|
|
|
|
|
|
|
|
# Define networks to be used later below
|
|
networks:
|
|
# Networks will get included from snippets
|
|
|
|
|
|
challenges:
|
|
# Challenges will get included from snippets
|
|
|
|
conditions:
|
|
# Conditions will get replaced on rules AST when found as ($condition-name)
|
|
|
|
|
|
is-static-asset:
|
|
- 'path == "/apple-touch-icon.png"'
|
|
- 'path == "/apple-touch-icon-precomposed.png"'
|
|
- 'path.matches("\\.(manifest|ttf|woff|woff2|jpg|jpeg|gif|png|webp|avif|svg|mp4|webm|css|js|mjs|wasm)$")'
|
|
# Add other paths where you have static assets
|
|
# - 'path.startsWith("/static/") || path.startsWith("/assets/")'
|
|
|
|
|
|
# Rules are checked sequentially in order, from top to bottom
|
|
rules:
|
|
- name: allow-well-known-resources
|
|
conditions:
|
|
- '($is-well-known-asset)'
|
|
action: pass
|
|
|
|
- name: allow-static-resources
|
|
conditions:
|
|
- '($is-static-asset)'
|
|
action: pass
|
|
|
|
- name: unknown-crawlers
|
|
conditions:
|
|
# No user agent set
|
|
- 'userAgent == ""'
|
|
action: deny
|
|
|
|
# Enable fetching OpenGraph and other tags from backend on index
|
|
- name: enable-meta-tags
|
|
action: context
|
|
conditions:
|
|
- 'path == "/" || path == "/index.html"'
|
|
settings:
|
|
context-set:
|
|
# Map OpenGraph or similar <meta> tags back to the reply, even if denied/challenged
|
|
proxy-meta-tags: "true"
|
|
|
|
# Challenge incoming visitors so challenge is remembered on api endpoints
|
|
# API requests will have this challenge stored
|
|
- name: index
|
|
conditions:
|
|
- 'path == "/" || path == "/index.html"'
|
|
settings:
|
|
challenges: [ preload-link, header-refresh ]
|
|
action: challenge
|
|
|
|
# Allow PUT/DELETE/PATCH/POST requests in general
|
|
- name: non-get-request
|
|
action: pass
|
|
conditions:
|
|
- '!(method == "HEAD" || method == "GET")'
|
|
|
|
# Challenge rest of endpoints (SPA API etc.)
|
|
# Above rule on index ensures clients have passed a challenge beforehand
|
|
- name: standard-browser
|
|
action: challenge
|
|
settings:
|
|
challenges: [ preload-link, header-refresh ]
|
|
# Fallback on cookie challenge
|
|
fail: challenge
|
|
fail-settings:
|
|
challenges: [ cookie ]
|
|
conditions:
|
|
- '($is-generic-browser)'
|
|
|
|
- name: other-fetchers
|
|
action: challenge
|
|
settings:
|
|
challenges: [ cookie ]
|
|
conditions:
|
|
- '!($is-generic-browser)' |