-rw-r--r--.github/reviewers.yml3
-rw-r--r--.github/vyos-linter.py177
-rw-r--r--.github/workflows/auto-author-assign.yml21
-rw-r--r--.github/workflows/check-pr-conflicts.yml14
-rw-r--r--.github/workflows/lint-doc.yml10
-rw-r--r--.github/workflows/main.yml27
-rw-r--r--.github/workflows/pr-conflicts.yml19
-rw-r--r--CODEOWNERS2
-rw-r--r--docs/configuration/loadbalancing/reverse-proxy.rst12
9 files changed, 42 insertions, 243 deletions
diff --git a/.github/reviewers.yml b/.github/reviewers.yml
deleted file mode 100644
index 59342c56..00000000
--- a/.github/reviewers.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-'**/*':
- - rebortg
diff --git a/.github/vyos-linter.py b/.github/vyos-linter.py
deleted file mode 100644
index 3dc7c2fc..00000000
--- a/.github/vyos-linter.py
+++ /dev/null
@@ -1,177 +0,0 @@
-import os
-import re
-import ipaddress
-import sys
-import ast
-
-IPV4SEG = r'(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])'
-IPV4ADDR = r'\b(?:(?:' + IPV4SEG + r'\.){3,3}' + IPV4SEG + r')\b'
-IPV6SEG = r'(?:(?:[0-9a-fA-F]){1,4})'
-IPV6GROUPS = (
- r'(?:' + IPV6SEG + r':){7,7}' + IPV6SEG, # 1:2:3:4:5:6:7:8
- r'(?:\s' + IPV6SEG + r':){1,7}:', # 1:: 1:2:3:4:5:6:7::
- r'(?:' + IPV6SEG + r':){1,6}:' + IPV6SEG, # 1::8 1:2:3:4:5:6::8 1:2:3:4:5:6::8
- r'(?:' + IPV6SEG + r':){1,5}(?::' + IPV6SEG + r'){1,2}', # 1::7:8 1:2:3:4:5::7:8 1:2:3:4:5::8
- r'(?:' + IPV6SEG + r':){1,4}(?::' + IPV6SEG + r'){1,3}', # 1::6:7:8 1:2:3:4::6:7:8 1:2:3:4::8
- r'(?:' + IPV6SEG + r':){1,3}(?::' + IPV6SEG + r'){1,4}', # 1::5:6:7:8 1:2:3::5:6:7:8 1:2:3::8
- r'(?:' + IPV6SEG + r':){1,2}(?::' + IPV6SEG + r'){1,5}', # 1::4:5:6:7:8 1:2::4:5:6:7:8 1:2::8
- IPV6SEG + r':(?:(?::' + IPV6SEG + r'){1,6})', # 1::3:4:5:6:7:8 1::3:4:5:6:7:8 1::8
- r':(?:(?::' + IPV6SEG + r'){1,7}|:)', # ::2:3:4:5:6:7:8 ::2:3:4:5:6:7:8 ::8 ::
- r'fe80:(?::' + IPV6SEG + r'){0,4}%[0-9a-zA-Z]{1,}', # fe80::7:8%eth0 fe80::7:8%1 (link-local IPv6 addresses with zone index)
- r'::(?:ffff(?::0{1,4}){0,1}:){0,1}[^\s:]' + IPV4ADDR, # ::255.255.255.255 ::ffff:255.255.255.255 ::ffff:0:255.255.255.255 (IPv4-mapped IPv6 addresses and IPv4-translated addresses)
- r'(?:' + IPV6SEG + r':){1,4}:[^\s:]' + IPV4ADDR, # 2001:db8:3:4::192.0.2.33 64:ff9b::192.0.2.33 (IPv4-Embedded IPv6 Address)
-)
-IPV6ADDR = '|'.join(['(?:{})'.format(g) for g in IPV6GROUPS[::-1]]) # Reverse rows for greedy match
-
-MAC = r'([0-9A-F]{2}[:-]){5}([0-9A-F]{2})'
-
-NUMBER = r"([\s']\d+[\s'])"
-
-
-def lint_mac(cnt, line):
- mac = re.search(MAC, line, re.I)
- if mac is not None:
- mac = mac.group()
- u_mac = re.search(r'((00)[:-](53)([:-][0-9A-F]{2}){4})', mac, re.I)
- m_mac = re.search(r'((90)[:-](10)([:-][0-9A-F]{2}){4})', mac, re.I)
- if u_mac is None and m_mac is None:
- return (f"Use MAC reserved for Documentation (RFC7042): {mac}", cnt, 'error')
-
-
-def lint_ipv4(cnt, line):
- ip = re.search(IPV4ADDR, line, re.I)
- if ip is not None:
- ip = ipaddress.ip_address(ip.group().strip(' '))
- # https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address.is_private
- if ip.is_private:
- return None
- if ip.is_multicast:
- return None
- if ip.is_global is False:
- return None
- return (f"Use IPv4 reserved for Documentation (RFC 5737) or private Space: {ip}", cnt, 'error')
-
-
-def lint_ipv6(cnt, line):
- ip = re.search(IPV6ADDR, line, re.I)
- if ip is not None:
- ip = ipaddress.ip_address(ip.group().strip(' '))
- if ip.is_private:
- return None
- if ip.is_multicast:
- return None
- if ip.is_global is False:
- return None
- return (f"Use IPv6 reserved for Documentation (RFC 3849) or private Space: {ip}", cnt, 'error')
-
-
-def lint_AS(cnt, line):
- number = re.search(NUMBER, line, re.I)
- if number:
- pass
- # find a way to detect AS numbers
-
-
-def lint_linelen(cnt, line):
- line = line.rstrip()
- if len(line) > 80:
- return (f"Line too long: len={len(line)}", cnt, 'warning')
-
-def handle_file_action(filepath):
- errors = []
- try:
- with open(filepath) as fp:
- line = fp.readline()
- cnt = 1
- test_line_lenght = True
- start_vyoslinter = True
- indentation = 0
- while line:
- # search for ignore linter comments in lines
- if ".. stop_vyoslinter" in line:
- start_vyoslinter = False
- if ".. start_vyoslinter" in line:
- start_vyoslinter = True
- if start_vyoslinter:
- # ignore every '.. code-block::' for line lenght
- # rst code-block have its own style in html the format in rst
- # and the build page must be the same
- if test_line_lenght is False:
- if len(line) > indentation:
- #print(f"'{line}'")
- #print(indentation)
- if line[indentation].isspace() is False:
- test_line_lenght = True
-
- if ".. code-block::" in line:
- test_line_lenght = False
- indentation = 0
- for i in line:
- if i.isspace():
- indentation = indentation + 1
- else:
- break
-
- err_mac = lint_mac(cnt, line.strip())
- # disable mac detection for the moment, too many false positives
- err_mac = None
- err_ip4 = lint_ipv4(cnt, line.strip())
- err_ip6 = lint_ipv6(cnt, line.strip())
- if test_line_lenght:
- err_len = lint_linelen(cnt, line)
- else:
- err_len = None
- if err_mac:
- errors.append(err_mac)
- if err_ip4:
- errors.append(err_ip4)
- if err_ip6:
- errors.append(err_ip6)
- if err_len:
- errors.append(err_len)
-
- line = fp.readline()
- cnt += 1
-
- # ensure linter was not stop on top and forgot to tun on again
- if start_vyoslinter == False:
- errors.append((f"Don't forgett to turn linter back on", cnt, 'error'))
- finally:
- fp.close()
-
- if len(errors) > 0:
- '''
- "::{$type} file={$filename},line={$line},col=$column::{$log}"
- '''
- print(f"File: {filepath}")
- for error in errors:
- print(f"::{error[2]} file={filepath},line={error[1]}::{error[0]}")
- print('')
- return False
-
-
-def main():
- bool_error = True
- print('start')
- try:
- files = ast.literal_eval(sys.argv[1])
- for file in files:
- if file[-4:] in [".rst", ".txt"] and "_build" not in file:
- if handle_file_action(file) is False:
- bool_error = False
- except Exception as e:
- for root, dirs, files in os.walk("docs"):
- path = root.split(os.sep)
- for file in files:
- if file[-4:] in [".rst", ".txt"] and "_build" not in path:
- fpath = '/'.join(path)
- filepath = f"{fpath}/{file}"
- if handle_file_action(filepath) is False:
- bool_error = False
-
- return bool_error
-
-
-if __name__ == "__main__":
- if main() == False:
- exit(1)
diff --git a/.github/workflows/auto-author-assign.yml b/.github/workflows/auto-author-assign.yml
index 81134206..c3696ea4 100644
--- a/.github/workflows/auto-author-assign.yml
+++ b/.github/workflows/auto-author-assign.yml
@@ -3,25 +3,12 @@ on:
pull_request_target:
types: [opened, reopened, ready_for_review, locked]
+
permissions:
pull-requests: write
+ contents: read
jobs:
- # https://github.com/marketplace/actions/auto-author-assign
assign-author:
- runs-on: ubuntu-latest
- steps:
- - name: "Assign Author to PR"
- uses: toshimaru/auto-author-assign@v1.3.5
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
-
- # https://github.com/shufo/auto-assign-reviewer-by-files
- assign_reviewer:
- runs-on: ubuntu-latest
- steps:
- - name: Request review based on files changes and/or groups the author belongs to
- uses: shufo/auto-assign-reviewer-by-files@v1.1.1
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- config: .github/reviewers.yml
+ uses: vyos/.github/.github/workflows/assign-author.yml@feature/T6349-reusable-workflows
+ secrets: inherit
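Review bot: The reusable workflow on the last two lines is pinned to a mutable branch ref, `@feature/T6349-reusable-workflows`, so whatever that branch holds at run time executes with this workflow's `pull-requests: write` token and, through `secrets: inherit`, every secret of this repository; the same ref and `secrets: inherit` appear in check-pr-conflicts.yml and lint-doc.yml in this commit. Because the trigger is `pull_request_target`, a later change to that branch in vyos/.github silently changes what runs against incoming pull requests here, and the removed inline steps at least pinned their actions to fixed tags. Once the feature branch is merged, pin to an immutable ref, e.g. `uses: vyos/.github/.github/workflows/assign-author.yml@<commit-sha-placeholder>` or a release tag, and pass only the secrets the called workflow actually needs instead of `secrets: inherit` if its inputs are known.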
diff --git a/.github/workflows/check-pr-conflicts.yml b/.github/workflows/check-pr-conflicts.yml
new file mode 100644
index 00000000..0c659e6e
--- /dev/null
+++ b/.github/workflows/check-pr-conflicts.yml
@@ -0,0 +1,14 @@
+
+name: "PR Conflicts checker"
+on:
+ pull_request_target:
+ types: [synchronize]
+
+permissions:
+ pull-requests: write
+ contents: read
+
+jobs:
+ check-pr-conflict-call:
+ uses: vyos/.github/.github/workflows/check-pr-merge-conflict.yml@feature/T6349-reusable-workflows
+ secrets: inherit
diff --git a/.github/workflows/lint-doc.yml b/.github/workflows/lint-doc.yml
new file mode 100644
index 00000000..7f2f2099
--- /dev/null
+++ b/.github/workflows/lint-doc.yml
@@ -0,0 +1,10 @@
+name: Lint Doc
+on:
+ pull_request:
+
+jobs:
+ lint-doc:
+ uses: vyos/.github/.github/workflows/lint-doc.yml@feature/T6349-reusable-workflows
+ secrets: inherit
+
+
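Review bot: This caller declares no `permissions:` block, while the two sibling workflows added in the same commit restrict the token to `pull-requests: write` and `contents: read`; without one the called lint-doc.yml workflow inherits the repository's default `GITHUB_TOKEN` permissions, which may be broader than a lint job needs. If the linter only checks out and reads the tree, add a top-level `permissions:` / `  contents: read` pair above `jobs:`, and widen it only if the reusable workflow documents a need. The two trailing blank `+` lines after `secrets: inherit` can be dropped as well.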
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 67556017..00000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-name: Linting
-on:
- pull_request:
-
-jobs:
- lint:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v2
-
- - name: File Changes
- id: file_changes
- uses: trilom/file-changes-action@v1.2.3
-
- - name: Set up Python
- uses: actions/setup-python@v2
- with:
- python-version: '3.x'
-
- - name: run python based linter
- run: python .github/vyos-linter.py '${{ steps.file_changes.outputs.files_modified }}'
-
- env:
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-
-
diff --git a/.github/workflows/pr-conflicts.yml b/.github/workflows/pr-conflicts.yml
deleted file mode 100644
index 8f2db469..00000000
--- a/.github/workflows/pr-conflicts.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: "PR Conflicts checker"
-on:
- pull_request_target:
- types: [synchronize]
-
-jobs:
- Conflict_Check:
- name: 'Check PR status: conflicts and resolution'
- runs-on: ubuntu-22.04
- steps:
- - name: check if PRs are dirty
- uses: eps1lon/actions-label-merge-conflict@releases/2.x
- with:
- dirtyLabel: "state: conflict"
- removeOnDirtyLabel: "state: conflict resolved"
- repoToken: "${{ secrets.GITHUB_TOKEN }}"
- commentOnDirty: "This pull request has conflicts, please resolve those before we can evaluate the pull request."
- commentOnClean: "Conflicts have been resolved. A maintainer will review the pull request shortly."
-
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 00000000..fca42748
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1,2 @@
+* @vyos/reviewers
+* @rebortg \ No newline at end of file
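Review bot: The two `*` patterns in the new CODEOWNERS override each other rather than combine: GitHub applies the last matching pattern, so only `@rebortg` is assigned as owner and `@vyos/reviewers` never matches anything. If both are meant to own the whole tree, put them on one line, `* @vyos/reviewers @rebortg`. The file also lacks a trailing newline, as the diff marker on the last line shows.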
diff --git a/docs/configuration/loadbalancing/reverse-proxy.rst b/docs/configuration/loadbalancing/reverse-proxy.rst
index 970e084e..044d2044 100644
--- a/docs/configuration/loadbalancing/reverse-proxy.rst
+++ b/docs/configuration/loadbalancing/reverse-proxy.rst
@@ -45,6 +45,11 @@ Service
Set SSL certificate <name> for service <name>
+.. cfgcmd:: set load-balancing reverse-proxy service <name>
+ http-response-headers <header-name> value <header-value>
+
+ Set custom HTTP headers to be included in all responses
+
Rules
^^^^^
@@ -155,6 +160,11 @@ Backend
Configure requests to the backend server to use SSL encryption without
validating server certificate
+.. cfgcmd:: set load-balancing reverse-proxy backend <name>
+ http-response-headers <header-name> value <header-value>
+
+ Set custom HTTP headers to be included in all responses using the backend
+
HTTP health check
^^^^^^^^^^^^^^^^^
@@ -291,6 +301,7 @@ HTTPS.
The ``https`` service listens on port 443 with backend ``bk-default`` to
handle HTTPS traffic. It uses certificate named ``cert`` for SSL termination.
+HSTS header is set with a 1-year expiry, to tell browsers to always use SSL for site.
Rule 10 matches requests with the exact URL path ``/.well-known/xxx``
and redirects to location ``/certs/``.
@@ -313,6 +324,7 @@ connection limit of 4000 and a minimum TLS version of 1.3.
set load-balancing reverse-proxy service https mode 'http'
set load-balancing reverse-proxy service https port '443'
set load-balancing reverse-proxy service https ssl certificate 'cert'
+ set load-balancing reverse-proxy service https http-response-headers Strict-Transport-Security value 'max-age=31536000'
set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx'
set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/'