examples: add spa.yml for single page application examples

2025-04-28 17:25:49 +02:00
parent e49c4ae72f
commit 6db839e23f
3 changed files with 109 additions and 1 deletions
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@@ -44,6 +44,15 @@ local Build(mirror, go, alpine, os, arch) = {
                "./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/generic.yml --policy-snippets examples/snippets/"
            ],
        },
+        {
+            name: "check-policy-spa",
+            image: "alpine:" + alpine,
+            mirror: mirror,
+            depends_on: ["build"],
+            commands: [
+                "./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80 --policy examples/spa.yml --policy-snippets examples/snippets/"
+            ],
+        },
        {
            name: "test-wasm-success",
            image: "alpine:" + alpine,
--- a/.drone.yml
+++ b/.drone.yml
@@ -35,6 +35,14 @@ steps:
  image: alpine:3.21
  mirror: https://mirror.gcr.io
  name: check-policy-generic
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/spa.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: check-policy-spa
 - commands:
  - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
    -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
@@ -95,6 +103,14 @@ steps:
  image: alpine:3.21
  mirror: https://mirror.gcr.io
  name: check-policy-generic
+- commands:
+  - ./.bin/go-away --check --slog-level DEBUG --backend example.com=http://127.0.0.1:80
+    --policy examples/spa.yml --policy-snippets examples/snippets/
+  depends_on:
+  - build
+  image: alpine:3.21
+  mirror: https://mirror.gcr.io
+  name: check-policy-spa
 - commands:
  - ./.bin/test-wasm-runtime -wasm ./embed/challenge/js-pow-sha256/runtime/runtime.wasm
    -make-challenge ./embed/challenge/js-pow-sha256/test/make-challenge.json -make-challenge-out
@@ -408,6 +424,6 @@ trigger:
 type: docker
 ---
 kind: signature
-hmac: 7d15ec708707d96b5741471555875d0001b84da74a7688baf0bae6fea0dbf138
+hmac: 6eab8ae9773b048e780db2bf9d440095eb5615d0baf8da71878069ad7124e167

 ...
--- a/examples/spa.yml
+++ b/examples/spa.yml
@@ -0,0 +1,83 @@
+# Example cmdline (forward requests from upstream to port :8080)
+# $ go-away --bind :8080 --backend site.example.com=http://site:3000 --policy examples/spa.yml --policy-snippets example/snippets/ --challenge-template anubis
+
+
+
+# Define networks to be used later below
+networks:
+  # Networks will get included from snippets
+
+
+challenges:
+  # Challenges will get included from snippets
+  
+conditions:
+  # Conditions will get replaced on rules AST when found as ($condition-name)
+
+
+  is-static-asset:
+    - 'path == "/apple-touch-icon.png"'
+    - 'path == "/apple-touch-icon-precomposed.png"'
+    - 'path.matches("\\.(manifest|ttf|woff|woff2|jpg|jpeg|gif|png|webp|avif|svg|mp4|webm|css|js|mjs|wasm)$")'
+    # Add other paths where you have static assets
+    # - 'path.startsWith("/static/") || path.startsWith("/assets/")'
+
+
+# Rules are checked sequentially in order, from top to bottom
+rules:
+  - name: allow-well-known-resources
+    conditions:
+      - '($is-well-known-asset)'
+    action: pass
+
+  - name: allow-static-resources
+    conditions:
+      - '($is-static-asset)'
+    action: pass
+
+  - name: unknown-crawlers
+    conditions:
+      # No user agent set
+      - 'userAgent == ""'
+    action: deny
+
+  # Enable fetching OpenGraph and other tags from backend on index
+  - name: enable-meta-tags
+    action: context
+    conditions:
+      - 'path == "/" || path == "/index.html"'
+    settings:
+      context-set:
+        # Map OpenGraph or similar <meta> tags back to the reply, even if denied/challenged
+        proxy-meta-tags: "true"
+
+  # Challenge incoming visitors so challenge is remembered on api endpoints
+  # API requests will have this challenge stored
+  - name: index
+    conditions:
+      - 'path == "/" || path == "/index.html"'
+    settings:
+      challenges: [ preload-link, meta-refresh, resource-load, js-pow-sha256 ]
+    action: challenge
+
+  # Allow PUT/DELETE/PATCH/POST requests in general
+  - name: non-get-request
+    action: pass
+    conditions:
+      - '!(method == "HEAD" || method == "GET")'
+
+  # Challenge rest of endpoints (SPA API etc.)
+  # Above rule on index ensures clients have passed a challenge beforehand
+  - name: standard-browser
+    action: challenge
+    settings:
+      challenges: [ preload-link, meta-refresh, resource-load, js-pow-sha256 ]
+    conditions:
+      - '($is-generic-browser)'
+
+  - name: other-fetchers
+    action: challenge
+    settings:
+      challenges: [ cookie ]
+    conditions:
+      - '!($is-generic-browser)'