Forward Proxy & Certificate Rotation (#325)

gambol99 · web-flow · commit fef004d56126 · 2018-03-04T17:29:22.000Z
- adding prometheus metrics for the forwarding proxy and the certificate rotation
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 
 FEATURES:
 * Added a --enable-default-deny option to make denial by default [#PR320](https://github.com/gambol99/keycloak-proxy/pull/320)
+* Added metrics latency metrics for the forwarding proxy and the certificate rotation [#PR325](https://github.com/gambol99/keycloak-proxy/pull/325)
 * Added spelling check to the tests [#PR322](https://github.com/gambol99/keycloak-proxy/pull/322)
 * Added the X-Auth-Audience to the upstream headers [#PR319](https://github.com/gambol99/keycloak-proxy/pull/319)
 * Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR315](https://github.com/gambol99/keycloak-proxy/pull/315)
diff --git a/doc.go b/doc.go
@@ -75,6 +75,12 @@ const (
 )
 
 var (
+	certificateRotationMetric = prometheus.NewCounter(
+		prometheus.CounterOpts{
+			Name: "proxy_certificate_rotation_total",
+			Help: "The total amount of times the certificate has been rotated",
+		},
+	)
 	oauthTokensMetric = prometheus.NewCounterVec(
 		prometheus.CounterOpts{
 			Name: "proxy_oauth_tokens_total",
diff --git a/forwarding.go b/forwarding.go
@@ -205,8 +205,8 @@ func (r *oauthProxy) forwardProxyHandler() func(*http.Request, *http.Response) {
 		req.URL.Host = hostname
 		// is the host being signed?
 		if len(r.config.ForwardingDomains) == 0 || containsSubString(hostname, r.config.ForwardingDomains) {
-			req.Header.Set("X-Forwarded-Agent", prog)
 			req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", state.token.Encode()))
+			req.Header.Set("X-Forwarded-Agent", prog)
 		}
 	}
 }
diff --git a/rotation.go b/rotation.go
@@ -89,6 +89,8 @@ func (c *certificationRotation) watch() error {
 							zap.String("filename", event.Name),
 							zap.Error(err))
 					}
+					// @metric inform of the rotation
+					certificateRotationMetric.Inc()
 					// step: load the new certificate
 					c.storeCertificate(certificate)
 					// step: print a debug message for us
diff --git a/server.go b/server.go
@@ -66,6 +66,7 @@ func init() {
 	time.LoadLocation("UTC")             // ensure all time is in UTC
 	runtime.GOMAXPROCS(runtime.NumCPU()) // set the core
 	// @step: register the instrumentation
+	prometheus.MustRegister(certificateRotationMetric)
 	prometheus.MustRegister(latencyMetric)
 	prometheus.MustRegister(oauthLatencyMetric)
 	prometheus.MustRegister(oauthTokensMetric)
@@ -308,6 +309,7 @@ func (r *oauthProxy) createForwardingProxy() error {
 		if resp != nil && r.config.EnableLogging {
 			start := ctx.UserData.(time.Time)
 			latency := time.Since(start)
+			latencyMetric.Observe(latency.Seconds())
 			r.log.Info("client request",
 				zap.String("method", resp.Request.Method),
 				zap.String("path", resp.Request.URL.Path),

Original file line number	Diff line number	Diff line change
`@@ -205,8 +205,8 @@ func (r oauthProxy) forwardProxyHandler() func(http.Request, *http.Response) {`
`205`	`205`	`req.URL.Host = hostname`
`206`	`206`	`// is the host being signed?`
`207`	`207`	`if len(r.config.ForwardingDomains) == 0 \|\| containsSubString(hostname, r.config.ForwardingDomains) {`
`208`		`- req.Header.Set("X-Forwarded-Agent", prog)`
`209`	`208`	`req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", state.token.Encode()))`
	`209`	`+ req.Header.Set("X-Forwarded-Agent", prog)`
`210`	`210`	`}`
`211`	`211`	`}`
`212`	`212`	`}`
Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,8 @@ func (c *certificationRotation) watch() error {`
`89`	`89`	`zap.String("filename", event.Name),`
`90`	`90`	`zap.Error(err))`
`91`	`91`	`}`
	`92`	`+ // @metric inform of the rotation`
	`93`	`+ certificateRotationMetric.Inc()`
`92`	`94`	`// step: load the new certificate`
`93`	`95`	`c.storeCertificate(certificate)`
`94`	`96`	`// step: print a debug message for us`