diff --git a/content/guides/otoroshi.md b/content/guides/otoroshi.md new file mode 100644 index 000000000..87c5f8578 --- /dev/null +++ b/content/guides/otoroshi.md @@ -0,0 +1,304 @@ +--- +type: docs +linkTitle: Otoroshi Advanced Features +title: Otoroshi Advanced Features Guide +description: Configure and use Otoroshi advanced features including WAF, Reverse Proxy, Rate Limiting, and Canary Deployments with detailed tutorials and best practices +keywords: +- otoroshi +- api gateway +- waf +- reverse proxy +- canary deployment +- rate limiting +- load balancing +--- + +Otoroshi is a modern API Gateway that provides powerful features to secure, manage, and optimize your services. + +This guide covers the main features tested and validated for deployment on Clever Cloud. + +--- + +## WAF (Web Application Firewall) + +Otoroshi integrates **Coraza**, an open-source WAF compatible with ModSecurity rules and compliant with OWASP recommendations. It filters and blocks malicious requests before they reach your applications. + +### Configuration + +#### Step 1: Create a WAF Item + +1. Navigate to **Categories β†’ WAF β†’ WAF Config** +2. Click **Add item** +3. Add your security directives + +#### Example Directives + +``` +SecRuleEngine On +SecRule REQUEST_HEADERS:X-Forwarded-For "@rx " "id:1001,deny,status:403,log,msg:'IP bloquee'" +``` + +**Directive Explanations:** + +- **`SecRuleEngine On`** : Enables the Coraza rules engine. Without this directive, no rules are evaluated +- **`SecRule REQUEST_HEADERS:X-Forwarded-For`** : Rule applied in phase 1 (header analysis) that reads the real client IP from the `X-Forwarded-For` header, required because requests go through Clever Cloud load balancers +- **`@rx `** : Regex operator that matches the header value against the provided IPv4 address +- **`id:1001`** : Mandatory unique identifier for the rule +- **`phase:1`** : Evaluation during the header analysis phase, before request body processing +- **`deny`** : Disruptive action that rejects the request +- **`status:403`** : HTTP status code returned to the blocked client +- **`log`** : Records the event in the logs +- **`msg:'IP blocked'`** : Message associated with the event in the logs + +**Further Reading:** +- πŸ“– [Coraza SecLang Documentation](https://coraza.io/docs/seclang/) β€” Full reference for all directives, operators, variables and actions +- πŸ›‘οΈ [OWASP Core Rule Set with Coraza](https://coraza.io/docs/tutorials/coreruleset/) β€” How to enable and configure the OWASP CRS for broader WAF protection + +{{< callout type="warning" >}} +**Important** : Each directive must be on a **separate line** in the directives field. Mixing multiple directives in a single entry will cause a WASM runtime crash and may lead to Out of Memory errors on your Otoroshi instance. +{{< /callout >}} + +{{< callout type="info" >}} +**Note** : Using `REQUEST_HEADERS:X-Forwarded-For` instead of `REMOTE_ADDR` is mandatory behind a load balancer. `REMOTE_ADDR` would contain the load balancer's IP address instead of the real client IP. + +Additionally, **IPv4 addresses are required**. IPv6 addresses are not reliably supported by the Coraza WASM module embedded in Otoroshi. Use `curl -4 ifconfig.io` to retrieve your IPv4 address. +{{< /callout >}} + +#### Step 2: Create and Configure a Route + +1. Navigate to **Shortcuts β†’ Routes β†’ Create new route** +2. Configure the **Frontend** (public entry point): + - Public URL used by your clients (set on Otoroshi addon) +3. Configure the **Backend** (actual service): + - Internal URL of your application that will process requests (set on your application) +4. Add the **WAF** in the "Plugins" section + +{{< callout type="info" >}} +The frontend DNS must point to Otoroshi, not directly to your application. The backend URL is used by Otoroshi to proxy requests after applying WAF rules. +{{< /callout >}} + +--- + +## Reverse Proxy + +### Overview + +Otoroshi natively supports multiple protocols: + +- **HTTP/HTTPS**: Standard web requests +- **TCP**: Raw TCP connections (databases, custom services) +- **gRPC**: Modern RPC protocol based on HTTP/2 + +### Configuring a Simple Reverse Proxy + +Otoroshi's versatile protocol support allows it to act as a reverse proxy for various types of services: + +1. **Create a route** in Otoroshi +2. **Configure the Frontend**: + - Public hostname, port, and path (set on Otoroshi addon) +3. **Configure the Backend**: + - IP + port or URL of your actual service (set on your application) + +Otoroshi intercepts incoming requests, applies your rules (security, rate limiting, etc.), and forwards them to the backend. + +**Use Cases:** +- Proxy HTTP/HTTPS requests to web applications +- Forward TCP connections to databases or custom services +- Route gRPC calls to microservices + +### Frontend vs Backend + +**Frontend**: The public entry point that clients use to access your service. This is the URL your users will call. + +**Backend**: The actual internal address of your application/service that processes requests. Otoroshi proxies requests to this address after filtering through WAF and other plugins. + +{{< callout type="info" >}} +Your DNS must point the frontend domain to Otoroshi, not to your backend application. The backend URL is used internally by Otoroshi to forward filtered traffic. +{{< /callout >}} + +--- + +## Rate Limiting & Custom Quotas + +### Overview + +Rate limiting protects your services from abuse by controlling the number of requests allowed per time period. Otoroshi provides flexible quota management based on various criteria. + +### Implementation + +To limit the number of requests per IP or per user: + +1. Navigate to your route's configuration +2. Add the **"Custom quotas"** plugin in the "Plugins" section +3. Configure the following parameters: + - **Quota**: Number of authorized requests + - **Period**: Time window (per second, minute, hour, day) + - **Criteria**: IP address, API key, user, etc. + +**Common Use Cases:** +- Protect your APIs against abuse and brute force attacks +- Manage differentiated quotas for commercial tiers +- Mitigate DDoS attempts +- Implement fair usage policies (free vs paid tiers) + +### Configuration Example + +```json +{ + "throttling_quota": "1000", + "throttling_period": "3600", + "throttling_by": "ip" +} +``` + +This configuration allows **1000 requests per hour per IP address**. + +### Additional Options + +You can customize rate limiting based on: +- **IP address**: Limit per visitor +- **API key**: Different quotas per client +- **User**: Authenticated user limits +- **Custom header**: Advanced filtering + +--- + +## Canary Deployments + +Canary mode allows you to test a new version of your application on a percentage of traffic before a complete deployment. This technique reduces risk by gradually exposing new code to production users. + +### Method 1: Route-Level Configuration with Plugin (Recommended) + +This method provides more granular control and is easier to configure for single routes. + +#### Configuration Steps + +1. **Create a new route** +2. **Select the "Canary Mode" plugin** +3. **Configure the following parameters**: + - **Frontend**: Public URL (set on Otoroshi addon) + - **Canary mode**: + - **Traffic**: 0.2 for 20% redirection to canary (or 0.5 for 50%) + - **Targets**: + - Hostname: `app-canary.cleverapps.io` + - Port: `443` + - Weight: `1` + - **Backend**: Stable application URL (e.g., `app-stable.cleverapps.io`) + +#### Complete Test Script + +```sh +#!/bin/bash + +echo "=== Otoroshi Canary Mode Test ===" +echo "Date: $(date)" +echo "" + +STABLE=0 +CANARY=0 +UNKNOWN=0 + +# Replace with your actual Otoroshi frontend URL +FRONTEND_URL="http://myapp.mydomain.com" + +for i in {1..100}; do + RESPONSE=$(curl -L -s "$FRONTEND_URL") + + if echo "$RESPONSE" | grep -q "STABLE"; then + ((STABLE++)) + elif echo "$RESPONSE" | grep -q "CANARY"; then + ((CANARY++)) + else + ((UNKNOWN++)) + fi + + echo -n "." +done + +echo "" +echo "" +echo "Results over 100 requests:" +echo " β†’ Stable: $STABLE" +echo " β†’ Canary: $CANARY" +echo " β†’ Unknown: $UNKNOWN" +echo "" + +PERCENT_CANARY=$((CANARY)) +echo "Canary rate: ${PERCENT_CANARY}%" +``` + +#### Expected Results + +- Traffic at **0.2** (20%): ~20% to CANARY, ~80% to STABLE +- Traffic at **0.5** (50%): ~50% to CANARY, ~50% to STABLE + +{{< callout type="warning" >}} +Always monitor error rates and latency when testing canary deployments. Start with a low percentage (5-10%) and gradually increase if metrics remain healthy. +{{< /callout >}} + +--- + +### Method 2: Service-Level Configuration + +This method is useful for managing multiple routes with the same canary configuration. + +#### Configuration Steps + +1. **Create a new Service**: + ``` + Name: "My Service" + Description: "Service with Canary" + ``` + +2. **Service Exposition Settings**: + ``` + Exposed domain: myapp.mydomain.com + Legacy domain: true + Strip path: true + ``` + +3. **Service Targets**: + ``` + Load balancing: WeightBestResponseTime + Weight ratio: 0.2 + + Target 1: app-stable.cleverapps.io (STABLE) + Target 2: app-canary.cleverapps.io (CANARY) + ``` + +4. **URL Patterns**: + ``` + Public patterns: "/.*" + ``` + +#### Testing + +```sh +# Replace with your actual frontend URL +out=$(for i in {1..200}; do curl -s https://myapp.mydomain.com | grep Version; done); +echo "CANARY: $(echo "$out" | grep -c CANARY)" +echo "STABLE: $(echo "$out" | grep -c STABLE)" +``` + +Expected Result: ~40 requests to CANARY, ~160 to STABLE (20/80 ratio) +{{< callout type=β€œinfo” >}} +Traffic Flow: Client β†’ your-domain.com β†’ Otoroshi β†’ { stable / canary } +{{< /callout >}} + +### Load Balancing Strategies + +When using canary deployments, you can choose from several load balancing algorithms: +- WeightBestResponseTime: Routes traffic based on response time and weights +- RoundRobin: Distributes requests evenly across targets +- Random: Randomly selects a target for each request +- IpAddressHash: Routes based on client IP (sticky sessions) + +--- +## Resources + +- Official Otoroshi Documentation : https://maif.github.io/otoroshi/ +- Clever Cloud Documentation : https://www.clever.cloud/developers/doc/ +- OWASP ModSecurity Core Rule Set : https://owasp.org/www-project-modsecurity-core-rule-set/ +- Coraza WAF Documentation : https://coraza.io/ +- API Gateway Patterns : https://microservices.io/patterns/apigateway.html +