github.com/zalando/skipper
Skipper is an HTTP router and reverse proxy for service composition. It's designed to handle >300k HTTP route definitions with detailed lookup conditions, and flexible augmentation of the request flow with filters. It can be used out of the box or extended with custom lookup, filter logic and configuration sources.
An overview of deployments and data clients shows some of the use cases Skipper is run for.
Skipper
Skipper provides a default executable command with a few built-in filters. However, its primary use case is to be extended with custom filters, predicates or data sources. Go here for additional documentation.
A few examples for extending Skipper:
In order to build and run Skipper, only the latest version of Go needs to be installed. Skipper can use Innkeeper or Etcd as data sources for routes, or for the simplest cases, a local configuration file. See more details in the documentation: https://pkg.go.dev/github.com/zalando/skipper
Download binary tgz from https://github.com/zalando/skipper/releases/latest
Example, assuming you have $GOBIN set to a directory that exists and is in your $PATH:
% curl -LO https://github.com/zalando/skipper/releases/download/v0.14.8/skipper-v0.14.8-linux-amd64.tar.gz
% tar xzf skipper-v0.14.8-linux-amd64.tar.gz
% mv skipper-v0.14.8-linux-amd64/* $GOBIN/
% skipper -version
Skipper version v0.14.8 (commit: 95057948, runtime: go1.19.1)
% git clone https://github.com/zalando/skipper.git
% make
% ./bin/skipper -version
Skipper version v0.14.8 (commit: 95057948, runtime: go1.19.3)
Create a file with a route:
echo 'hello: Path("/hello") -> "https://www.example.org"' > example.eskip
Optionally, verify the file's syntax:
eskip check example.eskip
If no errors are detected, nothing is logged; otherwise a descriptive error is logged.
Start Skipper and make an HTTP request:
skipper -routes-file example.eskip &
curl localhost:9090/hello
To run the latest Docker container:
docker run registry.opensource.zalan.do/teapot/skipper:latest
To run eskip, you first mount the .eskip file into the container and run the command:
docker run \
-v $(PWD)/doc-docker-intro.eskip:/doc-docker-intro.eskip \
registry.opensource.zalan.do/teapot/skipper:latest eskip print doc-docker-intro.eskip
To run skipper, you first mount the .eskip file into the container, expose the ports and run the command:
docker run -it \
-v $(PWD)/doc-docker-intro.eskip:/doc-docker-intro.eskip \
-p 9090:9090 \
-p 9911:9911 \
registry.opensource.zalan.do/teapot/skipper:latest skipper -routes-file doc-docker-intro.eskip
Skipper will then be available on http://localhost:9090
Skipper can be used as an authentication proxy to check incoming requests with Basic auth, an OAuth2 provider or an OpenID Connect provider, including audit logging. See the documentation at: https://pkg.go.dev/github.com/zalando/skipper/filters/auth.
Getting the code with the test dependencies (-t switch):
git clone https://github.com/zalando/skipper.git
cd skipper
Build and test all packages:
make deps
make install
make lint
make shortcheck
On Mac the tests may fail because of a low max open file limit. Please make sure you have the correct limits set up by following these instructions.
To run or debug skipper from IntelliJ IDEA or GoLand, you need to create this configuration:
Parameter | Value
---|---
Template | Go Build
Run kind | Directory
Directory | skipper source dir + /cmd/skipper
Working directory | skipper source dir (usually the default)
Skipper can be used as a Kubernetes Ingress controller. Details, examples of Skipper's capabilities and an overview can be found in our ingress-controller deployment docs.
For AWS integration, we provide an ingress controller, https://github.com/zalando-incubator/kube-ingress-aws-controller, that manages ALBs or NLBs in front of your skipper deployment. A production example for skipper and a production example for kube-ingress-aws-controller can be found in our Kubernetes configuration: https://github.com/zalando-incubator/kubernetes-on-aws.
Skipper's documentation and Godoc developer documentation include information about deployment use cases and detailed information on these topics:
The following example shows a skipper routes file in eskip format that has 3 named routes: baidu, google and yandex.
% cat doc-1min-intro.eskip
baidu:
Path("/baidu")
-> setRequestHeader("Host", "www.baidu.com")
-> setPath("/s")
-> setQuery("wd", "godoc skipper")
-> "http://www.baidu.com";
google:
*
-> setPath("/search")
-> setQuery("q", "godoc skipper")
-> "https://www.google.com";
yandex:
* && Cookie("yandex", "true")
-> setPath("/search/")
-> setQuery("text", "godoc skipper")
-> tee("http://127.0.0.1:12345/")
-> "https://yandex.ru";
Matching the route:
- baidu uses Path() matching to differentiate the HTTP requests and select the route.
- google is the default route: the * predicate matches any request.
- yandex is selected if you have a cookie yandex=true (* && Cookie("yandex", "true")).
Request Filters:
- baidu: setRequestHeader() sets the Host header, setPath() rewrites the path to /s and setQuery() sets the wd query parameter.
- google: setPath() and setQuery() rewrite the path and query before the request is proxied.
- yandex: setPath() and setQuery() rewrite the request, and tee() sends a copy of it (shadow traffic) to http://127.0.0.1:12345/ while the original is proxied to the backend.
Run skipper with the routes file doc-1min-intro.eskip shown above
% skipper -routes-file doc-1min-intro.eskip
To test each route you can use curl:
% curl -v localhost:9090/baidu
% curl -v localhost:9090/
% curl -v --cookie "yandex=true" localhost:9090/
To see the shadow traffic request that is made by the tee() filter you can use nc:
[terminal1]% nc -l 12345
[terminal2]% curl -v --cookie "yandex=true" localhost:9090/
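The routes file above is only three statements, so its structure is a good thing to see decomposed: a route id, predicates joined by &&, a chain of filters and the backend. The following Go program (an added example, not part of the Skipper project; the real parser is the eskip package) reads exactly that subset and reports malformed routes the way the `eskip check` step earlier on the page does; DocIntro is the doc-1min-intro.eskip content, reflowed onto fewer lines.

```go
package main

import (
	"fmt"
	"strings"
)

const DocIntro = `baidu: Path("/baidu") -> setRequestHeader("Host", "www.baidu.com")
  -> setPath("/s") -> setQuery("wd", "godoc skipper") -> "http://www.baidu.com";
google: * -> setPath("/search") -> setQuery("q", "godoc skipper") -> "https://www.google.com";
yandex: * && Cookie("yandex", "true") -> setPath("/search/") -> setQuery("text", "godoc skipper")
  -> tee("http://127.0.0.1:12345/") -> "https://yandex.ru";`

// Route is one parsed eskip route: id, predicate terms, filter calls and backend URL.
type Route struct {
	ID, Backend         string
	Predicates, Filters []string
}

// ParseEskip reads the eskip subset used above: a route ends with ';', its segments are
// chained with "->", the first is "id: predicates" (joined by "&&"), the last is the quoted
// backend, everything between is a filter. Assumption: quoted strings contain no ';' or "->".
func ParseEskip(doc string) ([]Route, error) {
	var routes []Route
	for _, stmt := range strings.Split(strings.TrimSuffix(strings.TrimSpace(doc), ";"), ";") {
		parts := strings.Split(stmt, "->")
		if len(parts) < 2 {
			return nil, fmt.Errorf("route without backend: %q", strings.TrimSpace(stmt))
		}
		id, preds, ok := strings.Cut(parts[0], ":")
		if id = strings.TrimSpace(id); !ok || id == "" {
			return nil, fmt.Errorf("route without id: %q", strings.TrimSpace(parts[0]))
		}
		r := Route{ID: id, Backend: strings.Trim(strings.TrimSpace(parts[len(parts)-1]), `"`)}
		for _, p := range strings.Split(preds, "&&") {
			r.Predicates = append(r.Predicates, strings.TrimSpace(p))
		}
		for _, f := range parts[1 : len(parts)-1] {
			r.Filters = append(r.Filters, strings.TrimSpace(f))
		}
		routes = append(routes, r)
	}
	return routes, nil
}

func main() { // like `eskip check`: silent on success, a descriptive error otherwise
	if _, err := ParseEskip(DocIntro); err != nil {
		fmt.Println(err)
	}
}
```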
This introduction was moved to the ingress controller documentation.
For more details, please check out our Kubernetes ingress controller docs, our ingress usage and how to handle common backend problems in Kubernetes.
See https://github.com/zalando/skipper/blob/master/packaging/readme.md
In case you want to implement and link your own modules into your skipper, there is the https://github.com/skipper-plugins organization to enable you to do so. To explain the build process with custom Go modules there is https://github.com/skipper-plugins/skipper-tracing-build, which was used to build skipper's opentracing package.
We moved the opentracing plugin source into the tracing package, so there is no need to use plugins for this case.
Because Go plugins are not very well supported by Go itself, we do not recommend using plugins; instead you can extend skipper as a library and build your own proxy.
User or developer questions can be asked in our public Google Group.
We have a slack channel #skipper in gophers.slack.com. Get an invite. If for some reason this link doesn't work, you can find more information about the gophers communities here.
The preferred communication channel is the slack channel, because adding members to the Google group is a manual process. If you dislike chat, feel free to create an issue and post your questions there.
We make our proposals openly in Skipper's Google Drive. If you want to make a proposal, feel free to create an issue; if it is a bigger change we will invite you to a document so that we can work on it together.
Zalando used this project as the shop frontend HTTP router with 350000 routes. We use it as Kubernetes ingress controller in more than 100 production clusters, with daily traffic between 500k and 7M RPS, serving 15000 ingresses and 3750 RouteGroups at less than 5¢ per 1M requests. We also run several custom skipper instances that use skipper as a library.
Sergio Ballesteros from spotahome said in 2018:
We also ran tests with several ingress controllers and skipper gave us the most reliable results. Currently we have been running skipper for almost 2 years with like 20K Ingress rules. The fact that skipper is written in go let us understand the code, add features and fix bugs since all of our infra stack is golang.
Blog posts:
Conference/Meetups talks
Skipper will update the minor version in case we have either:
- a change to the go directive in go.mod
- a replace directive added to or removed from the go.mod file (requires library users to add or remove the same directive in their go.mod file)
We expect that skipper library users will use skipper.Run(skipper.Options{}) as the main interface, which we do not want to break. Besides the Kubernetes v1beta1 removal there was never a change that removed an option. We also do not want to break generic useful packages like net. Sometimes we mark library functions that we expect to be useful as experimental, because we want to try and learn over time if this is a good API decision or if this limits us.
This promise holds for the main, filter, predicate, dataclient and eskip interfaces and the generic packages. For other packages we make a weaker backwards-compatibility promise, as these are more internal packages. We try to avoid breaking changes in internal packages too, but if that would mean too much work or make it impossible to build new functionality as we would like, we will make a breaking change, strictly following semantic versioning rules.
Every update that changes the minor version (the m in v0.m.p) should be done by +1 only. So go from v0.N.x to v0.N+1.y, and read the v0.N+1.0 release page to see what can break and what you have to do in order to have no issues while updating.