Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@segment/backstage-plugin-proxy-sigv4-backend
Advanced tools
Backstage backend plugin that configures endpoints for signing and proxying HTTP requests with AWS SigV4
Backend plugin that enables proxy definitions to be declared in, and read from, app-config.yaml
(just like the
built-in proxy-backend
plugin) that will be signed using the AWS Signature Version 4 (SigV4) request-signing
algorithm.
Loosely modeled after the official AWS SigV4 Proxy project (awslabs/aws-sigv4-proxy).
This plugin has already been added to the Backstage app in this repository, meaning you'll be able to try out
the plugin by firstly adding your Proxy Sigv4 Configuration to the app-config.yaml
located in
the root folder of this repository. After that, you should be able to access it by starting the app, and then navigating
to /api/proxy-sigv4/*.
This backend plugin can also be started in a standalone mode via yarn start
from within this package; however, it will
have limited functionality and this process is most convenient when developing the plugin itself. If you develop using
the standalone server, note that the plugin is mounted at the backend root and not under /api/
:
/proxy-sigv4/*.
packages/backend
yarn add --cwd packages/backend '@segment/backstage-plugin-proxy-sigv4-backend'
The AWS SigV4 Proxy backend plugin has support for the new backend system. In your packages/backend/src/index.ts
file, make the following changes:
import { createBackend } from '@backstage/backend-defaults';
const backend = createBackend();
// ... other feature additions
+ // proxy-sigv4 plugin installation
+ backend.add(import('@segment/backstage-plugin-proxy-sigv4-backend'));
backend.start();
If you are still using the legacy backend system, you'll need to add the plugin to the router in your backend
package.
You can do this by creating a file called packages/backend/src/plugins/proxy-sigv4.ts
. Example content for
proxy-sigv4.ts
could be something like this.
// packages/backend/src/plugins/proxy-sigv4.ts
import { createRouter } from '@segment/backstage-plugin-proxy-sigv4-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';
export default async function createPlugin({
logger,
config,
}: PluginEnvironment): Promise<Router> {
return await createRouter({ logger, config });
}
packages/backend
With the proxy-sigv4.ts
router setup in place, add the router to packages/backend/src/index.ts
:
// packages/backend/src/index.ts
+import proxySigV4 from './plugins/proxy-sigv4';
async function main() {
...
const createEnv = makeCreateEnv(config);
...
const proxyEnv = useHotMemoize(module, () => createEnv('proxy'));
+ const proxySigV4Env = useHotMemoize(module, () => createEnv('proxy-sigv4'));
const apiRouter = Router();
apiRouter.use('/proxy', await proxy(proxyEnv));
+ apiRouter.use('/proxy-sigv4', await proxySigV4(proxySignV4Env));
...
}
Proxy routes can be configured using either a short or expanded form.
The short form is useful when the default AWS.CredentialProviderChain
resolves to a set of AWS credentials that
have the permissions necessary to invoke the target API directly.
This is commonplace when the IAM instance profile has been configured with a role that has been granted access on
the target API and no additional AssumeRole
call is required.
This is also useful during local development when the shell environment used to start the application already has AWS credentials exported into the shell's environment variables.
proxysigv4:
'/some-local-path': https://<API ID>.execute-api.<region>.amazonaws.com
The expanded form is necessary when an AssumeRole
call is required, or if the target API service and region cannot
be automatically derived from the URL (commonplace when a custom domain name has been configured for an API Gateway
endpoint).
proxysigv4:
'/some-local-path':
target: 'https://<API ID>.execute-api.<region>.amazonaws.com'
roleArn: 'arn:aws:iam::<account>:role/<name>'
roleSessionName: tempAssumeRoleSession ## optional
When using the new backend system with the new auth services, the proxy-sigv4
backend plugin will by default allow unauthenticated requests.
To prevent this behavior, provide the following configuration:
proxysigv4:
allowUnauthenticatedRequests: false
Doing so will not add the auth policty that allows unauthenticated requests.
Refer to config.d.ts
for the full plugin type definition.
service
and region
properties
/
) will always have one implicitly applied.
https://example.com/foo
will be treated as https://example.com/foo/
FAQs
Backstage backend plugin that configures endpoints for signing and proxying HTTP requests with AWS SigV4
The npm package @segment/backstage-plugin-proxy-sigv4-backend receives a total of 301 weekly downloads. As such, @segment/backstage-plugin-proxy-sigv4-backend popularity was classified as not popular.
We found that @segment/backstage-plugin-proxy-sigv4-backend demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.