In addition to securely exposing Services publicly via the BeyondCorp access mode (read more here), Octelium also enables you to completely publicly expose HTTP-based Services (namely HTTP, GRPC and WEB Service modes) to anonymous access, eliminating access control for such Services. This allows you to effectively use Octelium as a hosting platform where you can publicly expose Services to the public internet whose upstreams might be served from anywhere (e.g. anywhere behind NAT such as your laptop, private clouds, etc.), as well as a self-hosted PaaS for containerized applications that are deployed and managed by Octelium itself (read more about managed containers here).
It's extremely important to understand that enabling the anonymous public mode for a certain Service completely eliminates both authentication and authorization for that Service. This is by itself against what zero trust is all about. If you want anonymous authorization, check out that section here.
The Octelium Cluster currently uses the anonymous mode mainly for the AuthService, which is exposed publicly to the internet to authenticate users, both in WEB mode, using OpenID Connect and SAML 2.0 identity providers (IdPs), and through its authentication gRPC service.
To enable the anonymous public mode, you only need to enable the isPublic and isAnonymous fields as follows:
```yaml
kind: Service
metadata:
  name: svc1
spec:
  mode: HTTP
  config:
    upstream:
      url: http://nginx.local
  isPublic: true
  isAnonymous: true
```
Anonymous Authorization
Starting from v0.28.0, Octelium can now provide anonymous authorization via the enableAnonymous boolean flag. This effectively enables anonymous Services to operate as web application firewalls (WAF) and control access based on the request's path, method, headers (e.g. user agent), query parameters, and body content, including serialized JSON body content. Here is an example:
```yaml
kind: Service
metadata:
  name: svc1
spec:
  mode: HTTP
  isPublic: true
  isAnonymous: true
  config:
    upstream:
      url: https://example.com
  authorization:
    enableAnonymous: true
    inlinePolicies:
      - spec:
          rules:
            - effect: ALLOW
              condition:
                all:
                  of:
                    - match: ctx.request.http.method in ["GET", "POST", "PUT", "DELETE"]
                    - match: ctx.request.http.path.startsWith("/apis")
                    - match: ctx.request.http.uri == "/apis/users?name=john"
                    - match: ctx.request.http.queryParams.name == "john"
                    - match: ctx.request.http.headers["x-custom-header"] == "this-value"
                    - match: ctx.request.http.scheme == "http"
                    - match: string(ctx.request.http.body).toLower().contains("value1")
                    - match: ctx.request.http.bodyMap.key1 == "value1"
```
As is the case with the default authenticated authorization, anonymous authorization, when enabled, denies all requests by default (i.e. a status code of 403 is returned). That means a request is denied unless at least one rule matches it.
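To make the deny-by-default semantics of the rule above concrete, here is an added illustrative evaluator written for this page; it is not Octelium's own policy engine (which evaluates the `match` expressions server-side), and the `HttpRequest` class, the `authorize` function and the sample requests are all constructed for the example. Each lambda mirrors one `match:` line from the policy, and the sample requests show a request that satisfies every condition, one missing the custom header, one where the case-insensitive body check passes but the `bodyMap` comparison does not, and one whose body is not JSON at all.

```python
"""Illustrative evaluator for the page's anonymous authorization example.

Added example: this is NOT Octelium's engine. It reproduces the semantics
the page describes for a single Service: each rule is effect ALLOW with an
all-of condition list, and when no rule matches the request is denied (403).
"""
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpRequest:
    """Constructed stand-in for ctx.request.http; header names are
    normalised to lowercase so lookups behave like the policy's headers map."""
    method: str
    uri: str                      # path plus optional query, e.g. "/apis/users?name=john"
    scheme: str = "http"
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def __post_init__(self):
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    @property
    def path(self) -> str:
        return urlsplit(self.uri).path

    @property
    def query_params(self) -> dict:
        # first value wins, giving a simple name -> value map like queryParams
        return {k: v[0] for k, v in parse_qs(urlsplit(self.uri).query).items()}

    @property
    def body_map(self) -> dict:
        # bodyMap is only meaningful for a JSON object body; anything else
        # (empty, invalid JSON, a JSON array) yields an empty map so that a
        # lookup such as bodyMap.key1 simply fails to match instead of raising.
        try:
            parsed = json.loads(self.body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return {}
        return parsed if isinstance(parsed, dict) else {}


# One predicate per `match:` line of the page's inlinePolicies example, in order.
EXAMPLE_CONDITIONS = [
    lambda r: r.method in ("GET", "POST", "PUT", "DELETE"),
    lambda r: r.path.startswith("/apis"),
    lambda r: r.uri == "/apis/users?name=john",
    lambda r: r.query_params.get("name") == "john",
    lambda r: r.headers.get("x-custom-header") == "this-value",
    lambda r: r.scheme == "http",
    lambda r: "value1" in r.body.decode("utf-8", "replace").lower(),
    lambda r: r.body_map.get("key1") == "value1",
]

# A policy is a list of (effect, all-of conditions) rules; the page shows one ALLOW rule.
EXAMPLE_POLICY = [("ALLOW", EXAMPLE_CONDITIONS)]


def authorize(req: HttpRequest, policy) -> int:
    """Return the status the anonymous Service answers with: 200 when some
    ALLOW rule has every condition satisfied, otherwise 403 (deny by default)."""
    for effect, conditions in policy:
        if effect == "ALLOW" and all(cond(req) for cond in conditions):
            return 200
    return 403


def demo() -> dict:
    """Evaluate four constructed requests against the page's policy."""
    body = b'{"key1": "value1"}'
    good = HttpRequest("GET", "/apis/users?name=john",
                       headers={"X-Custom-Header": "this-value"}, body=body)
    missing_header = HttpRequest("GET", "/apis/users?name=john", body=body)
    # toLower().contains("value1") passes here, but bodyMap.key1 is "VALUE1"
    case_mismatch = HttpRequest("GET", "/apis/users?name=john",
                                headers={"x-custom-header": "this-value"},
                                body=b'{"key1": "VALUE1"}')
    bad_json = HttpRequest("GET", "/apis/users?name=john",
                           headers={"x-custom-header": "this-value"},
                           body=b"value1 but not json")
    return {
        "good": authorize(good, EXAMPLE_POLICY),
        "missing_header": authorize(missing_header, EXAMPLE_POLICY),
        "case_mismatch": authorize(case_mismatch, EXAMPLE_POLICY),
        "bad_json": authorize(bad_json, EXAMPLE_POLICY),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:15s} -> {status}")
```

Only the first request is answered with 200; the other three fall through to the default 403 because a single failed condition in an all-of list is enough to make the ALLOW rule not match, and no other rule exists.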
You might also want to check out HTTP plugins to implement the same filtering functionality in the anonymous mode while being able to return custom response status codes, body content and headers.
Public DNS and TLS Certificate
Since public Services are exposed to the internet, you need to set the public DNS and TLS certificate of the Service. You can read more about managing public DNS here and TLS certificates here.