* Adding docs for setting the GONOSUMDB env var on the Athens side

  Ref https://github.com/gomods/athens/issues/1363

* Updating with multiple repos, and adding a note

* Update docs/content/configuration/sumdb.md

  Co-Authored-By: Ted Wexler <ted@stuckinacan.com>

* Qualifying "user"

Co-authored-by: Ted Wexler <ted@stuckinacan.com>
---
title: Proxying a checksum database API
description: How to configure Athens to proxy a checksum database API, and why you might want to.
weight: 4
---
# Proxying A Checksum DB
The Athens Proxy can proxy a Checksum Database as defined by the Go team's checksum database proposal.

By default, Athens proxies https://sum.golang.org. To override that behavior, or to proxy additional Checksum DBs, use the SumDBs config option or its equivalent environment variable, ATHENS_SUM_DBS.
So, for example, if you run the following command:

```
GOPROXY=<athens-url> go build
```

the Go command will send its sum.golang.org requests through Athens at `<athens-url>/sumdb/sum.golang.org`. See the proposal linked above for the exact requests Athens must answer in order to proxy a Checksum DB API.
Note that as of this documentation (May 2019), you need to explicitly set GOSUMDB=https://sum.golang.org, but the Go team is planning on enabling this by default.
## Why Proxy a Checksum DB?
This is quite important. Say you are a company running an Athens instance, and you don't want the world to know where your repositories live. For example, say you have a private repo under github.com/mycompany/secret-repo. To ensure that the Go client does not send a request to https://sum.golang.org/lookup/github.com/mycompany/secret-repo@v1.0.0, and thereby leak your private import path to the public, you need to tell Go to skip particular import paths by setting the GONOSUMDB environment variable:

```
GONOSUMDB=github.com/mycompany/* go build
```

This makes sure that Go sends no Checksum DB requests for your private import paths. However, how can you ensure that all of your employees are building private code with the right configuration?
Athens can help here by ensuring that private code flowing through it is never checked against the Checksum DB. As long as your employees use Athens, they get a helpful reminder to ensure their GONOSUMDB is configured correctly.
Athens allows the operator running the server to specify a list of patterns that must not be looked up via the upstream sum provider:

```toml
NoSumPatterns = ["github.com/mycompany/*", "github.com/secret/*"]
```
Or you can do it with an environment variable:
```console
$ export ATHENS_GONOSUM_PATTERNS="github.com/mycompany/*,github.com/secret/*"
```
Both configuration examples above specify two patterns, separated by a comma (`,`) in each case. When you use the environment variable (`export ATHENS_GONOSUM_PATTERNS`), make sure you don't include the brackets (`[` and `]`).
Either way, this configuration ensures that when Go sends a request to `<athens-url>/sumdb/sum.golang.org/github.com/mycompany/secret-repo@v1.0.0`, Athens returns a 403 and the build fails. The client learns that something is not configured correctly, and those import paths are never leaked upstream.
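The following is an added example, not Athens's own code, showing how the no-sum configuration described above behaves end to end: parsing the comma-separated `ATHENS_GONOSUM_PATTERNS` value, matching a module path against the patterns using the prefix-glob rule that Go documents for GONOSUMDB (`go help module-private`), and rejecting matching `/sumdb/<db>/lookup/<module>@<version>` requests with a 403 before they reach the upstream database. The function names, the middleware shape, the 403 message body and the `:8080` listen address are assumptions made for this example; the bracket handling illustrates why `[` and `]` must not appear in the environment variable.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"os"
	"path"
	"strings"
)

// ParseNoSumPatterns splits the comma-separated ATHENS_GONOSUM_PATTERNS value
// into individual glob patterns, trimming whitespace and dropping empty entries.
// Brackets are deliberately not stripped: a value such as "[github.com/mycompany/*]"
// produces patterns that never match, which is the misconfiguration the docs warn about.
func ParseNoSumPatterns(env string) []string {
	var out []string
	for _, p := range strings.Split(env, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// MatchesNoSum reports whether modulePath matches any pattern under the rule
// Go documents for GONOSUMDB/GOPRIVATE: each pattern is a path.Match glob applied
// to the prefix of the module path that has the same number of slash-separated
// elements, so "github.com/mycompany/*" covers "github.com/mycompany/secret-repo"
// and every sub-path below it, but not the bare "github.com/mycompany".
func MatchesNoSum(modulePath string, patterns []string) bool {
	elems := strings.Split(modulePath, "/")
	for _, pat := range patterns {
		n := strings.Count(pat, "/") + 1
		if n > len(elems) {
			continue
		}
		prefix := strings.Join(elems[:n], "/")
		// A malformed pattern (e.g. one with a stray "[") yields an error and is
		// treated as a non-match rather than silently matching everything.
		if ok, err := path.Match(pat, prefix); err == nil && ok {
			return true
		}
	}
	return false
}

// ModuleFromLookup extracts the module path from a proxied lookup request of the
// form /sumdb/<db-host>/lookup/<module>@<version>. Other sumdb endpoints
// (/latest, /tile/...) carry no module path and return ok=false.
func ModuleFromLookup(reqPath string) (module string, ok bool) {
	const prefix = "/sumdb/"
	if !strings.HasPrefix(reqPath, prefix) {
		return "", false
	}
	rest := strings.TrimPrefix(reqPath, prefix)
	i := strings.Index(rest, "/lookup/")
	if i < 0 {
		return "", false
	}
	modAtVer := rest[i+len("/lookup/"):]
	at := strings.LastIndex(modAtVer, "@")
	if at <= 0 {
		return "", false
	}
	return modAtVer[:at], true
}

// NoSumMiddleware (hypothetical name) wraps the handler that talks to the upstream
// checksum database. Lookups for modules matching a no-sum pattern get a 403 and
// never reach the upstream; everything else is passed through untouched.
func NoSumMiddleware(patterns []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if mod, ok := ModuleFromLookup(r.URL.Path); ok && MatchesNoSum(mod, patterns) {
			msg := fmt.Sprintf("%s is excluded from checksum database lookups; set GONOSUMDB on the client", mod)
			http.Error(w, msg, http.StatusForbidden) // 403, as the docs describe
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	patterns := ParseNoSumPatterns(os.Getenv("ATHENS_GONOSUM_PATTERNS"))
	// Stand-in for the real upstream proxy handler (assumption for this example).
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "would forward %s to the upstream checksum database\n", r.URL.Path)
	})
	log.Fatal(http.ListenAndServe(":8080", NoSumMiddleware(patterns, upstream)))
}
```

Run it with `ATHENS_GONOSUM_PATTERNS="github.com/mycompany/*,github.com/secret/*"` and request `/sumdb/sum.golang.org/lookup/github.com/mycompany/secret-repo@v1.0.0` to see the 403; a lookup for a public module is forwarded. Note that non-lookup sumdb endpoints (`/latest`, `/tile/...`) carry no module path and are never blocked by this check, so the private import path is protected at the only endpoint that would reveal it.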