Enterprise-grade security gateway for the Go Coffee microservices platform, providing comprehensive protection against modern threats while maintaining high performance.
- Web Application Firewall (WAF) - Protection against OWASP Top 10
- Rate Limiting - Distributed rate limiting with Redis backend
- Input Validation - Comprehensive request sanitization
- Threat Detection - Real-time ML-powered threat analysis
- API Gateway - Secure request routing and load balancing
- Security Headers - HSTS, CSP, X-Frame-Options enforcement
- Geo-blocking - Country-based access control
- Bot Detection - Automated bot identification and blocking
- Device Fingerprinting - Track and analyze client devices
- Behavioral Analysis - Detect unusual usage patterns
- DDoS Protection - Distributed denial of service mitigation
- SSL/TLS Termination - Secure communication handling
- Real-time Metrics - Prometheus-compatible metrics
- Security Events - Comprehensive event logging
- Threat Intelligence - External threat feed integration
- Alerting - Automated incident notifications
- Dashboards - Grafana-based visualization
- Go 1.21+
- Redis 7.0+
- Docker & Docker Compose (optional)
- Clone and setup:

```bash
git clone https://github.com/DimaJoyti/go-coffee.git
cd go-coffee
```

- Install dependencies:

```bash
make -f Makefile.security-gateway deps
```

- Start Redis:

```bash
make -f Makefile.security-gateway redis-start
```

- Run the service:

```bash
make -f Makefile.security-gateway run-dev
```

- Start all services with Docker Compose:

```bash
docker-compose -f docker-compose.security-gateway.yml up -d
```

- Check health:

```bash
curl http://localhost:8080/health
```

Environment variables (the key and secret values shown are placeholders):

```bash
# Server Configuration
SERVER_PORT=8080
SERVER_HOST=0.0.0.0

# Redis Configuration
REDIS_URL=redis://localhost:6379
REDIS_DB=0
REDIS_PASSWORD=

# Security Configuration
AES_KEY=your-aes-key-base64
RSA_KEY=your-rsa-private-key-pem
JWT_SECRET=your-jwt-secret

# Service URLs
AUTH_SERVICE_URL=http://localhost:8081
ORDER_SERVICE_URL=http://localhost:8082
PAYMENT_SERVICE_URL=http://localhost:8083
USER_SERVICE_URL=http://localhost:8084

# Logging
LOG_LEVEL=info
ENVIRONMENT=development
```

The service uses config/config.yaml for detailed configuration:

```yaml
# Security Gateway Configuration
security:
  # Rate Limiting
  rate_limit:
    enabled: true
    requests_per_minute: 100
    burst_size: 20
    cleanup_interval: "1m"

  # Web Application Firewall
  waf:
    enabled: true
    block_suspicious_ip: true
    allowed_countries: ["US", "CA", "GB", "DE", "FR", "UA"]
    blocked_countries: ["CN", "RU", "KP"]
    max_request_size: 10485760 # 10MB

  # Input Validation
  validation:
    max_input_length: 10000
    strict_mode: true
    enable_sanitization: true

  # Monitoring
  monitoring:
    enable_real_time_monitoring: true
    retention_period: "720h" # 30 days
    enable_threat_intelligence: true
```

Health and monitoring endpoints:

```text
# Health check
GET /health

# Metrics (Prometheus format)
GET /metrics

# Security metrics
GET /api/v1/security/metrics

# Security alerts
GET /api/v1/security/alerts
```

Security API:

```text
# Validate input
POST /api/v1/security/validate
{
  "type": "email|password|url|ip|input",
  "value": "input-to-validate"
}

# Get security metrics
GET /api/v1/security/metrics

# Get security alerts
GET /api/v1/security/alerts?limit=50&status=open&severity=high
```
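The validate endpoint above is described only by its request shape. The following is an added example, not code from the go-coffee project, of how a handler for `POST /api/v1/security/validate` can implement the five listed types with allow-list parsers from the Go standard library (the response fields, the `X`-free JSON schema, the 12-character password rule and the handler name `ValidateHandler` are this example's own assumptions). The `max_input_length` bound from config.yaml is applied before any type-specific check, and the `input` type returns an HTML-escaped copy to match the `enable_sanitization` option.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"io"
	"net"
	"net/http"
	"net/mail"
	"net/url"
	"unicode"
)

// maxInputLength mirrors validation.max_input_length in config.yaml.
const maxInputLength = 10000

// ValidationResult is this example's assumed response schema for the validate endpoint.
type ValidationResult struct {
	Type      string   `json:"type"`
	Valid     bool     `json:"valid"`
	Sanitized string   `json:"sanitized,omitempty"`
	Errors    []string `json:"errors,omitempty"`
}

// ValidateInput applies a type-specific, allow-list style check to value.
func ValidateInput(kind, value string) ValidationResult {
	res := ValidationResult{Type: kind, Valid: true}
	fail := func(msg string) { res.Valid = false; res.Errors = append(res.Errors, msg) }
	if len(value) > maxInputLength {
		fail("value exceeds max_input_length")
		return res
	}
	switch kind {
	case "email":
		// ParseAddress also accepts "Bob <bob@example.com>"; require a bare address.
		addr, err := mail.ParseAddress(value)
		if err != nil || addr.Address != value {
			fail("not a bare RFC 5322 address")
		}
	case "password":
		var upper, lower, digit bool
		for _, r := range value {
			upper, lower, digit = upper || unicode.IsUpper(r), lower || unicode.IsLower(r), digit || unicode.IsDigit(r)
		}
		if len(value) < 12 || !upper || !lower || !digit {
			fail("password needs 12+ characters with upper, lower and digit")
		}
	case "url":
		// Absolute http(s) only: rejects javascript:, data:, file: and relative paths.
		u, err := url.Parse(value)
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			fail("only absolute http(s) URLs are accepted")
		}
	case "ip":
		if net.ParseIP(value) == nil {
			fail("not a valid IPv4 or IPv6 address")
		}
	case "input":
		// Free-form text: reject control characters (NUL, escapes) other than whitespace,
		// then hand back an HTML-escaped copy as the sanitized form.
		for _, r := range value {
			if unicode.IsControl(r) && r != '\n' && r != '\r' && r != '\t' {
				fail("control characters are not allowed")
				break
			}
		}
		if res.Valid {
			res.Sanitized = html.EscapeString(value)
		}
	default:
		fail("unknown validation type")
	}
	return res
}

// ValidateHandler decodes {"type": ..., "value": ...} and answers with a ValidationResult.
func ValidateHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	var req struct {
		Type  string `json:"type"`
		Value string `json:"value"`
	}
	// Bound the body so the validator cannot itself be turned into a resource sink.
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "malformed JSON body", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(ValidateInput(req.Type, req.Value))
}

func main() {
	http.HandleFunc("/api/v1/security/validate", ValidateHandler)
	fmt.Println("listening on :8080")
	http.ListenAndServe(":8080", nil)
}
```

Each branch parses with a standard-library function instead of matching a deny-list regex, so a value is only accepted when the parser produces exactly the value that was submitted; that is what makes the `email` and `url` checks robust against display-name and scheme tricks.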
Requests under /api/v1/gateway/ are proxied to the backend services configured through the *_SERVICE_URL variables:

```text
# Proxy to auth service
ANY /api/v1/gateway/auth/*

# Proxy to order service
ANY /api/v1/gateway/order/*

# Proxy to payment service
ANY /api/v1/gateway/payment/*

# Proxy to user service
ANY /api/v1/gateway/user/*
```

Build the service:

```bash
# Build binary
make -f Makefile.security-gateway build

# Build for multiple platforms
make -f Makefile.security-gateway build-all

# Build Docker image
make -f Makefile.security-gateway docker-build
```

Run the test suite:

```bash
# Run tests
make -f Makefile.security-gateway test

# Run tests with coverage
make -f Makefile.security-gateway test-coverage

# Run integration tests
make -f Makefile.security-gateway test-integration

# Run benchmarks
make -f Makefile.security-gateway benchmark
```

Format, lint and scan the code:

```bash
# Format code
make -f Makefile.security-gateway fmt

# Run linter
make -f Makefile.security-gateway lint

# Security scan
make -f Makefile.security-gateway security-scan

# Vulnerability check
make -f Makefile.security-gateway vulnerability-check
```

The service exposes Prometheus metrics at /metrics:

```text
# Request metrics
security_gateway_total_requests
security_gateway_blocked_requests
security_gateway_allowed_requests

# Security metrics
security_gateway_threat_detections
security_gateway_waf_blocks
security_gateway_rate_limit_violations

# Performance metrics
security_gateway_request_duration_seconds
security_gateway_response_size_bytes
```
Access monitoring dashboards:
- Grafana: http://localhost:3000 (admin/admin)
- Prometheus: http://localhost:9090
- Jaeger: http://localhost:16686
Configure alerts in monitoring/alertmanager/alertmanager.yml:

```yaml
route:
  group_by: ['alertname']
  group_wait: 10s
  group_interval: 10s
  repeat_interval: 1h
  receiver: 'web.hook'
receivers:
  - name: 'web.hook'
    webhook_configs:
      - url: 'http://localhost:5001/'
```

The WAF includes protection against:
- SQL Injection - Database manipulation attempts
- Cross-Site Scripting (XSS) - Client-side code injection
- Path Traversal - File system access attempts
- Command Injection - System command execution
- Malicious User Agents - Known attack tools
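To make the five categories above concrete, here is an added example (not the project's WAF code) of an inspection middleware in Go: it decodes each part of the request once more, runs a small illustrative signature set per category over path, query, cookies, body and User-Agent, and returns 403 on any hit while logging the finding. The rule patterns, the `Finding` type and the `WAFMiddleware` name are this example's own; a production rule set is far larger and tuned, and the `max_request_size` constant is taken from config.yaml.

```go
package main

import (
	"bytes"
	"io"
	"log"
	"net/http"
	"net/url"
	"regexp"
)

// maxRequestSize mirrors waf.max_request_size in config.yaml (10 MB).
const maxRequestSize = 10 * 1024 * 1024

// Finding records one rule hit: category, where in the request, and the matched text.
type Finding struct {
	Category string
	Location string
	Match    string
}

type rule struct {
	category string
	re       *regexp.Regexp
}

// Illustrative signatures only; they exist to show the inspection flow, not to be complete.
var rules = []rule{
	{"sqli", regexp.MustCompile(`(?i)\bunion\b\s+(?:all\s+)?select\b|\bor\s+1\s*=\s*1\b|;\s*drop\s+table\b`)},
	{"xss", regexp.MustCompile(`(?i)<\s*script\b|javascript\s*:|\bon(?:error|load|mouseover)\s*=`)},
	{"path_traversal", regexp.MustCompile(`\.\./|\.\.\\`)},
	{"cmd_injection", regexp.MustCompile(`(?i)[;&|` + "`" + `]\s*(?:cat|ls|id|wget|curl|sh|bash|nc)\b|\$\([^)]*\)`)},
}

// User-Agent strings of well-known scanners (the "Malicious User Agents" category).
var badAgents = regexp.MustCompile(`(?i)\b(?:sqlmap|nikto|nmap|masscan)\b`)

// InspectRequest scans path, query, cookies, body and User-Agent. Each value is
// percent-decoded once more before matching so a single extra layer of encoding
// (%252e%252e%252f) does not slip past the rules.
func InspectRequest(r *http.Request) []Finding {
	var findings []Finding
	check := func(loc, s string) {
		if d, err := url.QueryUnescape(s); err == nil {
			s = d
		}
		for _, rl := range rules {
			if m := rl.re.FindString(s); m != "" {
				findings = append(findings, Finding{rl.category, loc, m})
			}
		}
	}
	check("path", r.URL.Path)
	for k, vs := range r.URL.Query() {
		for _, v := range vs {
			check("query:"+k, v)
		}
	}
	for _, c := range r.Cookies() {
		check("cookie:"+c.Name, c.Value)
	}
	if r.Body != nil && r.ContentLength != 0 {
		body, _ := io.ReadAll(io.LimitReader(r.Body, maxRequestSize))
		r.Body = io.NopCloser(bytes.NewReader(body)) // restore the body for the upstream handler
		check("body", string(body))
	}
	if m := badAgents.FindString(r.UserAgent()); m != "" {
		findings = append(findings, Finding{"bad_user_agent", "header:User-Agent", m})
	}
	return findings
}

// WAFMiddleware blocks on any finding and logs it for the security event trail.
func WAFMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if f := InspectRequest(r); len(f) > 0 {
			log.Printf("waf block ip=%s category=%s at=%s match=%q", r.RemoteAddr, f[0].Category, f[0].Location, f[0].Match)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Reading the body through `io.LimitReader` ties the WAF to the same `max_request_size` ceiling the config enforces, and restoring it with `io.NopCloser` is what lets the proxy handler behind the middleware still read the request.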
Multiple rate limiting strategies:
- IP-based - Per IP address limits
- User-based - Per authenticated user limits
- Endpoint-based - Per API endpoint limits
- Global - Overall system limits
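The four strategies differ only in how a request is turned into a counter key, so they can share one limiter. The following is an added example in Go, not the project's implementation: a token bucket sized by the `requests_per_minute` and `burst_size` values from config.yaml, a `Strategy` function per strategy, an idle-bucket cleanup matching `cleanup_interval`, and a middleware that answers 429 with `Retry-After`. The `X-User-ID` header is an assumed name for whatever an upstream auth step sets after verifying the JWT. The counters live in a local map here; the deployed gateway keeps them in Redis so all replicas share a single view of each client.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/http"
	"sync"
	"time"
)

// Strategy turns a request into the key its counter is kept under.
type Strategy func(r *http.Request) string

// ByIP limits each client address (RemoteAddr is host:port on the server side).
func ByIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return "ip:" + host
}

// ByUser limits each authenticated user via the assumed X-User-ID header,
// falling back to the IP key for unauthenticated traffic.
func ByUser(r *http.Request) string {
	if u := r.Header.Get("X-User-ID"); u != "" {
		return "user:" + u
	}
	return ByIP(r)
}

// ByEndpoint limits each method+path regardless of caller; Global applies one system-wide limit.
func ByEndpoint(r *http.Request) string { return "endpoint:" + r.Method + " " + r.URL.Path }
func Global(r *http.Request) string     { return "global" }

type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter is a token bucket per key: burst_size tokens of capacity, refilled at requests_per_minute.
type Limiter struct {
	mu         sync.Mutex
	ratePerSec float64
	capacity   float64
	buckets    map[string]*bucket
	now        func() time.Time // injectable clock so tests run without sleeping
}

func NewLimiter(requestsPerMinute, burstSize int) *Limiter {
	return &Limiter{
		ratePerSec: float64(requestsPerMinute) / 60,
		capacity:   float64(burstSize),
		buckets:    make(map[string]*bucket),
		now:        time.Now,
	}
}

// Allow reports whether one more request under key fits within the limit.
func (l *Limiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.capacity, last: now}
		l.buckets[key] = b
	}
	b.tokens = math.Min(l.capacity, b.tokens+now.Sub(b.last).Seconds()*l.ratePerSec)
	b.last = now
	if b.tokens >= 1 {
		b.tokens--
		return true
	}
	return false
}

// Cleanup drops buckets idle longer than idle (the cleanup_interval job) and returns the count removed.
func (l *Limiter) Cleanup(idle time.Duration) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	cutoff, removed := l.now().Add(-idle), 0
	for k, b := range l.buckets {
		if b.last.Before(cutoff) {
			delete(l.buckets, k)
			removed++
		}
	}
	return removed
}

// RateLimit wraps next with the limiter and strategy, answering 429 plus Retry-After when exhausted.
func RateLimit(l *Limiter, s Strategy, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(s(r)) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	l := NewLimiter(100, 20) // the config.yaml defaults: 20-request burst, then 100 per minute
	for i := 1; i <= 22; i++ {
		fmt.Printf("request %2d allowed=%v\n", i, l.Allow("ip:203.0.113.9"))
	}
}
```

Several limiters can be stacked (for example `RateLimit(global, Global, RateLimit(perUser, ByUser, handler))`) so that a single abusive user is cut off before the system-wide budget is touched; with the defaults above the first 20 requests from a new key succeed immediately and the 21st is refused until the bucket has refilled.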
Real-time threat detection includes:
- Velocity Analysis - Rapid request detection
- Pattern Recognition - Attack pattern identification
- Anomaly Detection - Unusual behavior detection
- Reputation Checking - IP/domain reputation validation
The gateway can automatically:
- Block malicious IPs - Temporary or permanent blocking
- Rate limit abusers - Dynamic rate limit adjustment
- Alert security team - Real-time notifications
- Log security events - Comprehensive audit trail
Security team can:
- Review alerts - Investigate security incidents
- Adjust rules - Modify WAF and rate limit rules
- Block/unblock IPs - Manual IP management
- Generate reports - Security analysis reports
Typical performance metrics:
- Latency: < 5ms additional latency
- Throughput: 10,000+ requests/second
- Memory: < 100MB base memory usage
- CPU: < 5% additional CPU overhead
Performance optimization features:
- Connection pooling - Efficient backend connections
- Request caching - Cache validation results
- Async processing - Non-blocking security checks
- Load balancing - Distribute traffic efficiently
Troubleshooting common issues:

- High latency:
  - Check Redis connectivity
  - Review WAF rule complexity
  - Monitor resource usage
- False positives:
  - Review WAF rules
  - Adjust sensitivity settings
  - Whitelist legitimate traffic
- Rate limit issues:
  - Check rate limit configuration
  - Review Redis performance
  - Monitor request patterns
Enable debug logging:

```bash
LOG_LEVEL=debug ./security-gateway
```

Monitor service health:

```bash
# Basic health
curl http://localhost:8080/health

# Detailed metrics
curl http://localhost:8080/metrics

# Security status
curl http://localhost:8080/api/v1/security/metrics
```

To contribute:

- Fork the repository
- Create a feature branch
- Make your changes
- Add tests
- Run security scans
- Submit a pull request
- Follow Go best practices
- Write comprehensive tests
- Document security implications
- Update configuration examples
- Maintain backward compatibility
This project is licensed under the MIT License - see the LICENSE file for details.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Security: security@go-coffee.com
- Documentation: Wiki
Security Gateway Service - Protecting your microservices with enterprise-grade security 🛡️