Albedo is a simple HTTP server used as a reverse-proxy backend in testing web application firewalls (WAFs). go-ftw relies on Albedo to test WAF rules of responses.
$ albedo -h
HTTP reflector and black hole
Usage:
albedo [flags]
Flags:
-b, --bind string address to bind to (default "0.0.0.0")
-h, --help help for albedo
-p, --port int port to listen on (default 8080)
--debug log debug information
--json format logs as JSONgithub.com/coreruleset/albedo/server package provides a handler that can be used for testing purposes.
Usage example:
package albedo_test
import (
"net/http"
"net/http/httptest"
"testing"
"time"
"github.com/coreruleset/albedo/server"
"github.com/stretchr/testify/require"
)
func TestAlbedo(t *testing.T) {
testServer := httptest.NewServer(server.Handler())
defer testServer.Close()
client := http.Client{
Timeout: time.Duration(1 * time.Second),
}
_, err := client.Get(testServer.URL)
require.NoError(t, err)
require.Equal(t, http.StatusOK, resp.StatusCode)
}endpoints:
- path: "/*"
methods: [any]
contentType: any
description: |
Requests to any URL that is not defined as an endpoint are accepted if they are valid.
The response to any such request will be a status 200 without a body.
- path: /capabilities
methods: [GET]
contentType: "-"
description: |
Returns a JSON document describing the capabilities of albedo, i.e., available endpoints and their functions.
If the query parameter 'quiet' is set to 'true', the response will only contain the path property for each
endpoint.
- path: /reflect
methods: [POST]
contentType: application/json
description: |
This endpoint responds according to the received specification.
The specification is a JSON document with the following fields:
status [integer]: the status code to respond with
headers [map of header definitions]: the headers to respond with
body [string]: body of the response
encodedBody [base64-encoded string]: body of the response, base64-encoded; useful for complex payloads where escaping is difficult
logMessage [string]: message to log for the request; useful for matching requests to tests
While this endpoint essentially allows for freeform responses, some restrictions apply:
- responses with status code 1xx don't have a body; if you specify a body together with a 1xx
status code, the behavior is undefined
- response status codes must lie in the range of [100,599]
- the names and values of headers must be valid according to the HTTP specification;
invalid headers will be dropped
- path: /configure_reflection
methods: [POST]
contentType: application/json
description: |
This endpoint configures other endpoints to respond as described by the received specification.
Any configured endpoint will behave as if it were the "/reflect" endpoint and will retain its configuration.
Endpoints can be overridden with new configurations.
The specification is a JSON document with the same fields as in the specification for "/reflect", with the following additions:
endpoints [list of endpoints]: endpoints to configure; an endpoint has the following fields:
method [string]: HTTP method to match
url [string]: URL of the endpoint, including query and fragment
- path: /reset
methods: [PUT]
contentType: any
description: |
Discards endpoint configurations previously created via "/configure_reflection"
- path: /inspect
methods: [any]
contentType: any
description: |
Logs debug information about the received request, such as headers and body size.