HTTP Middleware Overview
Add logs, recovery, rate limits, authentication, security headers, and other cross-cutting HTTP behavior
Middleware is where you put cross-cutting HTTP behavior: panic recovery, request IDs, real IP parsing, access logs, CORS, CSRF, body size limits, timeouts, static files, sessions, auth, rate limits, and audit records.
A Runa middleware is a route.Middleware, which is func(route.Handler) route.Handler. It belongs to the HTTP route transport; it is not part of the micro-kernel and it is not a Provider. As an application developer, focus on three things: install the package you need, mount it at the right level, and install any required capability Provider first.
Install
Install route when you only need the middleware mechanism:
```sh
go get github.com/duxweb/runa/route
```
Install official built-in middleware when needed:
```sh
go get github.com/duxweb/runa/middleware
```
Language negotiation middleware is a separate module:
```sh
go get github.com/duxweb/runa/middleware/lang
```
Install the production preset when you want the standard security chain:
```sh
go get github.com/duxweb/runa/security
```
Business middleware is installed per capability:
```sh
go get github.com/duxweb/runa/session github.com/duxweb/runa/auth github.com/duxweb/runa/rate github.com/duxweb/runa/audit
```
Minimal example
```go
package main

import (
	"context"

	"github.com/duxweb/runa"
	"github.com/duxweb/runa/route"
	"github.com/duxweb/runa/security"
)

func main() {
	app := runa.New()
	// Install the HTTP route transport, listening on :8080.
	app.Install(route.Provider(route.Addr(":8080")))

	// Mount the production security preset globally, then register a route.
	route.Default().Use(security.New(security.Production()))
	route.Default().Get("/", func(ctx *route.Context) error {
		return ctx.Text("ok")
	})

	if err := app.Run(context.Background()); err != nil {
		panic(err)
	}
}
```
Where to mount middleware
Global middleware:
```go
route.Default().Use(mw)
```
Group middleware:
```go
api := route.Default().Group("/api")
api.Use(mw)
```
Single-route middleware:
```go
route.Default().Get("/profile", profile).Use(mw)
```
Execution order
Middleware enters in registration order and exits in reverse order:
```go
route.Default().Use(A(), B(), C())
```
```
A before -> B before -> C before -> handler -> C after -> B after -> A after
```
A practical order is: recover, request ID, real IP, logger, body limit, timeout, helmet or CORS, and then business middleware such as session, auth, rate, and audit. Recover goes first because the first-registered middleware is the outermost layer, so it is the only one that can catch a panic raised by any later middleware or by the handler.
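As an added example (not Runa's own code), the onion above re-implemented in plain Go so the order can be checked offline: Context, Handler, Middleware and Chain are assumptions that only mirror the shape of route.Context, route.Handler, route.Middleware and Use. It reproduces the A/B/C trace and shows why Recover has to be the first middleware registered.

```go
package main
import "fmt"

// Context stands in for route.Context (an assumption, not Runa's type); Trace records entry and exit order.
type Context struct{ Trace []string }
// Handler and Middleware have the shape of route.Handler and route.Middleware: func(Handler) Handler.
type Handler func(ctx *Context) error
type Middleware func(Handler) Handler
// Chain wraps h in registration order: the first middleware is outermost, so it runs "before" first and "after" last.
func Chain(h Handler, mws ...Middleware) Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}
// Named records "<name> before" on entry and "<name> after" on exit.
func Named(name string) Middleware {
	return func(next Handler) Handler {
		return func(ctx *Context) error {
			ctx.Trace = append(ctx.Trace, name+" before")
			err := next(ctx)
			ctx.Trace = append(ctx.Trace, name+" after")
			return err
		}
	}
}
// Recover converts a panic anywhere inside it into an error; mounted first it is outermost and covers later middleware too.
func Recover() Middleware {
	return func(next Handler) Handler {
		return func(ctx *Context) (err error) {
			defer func() {
				if r := recover(); r != nil {
					err = fmt.Errorf("recovered panic: %v", r)
				}
			}()
			return next(ctx)
		}
	}
}
// RunOrder runs the equivalent of Use(A, B, C) around a handler and returns the recorded trace.
func RunOrder() []string {
	ctx := &Context{}
	_ = Chain(func(c *Context) error { c.Trace = append(c.Trace, "handler"); return nil }, Named("A"), Named("B"), Named("C"))(ctx)
	return ctx.Trace
}
// RunPanic shows a panic below Recover being converted into an error instead of escaping the chain.
func RunPanic() error {
	return Chain(func(*Context) error { panic("boom") }, Recover(), Named("logger"))(&Context{})
}
func main() { fmt.Println(RunOrder(), RunPanic()) }
```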
Page index
| Page | What it solves |
|---|---|
| Recover | Convert panic to route errors |
| Request ID | Attach a traceable request ID |
| Real IP | Read client IP from trusted proxies |
| Logger | Write HTTP access logs |
| CORS | Handle browser cross-origin requests |
| CSRF | Protect browser forms and cookie-authenticated endpoints |
| Body Limit | Limit request body size |
| Timeout | Bound normal HTTP request duration |
| Helmet | Write common security headers |
| Healthcheck | Return a simple health response |
| Static | Serve static files |
| Security | Use the production middleware preset |
| Session | Load and save sessions |
| Auth | Enforce authentication and permissions |
| Rate Limit | Protect routes with named limiters |
| Audit | Record business operation audits |
| Lang | Negotiate request language from query, cookie, and Accept-Language |