package forwardedheaders
import (
"net/http"
"github.com/containous/traefik/pkg/ip"
"github.com/vulcand/oxy/forward"
"github.com/vulcand/oxy/utils"
)
// XForwarded is an HTTP middleware that decides, per request, whether the
// forwarding headers named in forward.XHeaders are kept or stripped before the
// request is handed to the next handler.
//
// Headers are kept only when the filter is in insecure mode or when the peer
// address of the connection is accepted by the IP checker. In every other
// case they are removed, so values a client wrote itself do not reach the
// next handler.
type XForwarded struct {
	// insecure switches the filtering off: when true, ServeHTTP leaves the
	// headers untouched whatever the peer address is. Client-supplied values
	// then reach the next handler unverified, so this is only appropriate
	// when every peer is a proxy under the operator's control.
	insecure bool

	// trustedIps is the list passed to NewXForwarded, stored as given.
	trustedIps []string

	// ipChecker is built from trustedIps by NewXForwarded. It stays nil when
	// that list is empty, in which case no peer is treated as trusted.
	ipChecker *ip.Checker

	// next is the handler invoked after the header filtering has run.
	next http.Handler
}
// NewXForwarded builds an XForwarded filter in front of next.
//
// insecure keeps the forwarding headers on every request. trustedIps lists the
// peers whose headers are kept when insecure is false; it is passed to
// ip.NewChecker, and any error from that call is returned unchanged with a nil
// filter. An empty or nil trustedIps creates no checker, so with
// insecure == false the headers are stripped from every request.
func NewXForwarded(insecure bool, trustedIps []string, next http.Handler) (*XForwarded, error) {
	filter := &XForwarded{
		insecure:   insecure,
		trustedIps: trustedIps,
		next:       next,
	}

	// Without a trust list there is nothing to build; ipChecker stays nil and
	// isTrustedIP reports false for every peer.
	if len(trustedIps) == 0 {
		return filter, nil
	}

	checker, err := ip.NewChecker(trustedIps)
	if err != nil {
		return nil, err
	}
	filter.ipChecker = checker

	return filter, nil
}
// isTrustedIP reports whether ip is accepted by the configured IP checker.
//
// It fails closed: with no checker configured the answer is always false, and
// any error returned by IsAuthorized counts as "not trusted".
//
// NOTE(review): ServeHTTP passes r.RemoteAddr here, which net/http normally
// fills as "host:port"; this relies on ip.Checker.IsAuthorized accepting that
// form. Confirm against the checker implementation.
func (x *XForwarded) isTrustedIP(ip string) bool {
	if checker := x.ipChecker; checker != nil {
		return checker.IsAuthorized(ip) == nil
	}
	return false
}
// ServeHTTP strips the headers named in forward.XHeaders from the request
// unless they are to be kept, then calls the next handler.
//
// The headers are kept when the filter is in insecure mode, or when the peer
// address of the connection (r.RemoteAddr) is trusted. The decision is based
// on the connection's peer address only, never on a value carried in the
// headers themselves, so a client cannot vouch for its own headers.
func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// The checker is only consulted when insecure mode is off.
	keepHeaders := x.insecure || x.isTrustedIP(r.RemoteAddr)

	if !keepHeaders {
		// The request headers are modified in place, so the next handler
		// never sees the removed values.
		utils.RemoveHeaders(r.Header, forward.XHeaders...)
	}

	x.next.ServeHTTP(w, r)
}