2019-01-15 08:44:03 +00:00
|
|
|
package forwardedheaders
|
|
|
|
|
|
|
|
import (
|
2019-04-02 14:56:05 +00:00
|
|
|
"net"
|
2019-01-15 08:44:03 +00:00
|
|
|
"net/http"
|
2019-04-02 14:56:05 +00:00
|
|
|
"os"
|
|
|
|
"strings"
|
2019-01-15 08:44:03 +00:00
|
|
|
|
2020-09-16 13:46:04 +00:00
|
|
|
"github.com/traefik/traefik/v2/pkg/ip"
|
2019-01-15 08:44:03 +00:00
|
|
|
)
|
|
|
|
|
2019-04-02 14:56:05 +00:00
|
|
|
const (
|
2019-07-08 15:56:04 +00:00
|
|
|
xForwardedProto = "X-Forwarded-Proto"
|
|
|
|
xForwardedFor = "X-Forwarded-For"
|
|
|
|
xForwardedHost = "X-Forwarded-Host"
|
|
|
|
xForwardedPort = "X-Forwarded-Port"
|
|
|
|
xForwardedServer = "X-Forwarded-Server"
|
|
|
|
xForwardedURI = "X-Forwarded-Uri"
|
|
|
|
xForwardedMethod = "X-Forwarded-Method"
|
|
|
|
xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"
|
|
|
|
xForwardedTLSClientCertInfo = "X-Forwarded-Tls-Client-Cert-Info"
|
|
|
|
xRealIP = "X-Real-Ip"
|
|
|
|
connection = "Connection"
|
|
|
|
upgrade = "Upgrade"
|
2019-04-02 14:56:05 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
var xHeaders = []string{
|
|
|
|
xForwardedProto,
|
|
|
|
xForwardedFor,
|
|
|
|
xForwardedHost,
|
|
|
|
xForwardedPort,
|
|
|
|
xForwardedServer,
|
2019-07-08 15:56:04 +00:00
|
|
|
xForwardedURI,
|
|
|
|
xForwardedMethod,
|
|
|
|
xForwardedTLSClientCert,
|
|
|
|
xForwardedTLSClientCertInfo,
|
2019-04-02 14:56:05 +00:00
|
|
|
xRealIP,
|
|
|
|
}
|
|
|
|
|
2020-05-11 10:06:07 +00:00
|
|
|
// XForwarded is an HTTP handler wrapper that sets the X-Forwarded headers,
|
|
|
|
// and other relevant headers for a reverse-proxy.
|
|
|
|
// Unless insecure is set,
|
|
|
|
// it first removes all the existing values for those headers if the remote address is not one of the trusted ones.
|
2019-01-15 08:44:03 +00:00
|
|
|
type XForwarded struct {
|
|
|
|
insecure bool
|
|
|
|
trustedIps []string
|
|
|
|
ipChecker *ip.Checker
|
|
|
|
next http.Handler
|
2019-04-02 14:56:05 +00:00
|
|
|
hostname string
|
2019-01-15 08:44:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewXForwarded creates a new XForwarded.
|
|
|
|
func NewXForwarded(insecure bool, trustedIps []string, next http.Handler) (*XForwarded, error) {
|
|
|
|
var ipChecker *ip.Checker
|
|
|
|
if len(trustedIps) > 0 {
|
|
|
|
var err error
|
|
|
|
ipChecker, err = ip.NewChecker(trustedIps)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-04-02 14:56:05 +00:00
|
|
|
hostname, err := os.Hostname()
|
|
|
|
if err != nil {
|
|
|
|
hostname = "localhost"
|
|
|
|
}
|
|
|
|
|
2019-01-15 08:44:03 +00:00
|
|
|
return &XForwarded{
|
|
|
|
insecure: insecure,
|
|
|
|
trustedIps: trustedIps,
|
|
|
|
ipChecker: ipChecker,
|
|
|
|
next: next,
|
2019-04-02 14:56:05 +00:00
|
|
|
hostname: hostname,
|
2019-01-15 08:44:03 +00:00
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (x *XForwarded) isTrustedIP(ip string) bool {
|
|
|
|
if x.ipChecker == nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return x.ipChecker.IsAuthorized(ip) == nil
|
|
|
|
}
|
|
|
|
|
2020-05-11 10:06:07 +00:00
|
|
|
// removeIPv6Zone removes the zone if the given IP is an ipv6 address and it has {zone} information in it,
|
|
|
|
// like "[fe80::d806:a55d:eb1b:49cc%vEthernet (vmxnet3 Ethernet Adapter - Virtual Switch)]:64692".
|
2019-04-02 14:56:05 +00:00
|
|
|
func removeIPv6Zone(clientIP string) string {
|
2021-01-21 09:04:04 +00:00
|
|
|
if idx := strings.Index(clientIP, "%"); idx != -1 {
|
|
|
|
return clientIP[:idx]
|
|
|
|
}
|
|
|
|
return clientIP
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
|
|
|
|
2020-05-11 10:06:07 +00:00
|
|
|
// isWebsocketRequest returns whether the specified HTTP request is a websocket handshake request.
|
2019-04-02 14:56:05 +00:00
|
|
|
func isWebsocketRequest(req *http.Request) bool {
|
|
|
|
containsHeader := func(name, value string) bool {
|
2021-01-21 09:04:04 +00:00
|
|
|
h := unsafeHeader(req.Header).Get(name)
|
|
|
|
for {
|
|
|
|
pos := strings.Index(h, ",")
|
|
|
|
if pos == -1 {
|
|
|
|
return strings.EqualFold(value, strings.TrimSpace(h))
|
|
|
|
}
|
|
|
|
|
|
|
|
if strings.EqualFold(value, strings.TrimSpace(h[:pos])) {
|
2019-04-02 14:56:05 +00:00
|
|
|
return true
|
|
|
|
}
|
2021-01-21 09:04:04 +00:00
|
|
|
|
2021-02-02 10:40:04 +00:00
|
|
|
h = h[pos+1:]
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
|
|
|
}
|
2021-02-02 10:40:04 +00:00
|
|
|
|
2019-04-02 14:56:05 +00:00
|
|
|
return containsHeader(connection, "upgrade") && containsHeader(upgrade, "websocket")
|
|
|
|
}
|
|
|
|
|
|
|
|
func forwardedPort(req *http.Request) string {
|
|
|
|
if req == nil {
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, port, err := net.SplitHostPort(req.Host); err == nil && port != "" {
|
|
|
|
return port
|
|
|
|
}
|
|
|
|
|
2021-01-21 09:04:04 +00:00
|
|
|
if unsafeHeader(req.Header).Get(xForwardedProto) == "https" || unsafeHeader(req.Header).Get(xForwardedProto) == "wss" {
|
2019-04-02 14:56:05 +00:00
|
|
|
return "443"
|
|
|
|
}
|
|
|
|
|
|
|
|
if req.TLS != nil {
|
|
|
|
return "443"
|
|
|
|
}
|
|
|
|
|
|
|
|
return "80"
|
|
|
|
}
|
|
|
|
|
|
|
|
func (x *XForwarded) rewrite(outreq *http.Request) {
|
|
|
|
if clientIP, _, err := net.SplitHostPort(outreq.RemoteAddr); err == nil {
|
|
|
|
clientIP = removeIPv6Zone(clientIP)
|
|
|
|
|
2021-01-21 09:04:04 +00:00
|
|
|
if unsafeHeader(outreq.Header).Get(xRealIP) == "" {
|
|
|
|
unsafeHeader(outreq.Header).Set(xRealIP, clientIP)
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-21 09:04:04 +00:00
|
|
|
xfProto := unsafeHeader(outreq.Header).Get(xForwardedProto)
|
2019-04-02 14:56:05 +00:00
|
|
|
if xfProto == "" {
|
2020-06-10 12:32:03 +00:00
|
|
|
if isWebsocketRequest(outreq) {
|
|
|
|
if outreq.TLS != nil {
|
2021-01-21 09:04:04 +00:00
|
|
|
unsafeHeader(outreq.Header).Set(xForwardedProto, "wss")
|
2020-06-10 12:32:03 +00:00
|
|
|
} else {
|
2021-01-21 09:04:04 +00:00
|
|
|
unsafeHeader(outreq.Header).Set(xForwardedProto, "ws")
|
2020-06-10 12:32:03 +00:00
|
|
|
}
|
2019-04-02 14:56:05 +00:00
|
|
|
} else {
|
2020-06-10 12:32:03 +00:00
|
|
|
if outreq.TLS != nil {
|
2021-01-21 09:04:04 +00:00
|
|
|
unsafeHeader(outreq.Header).Set(xForwardedProto, "https")
|
2020-06-10 12:32:03 +00:00
|
|
|
} else {
|
2021-01-21 09:04:04 +00:00
|
|
|
unsafeHeader(outreq.Header).Set(xForwardedProto, "http")
|
2020-06-10 12:32:03 +00:00
|
|
|
}
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-01-21 09:04:04 +00:00
|
|
|
if xfPort := unsafeHeader(outreq.Header).Get(xForwardedPort); xfPort == "" {
|
|
|
|
unsafeHeader(outreq.Header).Set(xForwardedPort, forwardedPort(outreq))
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
|
|
|
|
2021-01-21 09:04:04 +00:00
|
|
|
if xfHost := unsafeHeader(outreq.Header).Get(xForwardedHost); xfHost == "" && outreq.Host != "" {
|
|
|
|
unsafeHeader(outreq.Header).Set(xForwardedHost, outreq.Host)
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if x.hostname != "" {
|
2021-01-21 09:04:04 +00:00
|
|
|
unsafeHeader(outreq.Header).Set(xForwardedServer, x.hostname)
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-05-11 10:06:07 +00:00
|
|
|
// ServeHTTP implements http.Handler.
|
2019-01-15 08:44:03 +00:00
|
|
|
func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if !x.insecure && !x.isTrustedIP(r.RemoteAddr) {
|
2019-04-02 14:56:05 +00:00
|
|
|
for _, h := range xHeaders {
|
2021-01-21 09:04:04 +00:00
|
|
|
unsafeHeader(r.Header).Del(h)
|
2019-04-02 14:56:05 +00:00
|
|
|
}
|
2019-01-15 08:44:03 +00:00
|
|
|
}
|
|
|
|
|
2019-04-02 14:56:05 +00:00
|
|
|
x.rewrite(r)
|
|
|
|
|
2019-01-15 08:44:03 +00:00
|
|
|
x.next.ServeHTTP(w, r)
|
|
|
|
}
|
2021-01-21 09:04:04 +00:00
|
|
|
|
|
|
|
// unsafeHeader allows to manage Header values.
|
|
|
|
// Must be used only when the header name is already a canonical key.
|
|
|
|
type unsafeHeader map[string][]string
|
|
|
|
|
|
|
|
func (h unsafeHeader) Set(key, value string) {
|
|
|
|
h[key] = []string{value}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h unsafeHeader) Get(key string) string {
|
|
|
|
if len(h[key]) == 0 {
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
return h[key][0]
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h unsafeHeader) Del(key string) {
|
|
|
|
delete(h, key)
|
|
|
|
}
|