2018-11-14 09:18:03 +00:00
|
|
|
// Package headers Middleware based on https://github.com/unrolled/secure.
|
|
|
|
package headers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"errors"
|
|
|
|
"net/http"
|
|
|
|
|
2019-03-15 08:42:03 +00:00
|
|
|
"github.com/containous/traefik/pkg/config"
|
|
|
|
"github.com/containous/traefik/pkg/middlewares"
|
|
|
|
"github.com/containous/traefik/pkg/tracing"
|
2018-11-14 09:18:03 +00:00
|
|
|
"github.com/opentracing/opentracing-go/ext"
|
|
|
|
"github.com/unrolled/secure"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
typeName = "Headers"
|
|
|
|
)
|
|
|
|
|
|
|
|
type headers struct {
|
|
|
|
name string
|
|
|
|
handler http.Handler
|
|
|
|
}
|
|
|
|
|
|
|
|
// New creates a Headers middleware.
|
|
|
|
func New(ctx context.Context, next http.Handler, config config.Headers, name string) (http.Handler, error) {
|
|
|
|
// HeaderMiddleware -> SecureMiddleWare -> next
|
|
|
|
logger := middlewares.GetLogger(ctx, name, typeName)
|
|
|
|
logger.Debug("Creating middleware")
|
|
|
|
|
|
|
|
if !config.HasSecureHeadersDefined() && !config.HasCustomHeadersDefined() {
|
|
|
|
return nil, errors.New("headers configuration not valid")
|
|
|
|
}
|
|
|
|
|
|
|
|
var handler http.Handler
|
|
|
|
nextHandler := next
|
|
|
|
|
|
|
|
if config.HasSecureHeadersDefined() {
|
|
|
|
logger.Debug("Setting up secureHeaders from %v", config)
|
|
|
|
handler = newSecure(next, config)
|
|
|
|
nextHandler = handler
|
|
|
|
}
|
|
|
|
|
|
|
|
if config.HasCustomHeadersDefined() {
|
|
|
|
logger.Debug("Setting up customHeaders from %v", config)
|
|
|
|
handler = newHeader(nextHandler, config)
|
|
|
|
}
|
|
|
|
|
|
|
|
return &headers{
|
|
|
|
handler: handler,
|
|
|
|
name: name,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *headers) GetTracingInformation() (string, ext.SpanKindEnum) {
|
|
|
|
return h.name, tracing.SpanKindNoneEnum
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *headers) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
|
|
|
h.handler.ServeHTTP(rw, req)
|
|
|
|
}
|
|
|
|
|
|
|
|
type secureHeader struct {
|
|
|
|
next http.Handler
|
|
|
|
secure *secure.Secure
|
|
|
|
}
|
|
|
|
|
|
|
|
// newSecure constructs a new secure instance with supplied options.
|
|
|
|
func newSecure(next http.Handler, headers config.Headers) *secureHeader {
|
|
|
|
opt := secure.Options{
|
|
|
|
BrowserXssFilter: headers.BrowserXSSFilter,
|
|
|
|
ContentTypeNosniff: headers.ContentTypeNosniff,
|
|
|
|
ForceSTSHeader: headers.ForceSTSHeader,
|
|
|
|
FrameDeny: headers.FrameDeny,
|
|
|
|
IsDevelopment: headers.IsDevelopment,
|
|
|
|
SSLRedirect: headers.SSLRedirect,
|
|
|
|
SSLForceHost: headers.SSLForceHost,
|
|
|
|
SSLTemporaryRedirect: headers.SSLTemporaryRedirect,
|
|
|
|
STSIncludeSubdomains: headers.STSIncludeSubdomains,
|
|
|
|
STSPreload: headers.STSPreload,
|
|
|
|
ContentSecurityPolicy: headers.ContentSecurityPolicy,
|
|
|
|
CustomBrowserXssValue: headers.CustomBrowserXSSValue,
|
|
|
|
CustomFrameOptionsValue: headers.CustomFrameOptionsValue,
|
|
|
|
PublicKey: headers.PublicKey,
|
|
|
|
ReferrerPolicy: headers.ReferrerPolicy,
|
|
|
|
SSLHost: headers.SSLHost,
|
|
|
|
AllowedHosts: headers.AllowedHosts,
|
|
|
|
HostsProxyHeaders: headers.HostsProxyHeaders,
|
|
|
|
SSLProxyHeaders: headers.SSLProxyHeaders,
|
|
|
|
STSSeconds: headers.STSSeconds,
|
|
|
|
}
|
|
|
|
|
|
|
|
return &secureHeader{
|
|
|
|
next: next,
|
|
|
|
secure: secure.New(opt),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s secureHeader) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
|
|
|
s.secure.HandlerFuncWithNextForRequestOnly(rw, req, s.next.ServeHTTP)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Header is a middleware that helps setup a few basic security features. A single headerOptions struct can be
|
|
|
|
// provided to configure which features should be enabled, and the ability to override a few of the default values.
|
|
|
|
type header struct {
|
|
|
|
next http.Handler
|
|
|
|
// If Custom request headers are set, these will be added to the request
|
|
|
|
customRequestHeaders map[string]string
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewHeader constructs a new header instance from supplied frontend header struct.
|
|
|
|
func newHeader(next http.Handler, headers config.Headers) *header {
|
|
|
|
return &header{
|
|
|
|
next: next,
|
|
|
|
customRequestHeaders: headers.CustomRequestHeaders,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *header) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
|
|
|
s.modifyRequestHeaders(req)
|
|
|
|
s.next.ServeHTTP(rw, req)
|
|
|
|
}
|
|
|
|
|
|
|
|
// modifyRequestHeaders set or delete request headers.
|
|
|
|
func (s *header) modifyRequestHeaders(req *http.Request) {
|
|
|
|
// Loop through Custom request headers
|
|
|
|
for header, value := range s.customRequestHeaders {
|
|
|
|
if value == "" {
|
|
|
|
req.Header.Del(header)
|
|
|
|
} else {
|
|
|
|
req.Header.Set(header, value)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|