Enhance Trust Forwarded Headers
This commit is contained in:
parent
de821fc305
commit
35ca40c3de
4 changed files with 52 additions and 20 deletions
6
glide.lock
generated
6
glide.lock
generated
|
@ -1,5 +1,5 @@
|
||||||
hash: ed8bed99f9096c408e34756a9c8eafd366d66f624a3e75a3fe7f84a2c5c98fa1
|
hash: 45cf1c60c4c2c584ee9514e24dee16debb8e88e59517a4b82ec91600b8904dfe
|
||||||
updated: 2017-09-30T18:32:16.848940186+02:00
|
updated: 2017-10-23T15:19:16.848940186+02:00
|
||||||
imports:
|
imports:
|
||||||
- name: cloud.google.com/go
|
- name: cloud.google.com/go
|
||||||
version: 2e6a95edb1071d750f6d7db777bf66cd2997af6c
|
version: 2e6a95edb1071d750f6d7db777bf66cd2997af6c
|
||||||
|
@ -481,7 +481,7 @@ imports:
|
||||||
- name: github.com/urfave/negroni
|
- name: github.com/urfave/negroni
|
||||||
version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9
|
version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9
|
||||||
- name: github.com/vulcand/oxy
|
- name: github.com/vulcand/oxy
|
||||||
version: 4b280f86f847bcdfd921dd1ffa9ae7949dc855ee
|
version: c66eb2065193ca9264781f951e92c245b2ec81c2
|
||||||
repo: https://github.com/containous/oxy.git
|
repo: https://github.com/containous/oxy.git
|
||||||
vcs: git
|
vcs: git
|
||||||
subpackages:
|
subpackages:
|
||||||
|
|
|
@ -12,7 +12,7 @@ import:
|
||||||
- package: github.com/cenk/backoff
|
- package: github.com/cenk/backoff
|
||||||
- package: github.com/containous/flaeg
|
- package: github.com/containous/flaeg
|
||||||
- package: github.com/vulcand/oxy
|
- package: github.com/vulcand/oxy
|
||||||
version: 4b280f86f847bcdfd921dd1ffa9ae7949dc855ee
|
version: c66eb2065193ca9264781f951e92c245b2ec81c2
|
||||||
repo: https://github.com/containous/oxy.git
|
repo: https://github.com/containous/oxy.git
|
||||||
vcs: git
|
vcs: git
|
||||||
subpackages:
|
subpackages:
|
||||||
|
|
10
vendor/github.com/vulcand/oxy/forward/headers.go
generated
vendored
10
vendor/github.com/vulcand/oxy/forward/headers.go
generated
vendored
|
@ -6,6 +6,7 @@ const (
|
||||||
XForwardedHost = "X-Forwarded-Host"
|
XForwardedHost = "X-Forwarded-Host"
|
||||||
XForwardedPort = "X-Forwarded-Port"
|
XForwardedPort = "X-Forwarded-Port"
|
||||||
XForwardedServer = "X-Forwarded-Server"
|
XForwardedServer = "X-Forwarded-Server"
|
||||||
|
XRealIp = "X-Real-Ip"
|
||||||
Connection = "Connection"
|
Connection = "Connection"
|
||||||
KeepAlive = "Keep-Alive"
|
KeepAlive = "Keep-Alive"
|
||||||
ProxyAuthenticate = "Proxy-Authenticate"
|
ProxyAuthenticate = "Proxy-Authenticate"
|
||||||
|
@ -50,3 +51,12 @@ var WebsocketUpgradeHeaders = []string{
|
||||||
Connection,
|
Connection,
|
||||||
SecWebsocketAccept,
|
SecWebsocketAccept,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var XHeaders = []string{
|
||||||
|
XForwardedProto,
|
||||||
|
XForwardedFor,
|
||||||
|
XForwardedHost,
|
||||||
|
XForwardedPort,
|
||||||
|
XForwardedServer,
|
||||||
|
XRealIp,
|
||||||
|
}
|
||||||
|
|
48
vendor/github.com/vulcand/oxy/forward/rewrite.go
generated
vendored
48
vendor/github.com/vulcand/oxy/forward/rewrite.go
generated
vendored
|
@ -15,30 +15,36 @@ type HeaderRewriter struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (rw *HeaderRewriter) Rewrite(req *http.Request) {
|
func (rw *HeaderRewriter) Rewrite(req *http.Request) {
|
||||||
|
if !rw.TrustForwardHeader {
|
||||||
|
utils.RemoveHeaders(req.Header, XHeaders...)
|
||||||
|
}
|
||||||
|
|
||||||
if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
|
if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
|
||||||
if rw.TrustForwardHeader {
|
|
||||||
if prior, ok := req.Header[XForwardedFor]; ok {
|
if prior, ok := req.Header[XForwardedFor]; ok {
|
||||||
clientIP = strings.Join(prior, ", ") + ", " + clientIP
|
req.Header.Set(XForwardedFor, strings.Join(prior, ", ")+", "+clientIP)
|
||||||
}
|
} else {
|
||||||
}
|
|
||||||
req.Header.Set(XForwardedFor, clientIP)
|
req.Header.Set(XForwardedFor, clientIP)
|
||||||
}
|
}
|
||||||
|
|
||||||
if xfp := req.Header.Get(XForwardedProto); xfp != "" && rw.TrustForwardHeader {
|
if req.Header.Get(XRealIp) == "" {
|
||||||
req.Header.Set(XForwardedProto, xfp)
|
req.Header.Set(XRealIp, clientIP)
|
||||||
} else if req.TLS != nil {
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
xfProto := req.Header.Get(XForwardedProto)
|
||||||
|
if xfProto == "" {
|
||||||
|
if req.TLS != nil {
|
||||||
req.Header.Set(XForwardedProto, "https")
|
req.Header.Set(XForwardedProto, "https")
|
||||||
} else {
|
} else {
|
||||||
req.Header.Set(XForwardedProto, "http")
|
req.Header.Set(XForwardedProto, "http")
|
||||||
}
|
}
|
||||||
|
|
||||||
if xfp := req.Header.Get(XForwardedPort); xfp != "" && rw.TrustForwardHeader {
|
|
||||||
req.Header.Set(XForwardedPort, xfp)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if xfh := req.Header.Get(XForwardedHost); xfh != "" && rw.TrustForwardHeader {
|
if xfp := req.Header.Get(XForwardedPort); xfp == "" {
|
||||||
req.Header.Set(XForwardedHost, xfh)
|
req.Header.Set(XForwardedPort, forwardedPort(req))
|
||||||
} else if req.Host != "" {
|
}
|
||||||
|
|
||||||
|
if xfHost := req.Header.Get(XForwardedHost); xfHost == "" && req.Host != "" {
|
||||||
req.Header.Set(XForwardedHost, req.Host)
|
req.Header.Set(XForwardedHost, req.Host)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -50,3 +56,19 @@ func (rw *HeaderRewriter) Rewrite(req *http.Request) {
|
||||||
// connection, regardless of what the client sent to us.
|
// connection, regardless of what the client sent to us.
|
||||||
utils.RemoveHeaders(req.Header, HopHeaders...)
|
utils.RemoveHeaders(req.Header, HopHeaders...)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func forwardedPort(req *http.Request) string {
|
||||||
|
if req == nil {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, port, err := net.SplitHostPort(req.Host); err == nil && port != "" {
|
||||||
|
return port
|
||||||
|
}
|
||||||
|
|
||||||
|
if req.TLS != nil {
|
||||||
|
return "443"
|
||||||
|
}
|
||||||
|
|
||||||
|
return "80"
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in a new issue