Enhance Trust Forwarded Headers

glide.lock

@@ -1,5 +1,5 @@
-hash: ed8bed99f9096c408e34756a9c8eafd366d66f624a3e75a3fe7f84a2c5c98fa1
+hash: 45cf1c60c4c2c584ee9514e24dee16debb8e88e59517a4b82ec91600b8904dfe
-updated: 2017-09-30T18:32:16.848940186+02:00
+updated: 2017-10-23T15:19:16.848940186+02:00
 imports:
 - name: cloud.google.com/go
   version: 2e6a95edb1071d750f6d7db777bf66cd2997af6c
@@ -481,7 +481,7 @@ imports:
 - name: github.com/urfave/negroni
   version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9
 - name: github.com/vulcand/oxy
-  version: 4b280f86f847bcdfd921dd1ffa9ae7949dc855ee
+  version: c66eb2065193ca9264781f951e92c245b2ec81c2
   repo: https://github.com/containous/oxy.git
   vcs: git
   subpackages:

glide.yaml

@@ -12,7 +12,7 @@ import:
 - package: github.com/cenk/backoff
 - package: github.com/containous/flaeg
 - package: github.com/vulcand/oxy
-  version: 4b280f86f847bcdfd921dd1ffa9ae7949dc855ee
+  version: c66eb2065193ca9264781f951e92c245b2ec81c2
   repo: https://github.com/containous/oxy.git
   vcs: git
   subpackages:

vendor/github.com/vulcand/oxy/forward/headers.go

@@ -6,6 +6,7 @@ const (
 	XForwardedHost         = "X-Forwarded-Host"
 	XForwardedPort         = "X-Forwarded-Port"
 	XForwardedServer       = "X-Forwarded-Server"
+	XRealIp                = "X-Real-Ip"
 	Connection             = "Connection"
 	KeepAlive              = "Keep-Alive"
 	ProxyAuthenticate      = "Proxy-Authenticate"
@@ -50,3 +51,12 @@ var WebsocketUpgradeHeaders = []string{
 	Connection,
 	SecWebsocketAccept,
 }
+
+var XHeaders = []string{
+	XForwardedProto,
+	XForwardedFor,
+	XForwardedHost,
+	XForwardedPort,
+	XForwardedServer,
+	XRealIp,
+}

vendor/github.com/vulcand/oxy/forward/rewrite.go

@@ -15,30 +15,36 @@ type HeaderRewriter struct {
 }
 
 func (rw *HeaderRewriter) Rewrite(req *http.Request) {
+	if !rw.TrustForwardHeader {
+		utils.RemoveHeaders(req.Header, XHeaders...)
+	}
+
 	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
-		if rw.TrustForwardHeader {
+		if prior, ok := req.Header[XForwardedFor]; ok {
-			if prior, ok := req.Header[XForwardedFor]; ok {
+			req.Header.Set(XForwardedFor, strings.Join(prior, ", ")+", "+clientIP)
-				clientIP = strings.Join(prior, ", ") + ", " + clientIP
+		} else {
-			}
+			req.Header.Set(XForwardedFor, clientIP)
+		}
+
+		if req.Header.Get(XRealIp) == "" {
+			req.Header.Set(XRealIp, clientIP)
 		}
-		req.Header.Set(XForwardedFor, clientIP)
 	}
 
-	if xfp := req.Header.Get(XForwardedProto); xfp != "" && rw.TrustForwardHeader {
+	xfProto := req.Header.Get(XForwardedProto)
-		req.Header.Set(XForwardedProto, xfp)
+	if xfProto == "" {
-	} else if req.TLS != nil {
+		if req.TLS != nil {
-		req.Header.Set(XForwardedProto, "https")
+			req.Header.Set(XForwardedProto, "https")
-	} else {
+		} else {
-		req.Header.Set(XForwardedProto, "http")
+			req.Header.Set(XForwardedProto, "http")
+		}
 	}
 
-	if xfp := req.Header.Get(XForwardedPort); xfp != "" && rw.TrustForwardHeader {
+	if xfp := req.Header.Get(XForwardedPort); xfp == "" {
-		req.Header.Set(XForwardedPort, xfp)
+		req.Header.Set(XForwardedPort, forwardedPort(req))
 	}
 
-	if xfh := req.Header.Get(XForwardedHost); xfh != "" && rw.TrustForwardHeader {
+	if xfHost := req.Header.Get(XForwardedHost); xfHost == "" && req.Host != "" {
-		req.Header.Set(XForwardedHost, xfh)
-	} else if req.Host != "" {
 		req.Header.Set(XForwardedHost, req.Host)
 	}
 
@@ -50,3 +56,19 @@ func (rw *HeaderRewriter) Rewrite(req *http.Request) {
 	// connection, regardless of what the client sent to us.
 	utils.RemoveHeaders(req.Header, HopHeaders...)
 }
+
+func forwardedPort(req *http.Request) string {
+	if req == nil {
+		return ""
+	}
+
+	if _, port, err := net.SplitHostPort(req.Host); err == nil && port != "" {
+		return port
+	}
+
+	if req.TLS != nil {
+		return "443"
+	}
+
+	return "80"
+}