Add forwarded headers on entry point configuration

This commit is contained in:
SALLEYRON Julien 2019-01-15 09:44:03 +01:00 committed by Traefiker Bot
parent 7efafa5a2c
commit a79d6aa669
9 changed files with 239 additions and 23 deletions

View file

@ -94,8 +94,7 @@ Complete documentation is available at https://traefik.io`,
Config: traefikConfiguration, Config: traefikConfiguration,
DefaultPointersConfig: traefikPointersConfiguration, DefaultPointersConfig: traefikPointersConfiguration,
Run: func() error { Run: func() error {
runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile) return runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile)
return nil
}, },
} }
@ -192,7 +191,7 @@ Complete documentation is available at https://traefik.io`,
os.Exit(0) os.Exit(0)
} }
func runCmd(staticConfiguration *static.Configuration, configFile string) { func runCmd(staticConfiguration *static.Configuration, configFile string) error {
configureLogging(staticConfiguration) configureLogging(staticConfiguration)
if len(configFile) > 0 { if len(configFile) > 0 {
@ -247,8 +246,7 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) {
serverEntryPoint, err := server.NewEntryPoint(ctx, config) serverEntryPoint, err := server.NewEntryPoint(ctx, config)
if err != nil { if err != nil {
logger.Errorf("Error while building entryPoint: %v", err) return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
continue
} }
serverEntryPoint.RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider) serverEntryPoint.RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider)
@ -315,6 +313,7 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) {
svr.Wait() svr.Wait()
log.WithoutContext().Info("Shutting down") log.WithoutContext().Info("Shutting down")
logrus.Exit(0) logrus.Exit(0)
return nil
} }
func configureLogging(staticConfiguration *static.Configuration) { func configureLogging(staticConfiguration *static.Configuration) {

View file

@ -10,10 +10,17 @@ import (
// EntryPoint holds the entry point configuration. // EntryPoint holds the entry point configuration.
type EntryPoint struct { type EntryPoint struct {
Address string Address string
Transport *EntryPointsTransport Transport *EntryPointsTransport
TLS *tls.TLS TLS *tls.TLS
ProxyProtocol *ProxyProtocol ProxyProtocol *ProxyProtocol
ForwardedHeaders *ForwardedHeaders
}
// ForwardedHeaders Trust client forwarding headers.
type ForwardedHeaders struct {
Insecure bool
TrustedIPs []string
} }
// ProxyProtocol contains Proxy-Protocol configuration. // ProxyProtocol contains Proxy-Protocol configuration.
@ -64,9 +71,10 @@ func (ep *EntryPoints) Set(value string) error {
} }
(*ep)[result["name"]] = &EntryPoint{ (*ep)[result["name"]] = &EntryPoint{
Address: result["address"], Address: result["address"],
TLS: configTLS, TLS: configTLS,
ProxyProtocol: makeEntryPointProxyProtocol(result), ProxyProtocol: makeEntryPointProxyProtocol(result),
ForwardedHeaders: makeEntryPointForwardedHeaders(result),
} }
return nil return nil
@ -167,3 +175,15 @@ func toBool(conf map[string]string, key string) bool {
} }
return false return false
} }
func makeEntryPointForwardedHeaders(result map[string]string) *ForwardedHeaders {
forwardedHeaders := &ForwardedHeaders{}
forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
fhTrustedIPs := result["forwardedheaders_trustedips"]
if len(fhTrustedIPs) > 0 {
forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",")
}
return forwardedHeaders
}

View file

@ -206,6 +206,7 @@ func TestEntryPoints_Set(t *testing.T) {
Insecure: false, Insecure: false,
TrustedIPs: []string{"192.168.0.1"}, TrustedIPs: []string{"192.168.0.1"},
}, },
ForwardedHeaders: &ForwardedHeaders{},
// FIXME Test ServersTransport // FIXME Test ServersTransport
}, },
}, },
@ -234,6 +235,7 @@ func TestEntryPoints_Set(t *testing.T) {
Insecure: false, Insecure: false,
TrustedIPs: []string{"192.168.0.1"}, TrustedIPs: []string{"192.168.0.1"},
}, },
ForwardedHeaders: &ForwardedHeaders{},
// FIXME Test ServersTransport // FIXME Test ServersTransport
}, },
}, },
@ -241,14 +243,17 @@ func TestEntryPoints_Set(t *testing.T) {
name: "default", name: "default",
expression: "Name:foo", expression: "Name:foo",
expectedEntryPointName: "foo", expectedEntryPointName: "foo",
expectedEntryPoint: &EntryPoint{}, expectedEntryPoint: &EntryPoint{
ForwardedHeaders: &ForwardedHeaders{},
},
}, },
{ {
name: "ProxyProtocol insecure true", name: "ProxyProtocol insecure true",
expression: "Name:foo ProxyProtocol.insecure:true", expression: "Name:foo ProxyProtocol.insecure:true",
expectedEntryPointName: "foo", expectedEntryPointName: "foo",
expectedEntryPoint: &EntryPoint{ expectedEntryPoint: &EntryPoint{
ProxyProtocol: &ProxyProtocol{Insecure: true}, ProxyProtocol: &ProxyProtocol{Insecure: true},
ForwardedHeaders: &ForwardedHeaders{},
}, },
}, },
{ {
@ -256,7 +261,8 @@ func TestEntryPoints_Set(t *testing.T) {
expression: "Name:foo ProxyProtocol.insecure:false", expression: "Name:foo ProxyProtocol.insecure:false",
expectedEntryPointName: "foo", expectedEntryPointName: "foo",
expectedEntryPoint: &EntryPoint{ expectedEntryPoint: &EntryPoint{
ProxyProtocol: &ProxyProtocol{}, ProxyProtocol: &ProxyProtocol{},
ForwardedHeaders: &ForwardedHeaders{},
}, },
}, },
{ {
@ -267,6 +273,7 @@ func TestEntryPoints_Set(t *testing.T) {
ProxyProtocol: &ProxyProtocol{ ProxyProtocol: &ProxyProtocol{
TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"}, TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
}, },
ForwardedHeaders: &ForwardedHeaders{},
}, },
}, },
} }

View file

@ -184,7 +184,10 @@ func (c *Configuration) SetEffectiveConfiguration(configFile string) {
entryPoint.Transport.RespondingTimeouts = &RespondingTimeouts{ entryPoint.Transport.RespondingTimeouts = &RespondingTimeouts{
IdleTimeout: parse.Duration(DefaultIdleTimeout), IdleTimeout: parse.Duration(DefaultIdleTimeout),
} }
}
if entryPoint.ForwardedHeaders == nil {
entryPoint.ForwardedHeaders = &ForwardedHeaders{}
} }
} }

View file

@ -0,0 +1,51 @@
package forwardedheaders
import (
"net/http"
"github.com/containous/traefik/ip"
"github.com/vulcand/oxy/forward"
"github.com/vulcand/oxy/utils"
)
// XForwarded filter for XForwarded headers.
type XForwarded struct {
insecure bool
trustedIps []string
ipChecker *ip.Checker
next http.Handler
}
// NewXForwarded creates a new XForwarded.
func NewXForwarded(insecure bool, trustedIps []string, next http.Handler) (*XForwarded, error) {
var ipChecker *ip.Checker
if len(trustedIps) > 0 {
var err error
ipChecker, err = ip.NewChecker(trustedIps)
if err != nil {
return nil, err
}
}
return &XForwarded{
insecure: insecure,
trustedIps: trustedIps,
ipChecker: ipChecker,
next: next,
}, nil
}
func (x *XForwarded) isTrustedIP(ip string) bool {
if x.ipChecker == nil {
return false
}
return x.ipChecker.IsAuthorized(ip) == nil
}
func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if !x.insecure && !x.isTrustedIP(r.RemoteAddr) {
utils.RemoveHeaders(r.Header, forward.XHeaders...)
}
x.next.ServeHTTP(w, r)
}

View file

@ -0,0 +1,128 @@
package forwardedheaders
import (
"net/http"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestServeHTTP(t *testing.T) {
testCases := []struct {
desc string
insecure bool
trustedIps []string
incomingHeaders map[string]string
remoteAddr string
expectedHeaders map[string]string
}{
{
desc: "all Empty",
insecure: true,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
{
desc: "insecure true with incoming X-Forwarded-For",
insecure: true,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
},
{
desc: "insecure false with incoming X-Forwarded-For",
insecure: false,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
insecure: false,
trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.100:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
insecure: false,
trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
insecure: false,
trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "1.2.3.156:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
insecure: false,
trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
req, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req.RemoteAddr = test.remoteAddr
for k, v := range test.incomingHeaders {
req.Header.Set(k, v)
}
m, err := NewXForwarded(test.insecure, test.trustedIps, http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {}))
require.NoError(t, err)
m.ServeHTTP(nil, req)
for k, v := range test.expectedHeaders {
assert.Equal(t, v, req.Header.Get(k))
}
})
}
}

View file

@ -218,7 +218,7 @@ func (s *Server) startHTTPServers() {
// Use an empty configuration in order to initialize the default handlers with internal routes // Use an empty configuration in order to initialize the default handlers with internal routes
handlers := s.applyConfiguration(context.Background(), config.Configuration{}) handlers := s.applyConfiguration(context.Background(), config.Configuration{})
for entryPointName, handler := range handlers { for entryPointName, handler := range handlers {
s.entryPoints[entryPointName].httpRouter.UpdateHandler(handler) s.entryPoints[entryPointName].switcher.UpdateHandler(handler)
} }
for entryPointName, entryPoint := range s.entryPoints { for entryPointName, entryPoint := range s.entryPoints {

View file

@ -45,7 +45,7 @@ func (s *Server) loadConfiguration(configMsg config.Message) {
s.metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix())) s.metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
for entryPointName, handler := range handlers { for entryPointName, handler := range handlers {
s.entryPoints[entryPointName].httpRouter.UpdateHandler(handler) s.entryPoints[entryPointName].switcher.UpdateHandler(handler)
} }
for entryPointName, entryPoint := range s.entryPoints { for entryPointName, entryPoint := range s.entryPoints {

View file

@ -17,6 +17,7 @@ import (
"github.com/containous/traefik/ip" "github.com/containous/traefik/ip"
"github.com/containous/traefik/log" "github.com/containous/traefik/log"
"github.com/containous/traefik/middlewares" "github.com/containous/traefik/middlewares"
"github.com/containous/traefik/middlewares/forwardedheaders"
"github.com/containous/traefik/old/configuration" "github.com/containous/traefik/old/configuration"
traefiktls "github.com/containous/traefik/tls" traefiktls "github.com/containous/traefik/tls"
"github.com/containous/traefik/tls/generate" "github.com/containous/traefik/tls/generate"
@ -30,15 +31,22 @@ type EntryPoints map[string]*EntryPoint
// NewEntryPoint creates a new EntryPoint // NewEntryPoint creates a new EntryPoint
func NewEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*EntryPoint, error) { func NewEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*EntryPoint, error) {
logger := log.FromContext(ctx)
var err error var err error
router := middlewares.NewHandlerSwitcher(buildDefaultHTTPRouter()) switcher := middlewares.NewHandlerSwitcher(buildDefaultHTTPRouter())
handler, err := forwardedheaders.NewXForwarded(
configuration.ForwardedHeaders.Insecure,
configuration.ForwardedHeaders.TrustedIPs,
switcher)
if err != nil {
return nil, err
}
tracker := newHijackConnectionTracker() tracker := newHijackConnectionTracker()
listener, err := buildListener(ctx, configuration) listener, err := buildListener(ctx, configuration)
if err != nil { if err != nil {
logger.Fatalf("Error preparing server: %v", err) return nil, fmt.Errorf("error preparing server: %v", err)
} }
var tlsConfig *tls.Config var tlsConfig *tls.Config
@ -56,11 +64,11 @@ func NewEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*Entr
} }
entryPoint := &EntryPoint{ entryPoint := &EntryPoint{
httpRouter: router, switcher: switcher,
transportConfiguration: configuration.Transport, transportConfiguration: configuration.Transport,
hijackConnectionTracker: tracker, hijackConnectionTracker: tracker,
listener: listener, listener: listener,
httpServer: buildServer(ctx, configuration, tlsConfig, router, tracker), httpServer: buildServer(ctx, configuration, tlsConfig, handler, tracker),
Certs: certificateStore, Certs: certificateStore,
} }
@ -76,7 +84,7 @@ type EntryPoint struct {
RouteAppenderFactory RouteAppenderFactory RouteAppenderFactory RouteAppenderFactory
httpServer *h2c.Server httpServer *h2c.Server
listener net.Listener listener net.Listener
httpRouter *middlewares.HandlerSwitcher switcher *middlewares.HandlerSwitcher
Certs *traefiktls.CertificateStore Certs *traefiktls.CertificateStore
OnDemandListener func(string) (*tls.Certificate, error) OnDemandListener func(string) (*tls.Certificate, error)
TLSALPNGetter func(string) (*tls.Certificate, error) TLSALPNGetter func(string) (*tls.Certificate, error)