Add forwarded headers on entry point configuration
This commit is contained in:
parent
7efafa5a2c
commit
a79d6aa669
9 changed files with 239 additions and 23 deletions
|
@ -94,8 +94,7 @@ Complete documentation is available at https://traefik.io`,
|
|||
Config: traefikConfiguration,
|
||||
DefaultPointersConfig: traefikPointersConfiguration,
|
||||
Run: func() error {
|
||||
runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile)
|
||||
return nil
|
||||
return runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile)
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -192,7 +191,7 @@ Complete documentation is available at https://traefik.io`,
|
|||
os.Exit(0)
|
||||
}
|
||||
|
||||
func runCmd(staticConfiguration *static.Configuration, configFile string) {
|
||||
func runCmd(staticConfiguration *static.Configuration, configFile string) error {
|
||||
configureLogging(staticConfiguration)
|
||||
|
||||
if len(configFile) > 0 {
|
||||
|
@ -247,8 +246,7 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) {
|
|||
|
||||
serverEntryPoint, err := server.NewEntryPoint(ctx, config)
|
||||
if err != nil {
|
||||
logger.Errorf("Error while building entryPoint: %v", err)
|
||||
continue
|
||||
return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
|
||||
}
|
||||
|
||||
serverEntryPoint.RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider)
|
||||
|
@ -315,6 +313,7 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) {
|
|||
svr.Wait()
|
||||
log.WithoutContext().Info("Shutting down")
|
||||
logrus.Exit(0)
|
||||
return nil
|
||||
}
|
||||
|
||||
func configureLogging(staticConfiguration *static.Configuration) {
|
||||
|
|
|
@ -14,6 +14,13 @@ type EntryPoint struct {
|
|||
Transport *EntryPointsTransport
|
||||
TLS *tls.TLS
|
||||
ProxyProtocol *ProxyProtocol
|
||||
ForwardedHeaders *ForwardedHeaders
|
||||
}
|
||||
|
||||
// ForwardedHeaders Trust client forwarding headers.
|
||||
type ForwardedHeaders struct {
|
||||
Insecure bool
|
||||
TrustedIPs []string
|
||||
}
|
||||
|
||||
// ProxyProtocol contains Proxy-Protocol configuration.
|
||||
|
@ -67,6 +74,7 @@ func (ep *EntryPoints) Set(value string) error {
|
|||
Address: result["address"],
|
||||
TLS: configTLS,
|
||||
ProxyProtocol: makeEntryPointProxyProtocol(result),
|
||||
ForwardedHeaders: makeEntryPointForwardedHeaders(result),
|
||||
}
|
||||
|
||||
return nil
|
||||
|
@ -167,3 +175,15 @@ func toBool(conf map[string]string, key string) bool {
|
|||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func makeEntryPointForwardedHeaders(result map[string]string) *ForwardedHeaders {
|
||||
forwardedHeaders := &ForwardedHeaders{}
|
||||
forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
|
||||
|
||||
fhTrustedIPs := result["forwardedheaders_trustedips"]
|
||||
if len(fhTrustedIPs) > 0 {
|
||||
forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",")
|
||||
}
|
||||
|
||||
return forwardedHeaders
|
||||
}
|
||||
|
|
|
@ -206,6 +206,7 @@ func TestEntryPoints_Set(t *testing.T) {
|
|||
Insecure: false,
|
||||
TrustedIPs: []string{"192.168.0.1"},
|
||||
},
|
||||
ForwardedHeaders: &ForwardedHeaders{},
|
||||
// FIXME Test ServersTransport
|
||||
},
|
||||
},
|
||||
|
@ -234,6 +235,7 @@ func TestEntryPoints_Set(t *testing.T) {
|
|||
Insecure: false,
|
||||
TrustedIPs: []string{"192.168.0.1"},
|
||||
},
|
||||
ForwardedHeaders: &ForwardedHeaders{},
|
||||
// FIXME Test ServersTransport
|
||||
},
|
||||
},
|
||||
|
@ -241,7 +243,9 @@ func TestEntryPoints_Set(t *testing.T) {
|
|||
name: "default",
|
||||
expression: "Name:foo",
|
||||
expectedEntryPointName: "foo",
|
||||
expectedEntryPoint: &EntryPoint{},
|
||||
expectedEntryPoint: &EntryPoint{
|
||||
ForwardedHeaders: &ForwardedHeaders{},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "ProxyProtocol insecure true",
|
||||
|
@ -249,6 +253,7 @@ func TestEntryPoints_Set(t *testing.T) {
|
|||
expectedEntryPointName: "foo",
|
||||
expectedEntryPoint: &EntryPoint{
|
||||
ProxyProtocol: &ProxyProtocol{Insecure: true},
|
||||
ForwardedHeaders: &ForwardedHeaders{},
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -257,6 +262,7 @@ func TestEntryPoints_Set(t *testing.T) {
|
|||
expectedEntryPointName: "foo",
|
||||
expectedEntryPoint: &EntryPoint{
|
||||
ProxyProtocol: &ProxyProtocol{},
|
||||
ForwardedHeaders: &ForwardedHeaders{},
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -267,6 +273,7 @@ func TestEntryPoints_Set(t *testing.T) {
|
|||
ProxyProtocol: &ProxyProtocol{
|
||||
TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
|
||||
},
|
||||
ForwardedHeaders: &ForwardedHeaders{},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -184,7 +184,10 @@ func (c *Configuration) SetEffectiveConfiguration(configFile string) {
|
|||
entryPoint.Transport.RespondingTimeouts = &RespondingTimeouts{
|
||||
IdleTimeout: parse.Duration(DefaultIdleTimeout),
|
||||
}
|
||||
}
|
||||
|
||||
if entryPoint.ForwardedHeaders == nil {
|
||||
entryPoint.ForwardedHeaders = &ForwardedHeaders{}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
51
middlewares/forwardedheaders/forwarded_header.go
Normal file
51
middlewares/forwardedheaders/forwarded_header.go
Normal file
|
@ -0,0 +1,51 @@
|
|||
package forwardedheaders
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/containous/traefik/ip"
|
||||
"github.com/vulcand/oxy/forward"
|
||||
"github.com/vulcand/oxy/utils"
|
||||
)
|
||||
|
||||
// XForwarded filter for XForwarded headers.
|
||||
type XForwarded struct {
|
||||
insecure bool
|
||||
trustedIps []string
|
||||
ipChecker *ip.Checker
|
||||
next http.Handler
|
||||
}
|
||||
|
||||
// NewXForwarded creates a new XForwarded.
|
||||
func NewXForwarded(insecure bool, trustedIps []string, next http.Handler) (*XForwarded, error) {
|
||||
var ipChecker *ip.Checker
|
||||
if len(trustedIps) > 0 {
|
||||
var err error
|
||||
ipChecker, err = ip.NewChecker(trustedIps)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
return &XForwarded{
|
||||
insecure: insecure,
|
||||
trustedIps: trustedIps,
|
||||
ipChecker: ipChecker,
|
||||
next: next,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (x *XForwarded) isTrustedIP(ip string) bool {
|
||||
if x.ipChecker == nil {
|
||||
return false
|
||||
}
|
||||
return x.ipChecker.IsAuthorized(ip) == nil
|
||||
}
|
||||
|
||||
func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
if !x.insecure && !x.isTrustedIP(r.RemoteAddr) {
|
||||
utils.RemoveHeaders(r.Header, forward.XHeaders...)
|
||||
}
|
||||
|
||||
x.next.ServeHTTP(w, r)
|
||||
}
|
128
middlewares/forwardedheaders/forwarded_header_test.go
Normal file
128
middlewares/forwardedheaders/forwarded_header_test.go
Normal file
|
@ -0,0 +1,128 @@
|
|||
package forwardedheaders
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestServeHTTP(t *testing.T) {
|
||||
testCases := []struct {
|
||||
desc string
|
||||
insecure bool
|
||||
trustedIps []string
|
||||
incomingHeaders map[string]string
|
||||
remoteAddr string
|
||||
expectedHeaders map[string]string
|
||||
}{
|
||||
{
|
||||
desc: "all Empty",
|
||||
insecure: true,
|
||||
trustedIps: nil,
|
||||
remoteAddr: "",
|
||||
incomingHeaders: map[string]string{},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure true with incoming X-Forwarded-For",
|
||||
insecure: true,
|
||||
trustedIps: nil,
|
||||
remoteAddr: "",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For",
|
||||
insecure: false,
|
||||
trustedIps: nil,
|
||||
remoteAddr: "",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
|
||||
insecure: false,
|
||||
trustedIps: []string{"10.0.1.100"},
|
||||
remoteAddr: "10.0.1.100:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
|
||||
insecure: false,
|
||||
trustedIps: []string{"10.0.1.100"},
|
||||
remoteAddr: "10.0.1.101:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
|
||||
insecure: false,
|
||||
trustedIps: []string{"1.2.3.4/24"},
|
||||
remoteAddr: "1.2.3.156:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
|
||||
insecure: false,
|
||||
trustedIps: []string{"1.2.3.4/24"},
|
||||
remoteAddr: "10.0.1.101:80",
|
||||
incomingHeaders: map[string]string{
|
||||
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
|
||||
},
|
||||
expectedHeaders: map[string]string{
|
||||
"X-Forwarded-for": "",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range testCases {
|
||||
test := test
|
||||
t.Run(test.desc, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
req, err := http.NewRequest(http.MethodGet, "", nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
req.RemoteAddr = test.remoteAddr
|
||||
|
||||
for k, v := range test.incomingHeaders {
|
||||
req.Header.Set(k, v)
|
||||
}
|
||||
|
||||
m, err := NewXForwarded(test.insecure, test.trustedIps, http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {}))
|
||||
require.NoError(t, err)
|
||||
|
||||
m.ServeHTTP(nil, req)
|
||||
|
||||
for k, v := range test.expectedHeaders {
|
||||
assert.Equal(t, v, req.Header.Get(k))
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -218,7 +218,7 @@ func (s *Server) startHTTPServers() {
|
|||
// Use an empty configuration in order to initialize the default handlers with internal routes
|
||||
handlers := s.applyConfiguration(context.Background(), config.Configuration{})
|
||||
for entryPointName, handler := range handlers {
|
||||
s.entryPoints[entryPointName].httpRouter.UpdateHandler(handler)
|
||||
s.entryPoints[entryPointName].switcher.UpdateHandler(handler)
|
||||
}
|
||||
|
||||
for entryPointName, entryPoint := range s.entryPoints {
|
||||
|
|
|
@ -45,7 +45,7 @@ func (s *Server) loadConfiguration(configMsg config.Message) {
|
|||
s.metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
|
||||
|
||||
for entryPointName, handler := range handlers {
|
||||
s.entryPoints[entryPointName].httpRouter.UpdateHandler(handler)
|
||||
s.entryPoints[entryPointName].switcher.UpdateHandler(handler)
|
||||
}
|
||||
|
||||
for entryPointName, entryPoint := range s.entryPoints {
|
||||
|
|
|
@ -17,6 +17,7 @@ import (
|
|||
"github.com/containous/traefik/ip"
|
||||
"github.com/containous/traefik/log"
|
||||
"github.com/containous/traefik/middlewares"
|
||||
"github.com/containous/traefik/middlewares/forwardedheaders"
|
||||
"github.com/containous/traefik/old/configuration"
|
||||
traefiktls "github.com/containous/traefik/tls"
|
||||
"github.com/containous/traefik/tls/generate"
|
||||
|
@ -30,15 +31,22 @@ type EntryPoints map[string]*EntryPoint
|
|||
|
||||
// NewEntryPoint creates a new EntryPoint
|
||||
func NewEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*EntryPoint, error) {
|
||||
logger := log.FromContext(ctx)
|
||||
var err error
|
||||
|
||||
router := middlewares.NewHandlerSwitcher(buildDefaultHTTPRouter())
|
||||
switcher := middlewares.NewHandlerSwitcher(buildDefaultHTTPRouter())
|
||||
handler, err := forwardedheaders.NewXForwarded(
|
||||
configuration.ForwardedHeaders.Insecure,
|
||||
configuration.ForwardedHeaders.TrustedIPs,
|
||||
switcher)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
tracker := newHijackConnectionTracker()
|
||||
|
||||
listener, err := buildListener(ctx, configuration)
|
||||
if err != nil {
|
||||
logger.Fatalf("Error preparing server: %v", err)
|
||||
return nil, fmt.Errorf("error preparing server: %v", err)
|
||||
}
|
||||
|
||||
var tlsConfig *tls.Config
|
||||
|
@ -56,11 +64,11 @@ func NewEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*Entr
|
|||
}
|
||||
|
||||
entryPoint := &EntryPoint{
|
||||
httpRouter: router,
|
||||
switcher: switcher,
|
||||
transportConfiguration: configuration.Transport,
|
||||
hijackConnectionTracker: tracker,
|
||||
listener: listener,
|
||||
httpServer: buildServer(ctx, configuration, tlsConfig, router, tracker),
|
||||
httpServer: buildServer(ctx, configuration, tlsConfig, handler, tracker),
|
||||
Certs: certificateStore,
|
||||
}
|
||||
|
||||
|
@ -76,7 +84,7 @@ type EntryPoint struct {
|
|||
RouteAppenderFactory RouteAppenderFactory
|
||||
httpServer *h2c.Server
|
||||
listener net.Listener
|
||||
httpRouter *middlewares.HandlerSwitcher
|
||||
switcher *middlewares.HandlerSwitcher
|
||||
Certs *traefiktls.CertificateStore
|
||||
OnDemandListener func(string) (*tls.Certificate, error)
|
||||
TLSALPNGetter func(string) (*tls.Certificate, error)
|
||||
|
|
Loading…
Reference in a new issue