Add forwarded headers on entry point configuration

This commit is contained in:
SALLEYRON Julien 2019-01-15 09:44:03 +01:00 committed by Traefiker Bot
parent 7efafa5a2c
commit a79d6aa669
9 changed files with 239 additions and 23 deletions

View file

@ -94,8 +94,7 @@ Complete documentation is available at https://traefik.io`,
Config: traefikConfiguration,
DefaultPointersConfig: traefikPointersConfiguration,
Run: func() error {
runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile)
return nil
return runCmd(&traefikConfiguration.Configuration, traefikConfiguration.ConfigFile)
},
}
@ -192,7 +191,7 @@ Complete documentation is available at https://traefik.io`,
os.Exit(0)
}
func runCmd(staticConfiguration *static.Configuration, configFile string) {
func runCmd(staticConfiguration *static.Configuration, configFile string) error {
configureLogging(staticConfiguration)
if len(configFile) > 0 {
@ -247,8 +246,7 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) {
serverEntryPoint, err := server.NewEntryPoint(ctx, config)
if err != nil {
logger.Errorf("Error while building entryPoint: %v", err)
continue
return fmt.Errorf("error while building entryPoint %s: %v", entryPointName, err)
}
serverEntryPoint.RouteAppenderFactory = router.NewRouteAppenderFactory(*staticConfiguration, entryPointName, acmeProvider)
@ -315,6 +313,7 @@ func runCmd(staticConfiguration *static.Configuration, configFile string) {
svr.Wait()
log.WithoutContext().Info("Shutting down")
logrus.Exit(0)
return nil
}
func configureLogging(staticConfiguration *static.Configuration) {

View file

@ -14,6 +14,13 @@ type EntryPoint struct {
Transport *EntryPointsTransport
TLS *tls.TLS
ProxyProtocol *ProxyProtocol
ForwardedHeaders *ForwardedHeaders
}
// ForwardedHeaders Trust client forwarding headers.
type ForwardedHeaders struct {
Insecure bool
TrustedIPs []string
}
// ProxyProtocol contains Proxy-Protocol configuration.
@ -67,6 +74,7 @@ func (ep *EntryPoints) Set(value string) error {
Address: result["address"],
TLS: configTLS,
ProxyProtocol: makeEntryPointProxyProtocol(result),
ForwardedHeaders: makeEntryPointForwardedHeaders(result),
}
return nil
@ -167,3 +175,15 @@ func toBool(conf map[string]string, key string) bool {
}
return false
}
func makeEntryPointForwardedHeaders(result map[string]string) *ForwardedHeaders {
forwardedHeaders := &ForwardedHeaders{}
forwardedHeaders.Insecure = toBool(result, "forwardedheaders_insecure")
fhTrustedIPs := result["forwardedheaders_trustedips"]
if len(fhTrustedIPs) > 0 {
forwardedHeaders.TrustedIPs = strings.Split(fhTrustedIPs, ",")
}
return forwardedHeaders
}

View file

@ -206,6 +206,7 @@ func TestEntryPoints_Set(t *testing.T) {
Insecure: false,
TrustedIPs: []string{"192.168.0.1"},
},
ForwardedHeaders: &ForwardedHeaders{},
// FIXME Test ServersTransport
},
},
@ -234,6 +235,7 @@ func TestEntryPoints_Set(t *testing.T) {
Insecure: false,
TrustedIPs: []string{"192.168.0.1"},
},
ForwardedHeaders: &ForwardedHeaders{},
// FIXME Test ServersTransport
},
},
@ -241,7 +243,9 @@ func TestEntryPoints_Set(t *testing.T) {
name: "default",
expression: "Name:foo",
expectedEntryPointName: "foo",
expectedEntryPoint: &EntryPoint{},
expectedEntryPoint: &EntryPoint{
ForwardedHeaders: &ForwardedHeaders{},
},
},
{
name: "ProxyProtocol insecure true",
@ -249,6 +253,7 @@ func TestEntryPoints_Set(t *testing.T) {
expectedEntryPointName: "foo",
expectedEntryPoint: &EntryPoint{
ProxyProtocol: &ProxyProtocol{Insecure: true},
ForwardedHeaders: &ForwardedHeaders{},
},
},
{
@ -257,6 +262,7 @@ func TestEntryPoints_Set(t *testing.T) {
expectedEntryPointName: "foo",
expectedEntryPoint: &EntryPoint{
ProxyProtocol: &ProxyProtocol{},
ForwardedHeaders: &ForwardedHeaders{},
},
},
{
@ -267,6 +273,7 @@ func TestEntryPoints_Set(t *testing.T) {
ProxyProtocol: &ProxyProtocol{
TrustedIPs: []string{"10.0.0.3/24", "20.0.0.3/24"},
},
ForwardedHeaders: &ForwardedHeaders{},
},
},
}

View file

@ -184,7 +184,10 @@ func (c *Configuration) SetEffectiveConfiguration(configFile string) {
entryPoint.Transport.RespondingTimeouts = &RespondingTimeouts{
IdleTimeout: parse.Duration(DefaultIdleTimeout),
}
}
if entryPoint.ForwardedHeaders == nil {
entryPoint.ForwardedHeaders = &ForwardedHeaders{}
}
}

View file

@ -0,0 +1,51 @@
package forwardedheaders
import (
"net/http"
"github.com/containous/traefik/ip"
"github.com/vulcand/oxy/forward"
"github.com/vulcand/oxy/utils"
)
// XForwarded filter for XForwarded headers.
type XForwarded struct {
insecure bool
trustedIps []string
ipChecker *ip.Checker
next http.Handler
}
// NewXForwarded creates a new XForwarded.
func NewXForwarded(insecure bool, trustedIps []string, next http.Handler) (*XForwarded, error) {
var ipChecker *ip.Checker
if len(trustedIps) > 0 {
var err error
ipChecker, err = ip.NewChecker(trustedIps)
if err != nil {
return nil, err
}
}
return &XForwarded{
insecure: insecure,
trustedIps: trustedIps,
ipChecker: ipChecker,
next: next,
}, nil
}
func (x *XForwarded) isTrustedIP(ip string) bool {
if x.ipChecker == nil {
return false
}
return x.ipChecker.IsAuthorized(ip) == nil
}
func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if !x.insecure && !x.isTrustedIP(r.RemoteAddr) {
utils.RemoveHeaders(r.Header, forward.XHeaders...)
}
x.next.ServeHTTP(w, r)
}

View file

@ -0,0 +1,128 @@
package forwardedheaders
import (
"net/http"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestServeHTTP(t *testing.T) {
testCases := []struct {
desc string
insecure bool
trustedIps []string
incomingHeaders map[string]string
remoteAddr string
expectedHeaders map[string]string
}{
{
desc: "all Empty",
insecure: true,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
{
desc: "insecure true with incoming X-Forwarded-For",
insecure: true,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
},
{
desc: "insecure false with incoming X-Forwarded-For",
insecure: false,
trustedIps: nil,
remoteAddr: "",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips",
insecure: false,
trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.100:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips",
insecure: false,
trustedIps: []string{"10.0.1.100"},
remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and valid Trusted Ips CIDR",
insecure: false,
trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "1.2.3.156:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
},
{
desc: "insecure false with incoming X-Forwarded-For and invalid Trusted Ips CIDR",
insecure: false,
trustedIps: []string{"1.2.3.4/24"},
remoteAddr: "10.0.1.101:80",
incomingHeaders: map[string]string{
"X-Forwarded-for": "10.0.1.0, 10.0.1.12",
},
expectedHeaders: map[string]string{
"X-Forwarded-for": "",
},
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
req, err := http.NewRequest(http.MethodGet, "", nil)
require.NoError(t, err)
req.RemoteAddr = test.remoteAddr
for k, v := range test.incomingHeaders {
req.Header.Set(k, v)
}
m, err := NewXForwarded(test.insecure, test.trustedIps, http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {}))
require.NoError(t, err)
m.ServeHTTP(nil, req)
for k, v := range test.expectedHeaders {
assert.Equal(t, v, req.Header.Get(k))
}
})
}
}

View file

@ -218,7 +218,7 @@ func (s *Server) startHTTPServers() {
// Use an empty configuration in order to initialize the default handlers with internal routes
handlers := s.applyConfiguration(context.Background(), config.Configuration{})
for entryPointName, handler := range handlers {
s.entryPoints[entryPointName].httpRouter.UpdateHandler(handler)
s.entryPoints[entryPointName].switcher.UpdateHandler(handler)
}
for entryPointName, entryPoint := range s.entryPoints {

View file

@ -45,7 +45,7 @@ func (s *Server) loadConfiguration(configMsg config.Message) {
s.metricsRegistry.LastConfigReloadSuccessGauge().Set(float64(time.Now().Unix()))
for entryPointName, handler := range handlers {
s.entryPoints[entryPointName].httpRouter.UpdateHandler(handler)
s.entryPoints[entryPointName].switcher.UpdateHandler(handler)
}
for entryPointName, entryPoint := range s.entryPoints {

View file

@ -17,6 +17,7 @@ import (
"github.com/containous/traefik/ip"
"github.com/containous/traefik/log"
"github.com/containous/traefik/middlewares"
"github.com/containous/traefik/middlewares/forwardedheaders"
"github.com/containous/traefik/old/configuration"
traefiktls "github.com/containous/traefik/tls"
"github.com/containous/traefik/tls/generate"
@ -30,15 +31,22 @@ type EntryPoints map[string]*EntryPoint
// NewEntryPoint creates a new EntryPoint
func NewEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*EntryPoint, error) {
logger := log.FromContext(ctx)
var err error
router := middlewares.NewHandlerSwitcher(buildDefaultHTTPRouter())
switcher := middlewares.NewHandlerSwitcher(buildDefaultHTTPRouter())
handler, err := forwardedheaders.NewXForwarded(
configuration.ForwardedHeaders.Insecure,
configuration.ForwardedHeaders.TrustedIPs,
switcher)
if err != nil {
return nil, err
}
tracker := newHijackConnectionTracker()
listener, err := buildListener(ctx, configuration)
if err != nil {
logger.Fatalf("Error preparing server: %v", err)
return nil, fmt.Errorf("error preparing server: %v", err)
}
var tlsConfig *tls.Config
@ -56,11 +64,11 @@ func NewEntryPoint(ctx context.Context, configuration *static.EntryPoint) (*Entr
}
entryPoint := &EntryPoint{
httpRouter: router,
switcher: switcher,
transportConfiguration: configuration.Transport,
hijackConnectionTracker: tracker,
listener: listener,
httpServer: buildServer(ctx, configuration, tlsConfig, router, tracker),
httpServer: buildServer(ctx, configuration, tlsConfig, handler, tracker),
Certs: certificateStore,
}
@ -76,7 +84,7 @@ type EntryPoint struct {
RouteAppenderFactory RouteAppenderFactory
httpServer *h2c.Server
listener net.Listener
httpRouter *middlewares.HandlerSwitcher
switcher *middlewares.HandlerSwitcher
Certs *traefiktls.CertificateStore
OnDemandListener func(string) (*tls.Certificate, error)
TLSALPNGetter func(string) (*tls.Certificate, error)