traefik/pkg/middlewares/auth/forward.go

package auth

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"regexp"
	"strings"
	"time"

	"github.com/opentracing/opentracing-go/ext"
	"github.com/traefik/traefik/v2/pkg/config/dynamic"
	"github.com/traefik/traefik/v2/pkg/log"
	"github.com/traefik/traefik/v2/pkg/middlewares"
	"github.com/traefik/traefik/v2/pkg/middlewares/connectionheader"
	"github.com/traefik/traefik/v2/pkg/tracing"
	"github.com/vulcand/oxy/forward"
	"github.com/vulcand/oxy/utils"
)

const (
	xForwardedURI     = "X-Forwarded-Uri"
	xForwardedMethod  = "X-Forwarded-Method"
	forwardedTypeName = "ForwardedAuthType"
)

// hopHeaders Hop-by-hop headers to be removed in the authentication request.
// http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
// Proxy-Authorization header is forwarded to the authentication server (see https://tools.ietf.org/html/rfc7235#section-4.4).
var hopHeaders = []string{
	forward.Connection,
	forward.KeepAlive,
	forward.Te, // canonicalized version of "TE"
	forward.Trailers,
	forward.TransferEncoding,
	forward.Upgrade,
}

type forwardAuth struct {
	address                  string
	authResponseHeaders      []string
	authResponseHeadersRegex *regexp.Regexp
	next                     http.Handler
	name                     string
	client                   http.Client
	trustForwardHeader       bool
	authRequestHeaders       []string
}

// NewForward creates a forward auth middleware.
func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAuth, name string) (http.Handler, error) {
	log.FromContext(middlewares.GetLoggerCtx(ctx, name, forwardedTypeName)).Debug("Creating middleware")

	fa := &forwardAuth{
		address:             config.Address,
		authResponseHeaders: config.AuthResponseHeaders,
		next:                next,
		name:                name,
		trustForwardHeader:  config.TrustForwardHeader,
		authRequestHeaders:  config.AuthRequestHeaders,
	}

	// Ensure our request client does not follow redirects
	fa.client = http.Client{
		CheckRedirect: func(r *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
		Timeout: 30 * time.Second,
	}

	if config.TLS != nil {
		tlsConfig, err := config.TLS.CreateTLSConfig()
		if err != nil {
			return nil, err
		}

		tr := http.DefaultTransport.(*http.Transport).Clone()
		tr.TLSClientConfig = tlsConfig
		fa.client.Transport = tr
	}

	if config.AuthResponseHeadersRegex != "" {
		re, err := regexp.Compile(config.AuthResponseHeadersRegex)
		if err != nil {
			return nil, fmt.Errorf("error compiling regular expression %s: %w", config.AuthResponseHeadersRegex, err)
		}
		fa.authResponseHeadersRegex = re
	}

	return connectionheader.Remover(fa), nil
}

func (fa *forwardAuth) GetTracingInformation() (string, ext.SpanKindEnum) {
	return fa.name, ext.SpanKindRPCClientEnum
}

func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	logger := log.FromContext(middlewares.GetLoggerCtx(req.Context(), fa.name, forwardedTypeName))

	forwardReq, err := http.NewRequest(http.MethodGet, fa.address, nil)
	tracing.LogRequest(tracing.GetSpan(req), forwardReq)
	if err != nil {
		logMessage := fmt.Sprintf("Error calling %s. Cause %s", fa.address, err)
		logger.Debug(logMessage)
		tracing.SetErrorWithEvent(req, logMessage)

		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	// Ensure tracing headers are in the request before we copy the headers to the
	// forwardReq.
	tracing.InjectRequestHeaders(req)

	writeHeader(req, forwardReq, fa.trustForwardHeader, fa.authRequestHeaders)

	forwardResponse, forwardErr := fa.client.Do(forwardReq)
	if forwardErr != nil {
		logMessage := fmt.Sprintf("Error calling %s. Cause: %s", fa.address, forwardErr)
		logger.Debug(logMessage)
		tracing.SetErrorWithEvent(req, logMessage)

		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	body, readError := io.ReadAll(forwardResponse.Body)
	if readError != nil {
		logMessage := fmt.Sprintf("Error reading body %s. Cause: %s", fa.address, readError)
		logger.Debug(logMessage)
		tracing.SetErrorWithEvent(req, logMessage)

		rw.WriteHeader(http.StatusInternalServerError)
		return
	}
	defer forwardResponse.Body.Close()

	// Pass the forward response's body and selected headers if it
	// didn't return a response within the range of [200, 300).
	if forwardResponse.StatusCode < http.StatusOK || forwardResponse.StatusCode >= http.StatusMultipleChoices {
		logger.Debugf("Remote error %s. StatusCode: %d", fa.address, forwardResponse.StatusCode)

		utils.CopyHeaders(rw.Header(), forwardResponse.Header)
		utils.RemoveHeaders(rw.Header(), hopHeaders...)

		// Grab the location header, if any.
		redirectURL, err := forwardResponse.Location()

		if err != nil {
			if !errors.Is(err, http.ErrNoLocation) {
				logMessage := fmt.Sprintf("Error reading response location header %s. Cause: %s", fa.address, err)
				logger.Debug(logMessage)
				tracing.SetErrorWithEvent(req, logMessage)

				rw.WriteHeader(http.StatusInternalServerError)
				return
			}
		} else if redirectURL.String() != "" {
			// Set the location in our response if one was sent back.
			rw.Header().Set("Location", redirectURL.String())
		}

		tracing.LogResponseCode(tracing.GetSpan(req), forwardResponse.StatusCode)
		rw.WriteHeader(forwardResponse.StatusCode)

		if _, err = rw.Write(body); err != nil {
			logger.Error(err)
		}
		return
	}

	for _, headerName := range fa.authResponseHeaders {
		headerKey := http.CanonicalHeaderKey(headerName)
		req.Header.Del(headerKey)
		if len(forwardResponse.Header[headerKey]) > 0 {
			req.Header[headerKey] = append([]string(nil), forwardResponse.Header[headerKey]...)
		}
	}

	if fa.authResponseHeadersRegex != nil {
		for headerKey := range req.Header {
			if fa.authResponseHeadersRegex.MatchString(headerKey) {
				req.Header.Del(headerKey)
			}
		}

		for headerKey, headerValues := range forwardResponse.Header {
			if fa.authResponseHeadersRegex.MatchString(headerKey) {
				req.Header[headerKey] = append([]string(nil), headerValues...)
			}
		}
	}

	req.RequestURI = req.URL.RequestURI()
	fa.next.ServeHTTP(rw, req)
}

func writeHeader(req, forwardReq *http.Request, trustForwardHeader bool, allowedHeaders []string) {
	utils.CopyHeaders(forwardReq.Header, req.Header)
	utils.RemoveHeaders(forwardReq.Header, hopHeaders...)

	forwardReq.Header = filterForwardRequestHeaders(forwardReq.Header, allowedHeaders)

	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
		if trustForwardHeader {
			if prior, ok := req.Header[forward.XForwardedFor]; ok {
				clientIP = strings.Join(prior, ", ") + ", " + clientIP
			}
		}
		forwardReq.Header.Set(forward.XForwardedFor, clientIP)
	}

	xMethod := req.Header.Get(xForwardedMethod)
	switch {
	case xMethod != "" && trustForwardHeader:
		forwardReq.Header.Set(xForwardedMethod, xMethod)
	case req.Method != "":
		forwardReq.Header.Set(xForwardedMethod, req.Method)
	default:
		forwardReq.Header.Del(xForwardedMethod)
	}

	xfp := req.Header.Get(forward.XForwardedProto)
	switch {
	case xfp != "" && trustForwardHeader:
		forwardReq.Header.Set(forward.XForwardedProto, xfp)
	case req.TLS != nil:
		forwardReq.Header.Set(forward.XForwardedProto, "https")
	default:
		forwardReq.Header.Set(forward.XForwardedProto, "http")
	}

	if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {
		forwardReq.Header.Set(forward.XForwardedPort, xfp)
	}

	xfh := req.Header.Get(forward.XForwardedHost)
	switch {
	case xfh != "" && trustForwardHeader:
		forwardReq.Header.Set(forward.XForwardedHost, xfh)
	case req.Host != "":
		forwardReq.Header.Set(forward.XForwardedHost, req.Host)
	default:
		forwardReq.Header.Del(forward.XForwardedHost)
	}

	xfURI := req.Header.Get(xForwardedURI)
	switch {
	case xfURI != "" && trustForwardHeader:
		forwardReq.Header.Set(xForwardedURI, xfURI)
	case req.URL.RequestURI() != "":
		forwardReq.Header.Set(xForwardedURI, req.URL.RequestURI())
	default:
		forwardReq.Header.Del(xForwardedURI)
	}
}

func filterForwardRequestHeaders(forwardRequestHeaders http.Header, allowedHeaders []string) http.Header {
	if len(allowedHeaders) == 0 {
		return forwardRequestHeaders
	}

	filteredHeaders := http.Header{}
	for _, headerName := range allowedHeaders {
		values := forwardRequestHeaders.Values(headerName)
		if len(values) > 0 {
			filteredHeaders[http.CanonicalHeaderKey(headerName)] = append([]string(nil), values...)
		}
	}

	return filteredHeaders
}
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`package auth`

			`import (`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`"context"`
chore: update linter. 2020-11-06 08:26:03 +00:00			`"errors"`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`"fmt"`
Update to go1.16 2021-03-04 19:08:03 +00:00			`"io"`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`"net"`
			`"net/http"`
Middlewares: add forwardAuth.authResponseHeadersRegex 2020-10-29 14:10:04 +00:00			`"regexp"`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`"strings"`
don't create http client for each request in forwardAuth middleware 2020-02-03 17:44:04 +00:00			`"time"`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`"github.com/opentracing/opentracing-go/ext"`
chore: move to Traefik organization. Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2020-09-16 13:46:04 +00:00			`"github.com/traefik/traefik/v2/pkg/config/dynamic"`
			`"github.com/traefik/traefik/v2/pkg/log"`
			`"github.com/traefik/traefik/v2/pkg/middlewares"`
fix: remove hop-by-hop headers define in connection header beore some middleware Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> 2021-07-30 10:20:07 +00:00			`"github.com/traefik/traefik/v2/pkg/middlewares/connectionheader"`
chore: move to Traefik organization. Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2020-09-16 13:46:04 +00:00			`"github.com/traefik/traefik/v2/pkg/tracing"`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`"github.com/vulcand/oxy/forward"`
			`"github.com/vulcand/oxy/utils"`
			`)`

Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`const (`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`xForwardedURI = "X-Forwarded-Uri"`
			`xForwardedMethod = "X-Forwarded-Method"`
			`forwardedTypeName = "ForwardedAuthType"`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`)`

Forward Proxy-Authorization header to authentication server 2021-01-21 17:34:04 +00:00			`// hopHeaders Hop-by-hop headers to be removed in the authentication request.`
			`// http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html`
			`// Proxy-Authorization header is forwarded to the authentication server (see https://tools.ietf.org/html/rfc7235#section-4.4).`
			`var hopHeaders = []string{`
			`forward.Connection,`
			`forward.KeepAlive,`
			`forward.Te, // canonicalized version of "TE"`
			`forward.Trailers,`
			`forward.TransferEncoding,`
			`forward.Upgrade,`
			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`type forwardAuth struct {`
Middlewares: add forwardAuth.authResponseHeadersRegex 2020-10-29 14:10:04 +00:00			`address string`
			`authResponseHeaders []string`
			`authResponseHeadersRegex *regexp.Regexp`
			`next http.Handler`
			`name string`
			`client http.Client`
			`trustForwardHeader bool`
			`authRequestHeaders []string`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`}`

			`// NewForward creates a forward auth middleware.`
Move dynamic config into a dedicated package. 2019-07-10 07:26:04 +00:00			`func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAuth, name string) (http.Handler, error) {`
fix: logger and context. 2019-09-13 17:28:04 +00:00			`log.FromContext(middlewares.GetLoggerCtx(ctx, name, forwardedTypeName)).Debug("Creating middleware")`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00
			`fa := &forwardAuth{`
			`address: config.Address,`
			`authResponseHeaders: config.AuthResponseHeaders,`
			`next: next,`
			`name: name,`
			`trustForwardHeader: config.TrustForwardHeader,`
Filter ForwardAuth request headers 2020-10-07 14:36:04 +00:00			`authRequestHeaders: config.AuthRequestHeaders,`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`}`
Forward auth: copy response headers when auth failed. 2018-04-23 13:28:04 +00:00
don't create http client for each request in forwardAuth middleware 2020-02-03 17:44:04 +00:00			`// Ensure our request client does not follow redirects`
			`fa.client = http.Client{`
			`CheckRedirect: func(r http.Request, via []http.Request) error {`
			`return http.ErrUseLastResponse`
			`},`
			`Timeout: 30 * time.Second,`
			`}`

Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if config.TLS != nil {`
			`tlsConfig, err := config.TLS.CreateTLSConfig()`
			`if err != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`return nil, err`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`
Forward auth: copy response headers when auth failed. 2018-04-23 13:28:04 +00:00
don't create http client for each request in forwardAuth middleware 2020-02-03 17:44:04 +00:00			`tr := http.DefaultTransport.(*http.Transport).Clone()`
			`tr.TLSClientConfig = tlsConfig`
			`fa.client.Transport = tr`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`}`

Middlewares: add forwardAuth.authResponseHeadersRegex 2020-10-29 14:10:04 +00:00			`if config.AuthResponseHeadersRegex != "" {`
			`re, err := regexp.Compile(config.AuthResponseHeadersRegex)`
			`if err != nil {`
			`return nil, fmt.Errorf("error compiling regular expression %s: %w", config.AuthResponseHeadersRegex, err)`
			`}`
			`fa.authResponseHeadersRegex = re`
			`}`

fix: remove hop-by-hop headers define in connection header beore some middleware Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> 2021-07-30 10:20:07 +00:00			`return connectionheader.Remover(fa), nil`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`}`

			`func (fa *forwardAuth) GetTracingInformation() (string, ext.SpanKindEnum) {`
			`return fa.name, ext.SpanKindRPCClientEnum`
			`}`

			`func (fa forwardAuth) ServeHTTP(rw http.ResponseWriter, req http.Request) {`
fix: logger and context. 2019-09-13 17:28:04 +00:00			`logger := log.FromContext(middlewares.GetLoggerCtx(req.Context(), fa.name, forwardedTypeName))`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00
			`forwardReq, err := http.NewRequest(http.MethodGet, fa.address, nil)`
			`tracing.LogRequest(tracing.GetSpan(req), forwardReq)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if err != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error calling %s. Cause %s", fa.address, err)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`

fix(tracing): makes sure tracing headers are being propagated when using forwardAuth 2020-01-07 14:48:07 +00:00			`// Ensure tracing headers are in the request before we copy the headers to the`
			`// forwardReq.`
			`tracing.InjectRequestHeaders(req)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00
Filter ForwardAuth request headers 2020-10-07 14:36:04 +00:00			`writeHeader(req, forwardReq, fa.trustForwardHeader, fa.authRequestHeaders)`
Opentracing support 2018-01-10 16:48:04 +00:00
don't create http client for each request in forwardAuth middleware 2020-02-03 17:44:04 +00:00			`forwardResponse, forwardErr := fa.client.Do(forwardReq)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if forwardErr != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error calling %s. Cause: %s", fa.address, forwardErr)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`

Update to go1.16 2021-03-04 19:08:03 +00:00			`body, readError := io.ReadAll(forwardResponse.Body)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if readError != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error reading body %s. Cause: %s", fa.address, readError)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`
			`defer forwardResponse.Body.Close()`

Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`// Pass the forward response's body and selected headers if it`
			`// didn't return a response within the range of [200, 300).`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if forwardResponse.StatusCode < http.StatusOK \|\| forwardResponse.StatusCode >= http.StatusMultipleChoices {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logger.Debugf("Remote error %s. StatusCode: %d", fa.address, forwardResponse.StatusCode)`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`utils.CopyHeaders(rw.Header(), forwardResponse.Header)`
Forward Proxy-Authorization header to authentication server 2021-01-21 17:34:04 +00:00			`utils.RemoveHeaders(rw.Header(), hopHeaders...)`
Forward auth: copy response headers when auth failed. 2018-04-23 13:28:04 +00:00
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`// Grab the location header, if any.`
			`redirectURL, err := forwardResponse.Location()`

			`if err != nil {`
chore: update linter. 2020-11-06 08:26:03 +00:00			`if !errors.Is(err, http.ErrNoLocation) {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error reading response location header %s. Cause: %s", fa.address, err)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`return`
			`}`
			`} else if redirectURL.String() != "" {`
			`// Set the location in our response if one was sent back.`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`rw.Header().Set("Location", redirectURL.String())`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`tracing.LogResponseCode(tracing.GetSpan(req), forwardResponse.StatusCode)`
			`rw.WriteHeader(forwardResponse.StatusCode)`
Small code enhancements 2018-08-06 18:00:03 +00:00
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`if _, err = rw.Write(body); err != nil {`
			`logger.Error(err)`
Small code enhancements 2018-08-06 18:00:03 +00:00			`}`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`for _, headerName := range fa.authResponseHeaders {`
Forward all header values from forward auth response 2019-04-10 15:18:06 +00:00			`headerKey := http.CanonicalHeaderKey(headerName)`
			`req.Header.Del(headerKey)`
			`if len(forwardResponse.Header[headerKey]) > 0 {`
			`req.Header[headerKey] = append([]string(nil), forwardResponse.Header[headerKey]...)`
			`}`
Forward auth headers 2018-06-30 05:54:03 +00:00			`}`

Middlewares: add forwardAuth.authResponseHeadersRegex 2020-10-29 14:10:04 +00:00			`if fa.authResponseHeadersRegex != nil {`
			`for headerKey := range req.Header {`
			`if fa.authResponseHeadersRegex.MatchString(headerKey) {`
			`req.Header.Del(headerKey)`
			`}`
			`}`

			`for headerKey, headerValues := range forwardResponse.Header {`
			`if fa.authResponseHeadersRegex.MatchString(headerKey) {`
			`req.Header[headerKey] = append([]string(nil), headerValues...)`
			`}`
			`}`
			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`req.RequestURI = req.URL.RequestURI()`
			`fa.next.ServeHTTP(rw, req)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`

Filter ForwardAuth request headers 2020-10-07 14:36:04 +00:00			`func writeHeader(req, forwardReq *http.Request, trustForwardHeader bool, allowedHeaders []string) {`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`utils.CopyHeaders(forwardReq.Header, req.Header)`
Forward Proxy-Authorization header to authentication server 2021-01-21 17:34:04 +00:00			`utils.RemoveHeaders(forwardReq.Header, hopHeaders...)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00
Filter ForwardAuth request headers 2020-10-07 14:36:04 +00:00			`forwardReq.Header = filterForwardRequestHeaders(forwardReq.Header, allowedHeaders)`

Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {`
			`if trustForwardHeader {`
			`if prior, ok := req.Header[forward.XForwardedFor]; ok {`
			`clientIP = strings.Join(prior, ", ") + ", " + clientIP`
			`}`
			`}`
			`forwardReq.Header.Set(forward.XForwardedFor, clientIP)`
			`}`

refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xMethod := req.Header.Get(xForwardedMethod)`
			`switch {`
			`case xMethod != "" && trustForwardHeader:`
Add xforwarded method 2018-06-13 13:14:03 +00:00			`forwardReq.Header.Set(xForwardedMethod, xMethod)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.Method != "":`
Add xforwarded method 2018-06-13 13:14:03 +00:00			`forwardReq.Header.Set(xForwardedMethod, req.Method)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Add xforwarded method 2018-06-13 13:14:03 +00:00			`forwardReq.Header.Del(xForwardedMethod)`
			`}`

refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xfp := req.Header.Get(forward.XForwardedProto)`
			`switch {`
			`case xfp != "" && trustForwardHeader:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedProto, xfp)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.TLS != nil:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedProto, "https")`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedProto, "http")`
			`}`

			`if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {`
			`forwardReq.Header.Set(forward.XForwardedPort, xfp)`
			`}`

refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xfh := req.Header.Get(forward.XForwardedHost)`
			`switch {`
			`case xfh != "" && trustForwardHeader:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedHost, xfh)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.Host != "":`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedHost, req.Host)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Del(forward.XForwardedHost)`
			`}`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xfURI := req.Header.Get(xForwardedURI)`
			`switch {`
			`case xfURI != "" && trustForwardHeader:`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`forwardReq.Header.Set(xForwardedURI, xfURI)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.URL.RequestURI() != "":`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`forwardReq.Header.Set(xForwardedURI, req.URL.RequestURI())`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`forwardReq.Header.Del(xForwardedURI)`
			`}`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`
Filter ForwardAuth request headers 2020-10-07 14:36:04 +00:00
			`func filterForwardRequestHeaders(forwardRequestHeaders http.Header, allowedHeaders []string) http.Header {`
			`if len(allowedHeaders) == 0 {`
			`return forwardRequestHeaders`
			`}`

			`filteredHeaders := http.Header{}`
			`for _, headerName := range allowedHeaders {`
			`values := forwardRequestHeaders.Values(headerName)`
			`if len(values) > 0 {`
			`filteredHeaders[http.CanonicalHeaderKey(headerName)] = append([]string(nil), values...)`
			`}`
			`}`

			`return filteredHeaders`
			`}`