traefik/middlewares/auth/forward.go

package auth

import (
	"io/ioutil"
	"net"
	"net/http"
	"strings"

	"github.com/containous/traefik/log"
	"github.com/containous/traefik/middlewares/tracing"
	"github.com/containous/traefik/types"
	"github.com/vulcand/oxy/forward"
	"github.com/vulcand/oxy/utils"
)

const (
	xForwardedURI = "X-Forwarded-Uri"
)

// Forward the authentication to a external server
func Forward(config *types.Forward, w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	// Ensure our request client does not follow redirects
	httpClient := http.Client{
		CheckRedirect: func(r *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	if config.TLS != nil {
		tlsConfig, err := config.TLS.CreateTLSConfig()
		if err != nil {
			tracing.SetErrorAndDebugLog(r, "Unable to configure TLS to call %s. Cause %s", config.Address, err)
			w.WriteHeader(http.StatusInternalServerError)
			return
		}
		httpClient.Transport = &http.Transport{
			TLSClientConfig: tlsConfig,
		}
	}
	forwardReq, err := http.NewRequest(http.MethodGet, config.Address, nil)
	tracing.LogRequest(tracing.GetSpan(r), forwardReq)
	if err != nil {
		tracing.SetErrorAndDebugLog(r, "Error calling %s. Cause %s", config.Address, err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	writeHeader(r, forwardReq, config.TrustForwardHeader)

	tracing.InjectRequestHeaders(forwardReq)

	forwardResponse, forwardErr := httpClient.Do(forwardReq)
	if forwardErr != nil {
		tracing.SetErrorAndDebugLog(r, "Error calling %s. Cause: %s", config.Address, forwardErr)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	body, readError := ioutil.ReadAll(forwardResponse.Body)
	if readError != nil {
		tracing.SetErrorAndDebugLog(r, "Error reading body %s. Cause: %s", config.Address, readError)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	defer forwardResponse.Body.Close()

	// Pass the forward response's body and selected headers if it
	// didn't return a response within the range of [200, 300).
	if forwardResponse.StatusCode < http.StatusOK || forwardResponse.StatusCode >= http.StatusMultipleChoices {
		log.Debugf("Remote error %s. StatusCode: %d", config.Address, forwardResponse.StatusCode)

		// Grab the location header, if any.
		redirectURL, err := forwardResponse.Location()

		if err != nil {
			if err != http.ErrNoLocation {
				tracing.SetErrorAndDebugLog(r, "Error reading response location header %s. Cause: %s", config.Address, err)
				w.WriteHeader(http.StatusInternalServerError)
				return
			}
		} else if redirectURL.String() != "" {
			// Set the location in our response if one was sent back.
			w.Header().Add("Location", redirectURL.String())
		}

		// Pass any Set-Cookie headers the forward auth server provides
		for _, cookie := range forwardResponse.Cookies() {
			w.Header().Add("Set-Cookie", cookie.String())
		}

		tracing.LogResponseCode(tracing.GetSpan(r), forwardResponse.StatusCode)
		w.WriteHeader(forwardResponse.StatusCode)
		w.Write(body)
		return
	}

	r.RequestURI = r.URL.RequestURI()
	next(w, r)
}

func writeHeader(req *http.Request, forwardReq *http.Request, trustForwardHeader bool) {
	utils.CopyHeaders(forwardReq.Header, req.Header)

	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
		if trustForwardHeader {
			if prior, ok := req.Header[forward.XForwardedFor]; ok {
				clientIP = strings.Join(prior, ", ") + ", " + clientIP
			}
		}
		forwardReq.Header.Set(forward.XForwardedFor, clientIP)
	}

	if xfp := req.Header.Get(forward.XForwardedProto); xfp != "" && trustForwardHeader {
		forwardReq.Header.Set(forward.XForwardedProto, xfp)
	} else if req.TLS != nil {
		forwardReq.Header.Set(forward.XForwardedProto, "https")
	} else {
		forwardReq.Header.Set(forward.XForwardedProto, "http")
	}

	if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {
		forwardReq.Header.Set(forward.XForwardedPort, xfp)
	}

	if xfh := req.Header.Get(forward.XForwardedHost); xfh != "" && trustForwardHeader {
		forwardReq.Header.Set(forward.XForwardedHost, xfh)
	} else if req.Host != "" {
		forwardReq.Header.Set(forward.XForwardedHost, req.Host)
	} else {
		forwardReq.Header.Del(forward.XForwardedHost)
	}

	if xfURI := req.Header.Get(xForwardedURI); xfURI != "" && trustForwardHeader {
		forwardReq.Header.Set(xForwardedURI, xfURI)
	} else if req.URL.RequestURI() != "" {
		forwardReq.Header.Set(xForwardedURI, req.URL.RequestURI())
	} else {
		forwardReq.Header.Del(xForwardedURI)
	}
}
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`package auth`

			`import (`
			`"io/ioutil"`
			`"net"`
			`"net/http"`
			`"strings"`

			`"github.com/containous/traefik/log"`
Opentracing support 2018-01-10 16:48:04 +00:00			`"github.com/containous/traefik/middlewares/tracing"`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`"github.com/containous/traefik/types"`
			`"github.com/vulcand/oxy/forward"`
			`"github.com/vulcand/oxy/utils"`
			`)`

Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`const (`
			`xForwardedURI = "X-Forwarded-Uri"`
			`)`

Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`// Forward the authentication to a external server`
			`func Forward(config types.Forward, w http.ResponseWriter, r http.Request, next http.HandlerFunc) {`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`// Ensure our request client does not follow redirects`
			`httpClient := http.Client{`
			`CheckRedirect: func(r http.Request, via []http.Request) error {`
			`return http.ErrUseLastResponse`
			`},`
			`}`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if config.TLS != nil {`
			`tlsConfig, err := config.TLS.CreateTLSConfig()`
			`if err != nil {`
Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.SetErrorAndDebugLog(r, "Unable to configure TLS to call %s. Cause %s", config.Address, err)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`
			`httpClient.Transport = &http.Transport{`
			`TLSClientConfig: tlsConfig,`
			`}`
			`}`
			`forwardReq, err := http.NewRequest(http.MethodGet, config.Address, nil)`
Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.LogRequest(tracing.GetSpan(r), forwardReq)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if err != nil {`
Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.SetErrorAndDebugLog(r, "Error calling %s. Cause %s", config.Address, err)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`

			`writeHeader(r, forwardReq, config.TrustForwardHeader)`

Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.InjectRequestHeaders(forwardReq)`

Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardResponse, forwardErr := httpClient.Do(forwardReq)`
			`if forwardErr != nil {`
Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.SetErrorAndDebugLog(r, "Error calling %s. Cause: %s", config.Address, forwardErr)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`

			`body, readError := ioutil.ReadAll(forwardResponse.Body)`
			`if readError != nil {`
Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.SetErrorAndDebugLog(r, "Error reading body %s. Cause: %s", config.Address, readError)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`
			`defer forwardResponse.Body.Close()`

Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`// Pass the forward response's body and selected headers if it`
			`// didn't return a response within the range of [200, 300).`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if forwardResponse.StatusCode < http.StatusOK \|\| forwardResponse.StatusCode >= http.StatusMultipleChoices {`
			`log.Debugf("Remote error %s. StatusCode: %d", config.Address, forwardResponse.StatusCode)`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00
			`// Grab the location header, if any.`
			`redirectURL, err := forwardResponse.Location()`

			`if err != nil {`
			`if err != http.ErrNoLocation {`
Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.SetErrorAndDebugLog(r, "Error reading response location header %s. Cause: %s", config.Address, err)`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`
			`} else if redirectURL.String() != "" {`
			`// Set the location in our response if one was sent back.`
			`w.Header().Add("Location", redirectURL.String())`
			`}`

			`// Pass any Set-Cookie headers the forward auth server provides`
			`for _, cookie := range forwardResponse.Cookies() {`
			`w.Header().Add("Set-Cookie", cookie.String())`
			`}`

Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.LogResponseCode(tracing.GetSpan(r), forwardResponse.StatusCode)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`w.WriteHeader(forwardResponse.StatusCode)`
			`w.Write(body)`
			`return`
			`}`

			`r.RequestURI = r.URL.RequestURI()`
			`next(w, r)`
			`}`

			`func writeHeader(req http.Request, forwardReq http.Request, trustForwardHeader bool) {`
			`utils.CopyHeaders(forwardReq.Header, req.Header)`

			`if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {`
			`if trustForwardHeader {`
			`if prior, ok := req.Header[forward.XForwardedFor]; ok {`
			`clientIP = strings.Join(prior, ", ") + ", " + clientIP`
			`}`
			`}`
			`forwardReq.Header.Set(forward.XForwardedFor, clientIP)`
			`}`

			`if xfp := req.Header.Get(forward.XForwardedProto); xfp != "" && trustForwardHeader {`
			`forwardReq.Header.Set(forward.XForwardedProto, xfp)`
			`} else if req.TLS != nil {`
			`forwardReq.Header.Set(forward.XForwardedProto, "https")`
			`} else {`
			`forwardReq.Header.Set(forward.XForwardedProto, "http")`
			`}`

			`if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {`
			`forwardReq.Header.Set(forward.XForwardedPort, xfp)`
			`}`

			`if xfh := req.Header.Get(forward.XForwardedHost); xfh != "" && trustForwardHeader {`
			`forwardReq.Header.Set(forward.XForwardedHost, xfh)`
			`} else if req.Host != "" {`
			`forwardReq.Header.Set(forward.XForwardedHost, req.Host)`
			`} else {`
			`forwardReq.Header.Del(forward.XForwardedHost)`
			`}`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00
			`if xfURI := req.Header.Get(xForwardedURI); xfURI != "" && trustForwardHeader {`
			`forwardReq.Header.Set(xForwardedURI, xfURI)`
			`} else if req.URL.RequestURI() != "" {`
			`forwardReq.Header.Set(xForwardedURI, req.URL.RequestURI())`
			`} else {`
			`forwardReq.Header.Del(xForwardedURI)`
			`}`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`