traefik/pkg/middlewares/auth/forward.go

218 lines
6.2 KiB
Go
Raw Normal View History

package auth
import (
2018-11-14 09:18:03 +00:00
"context"
"crypto/tls"
"fmt"
"io/ioutil"
"net"
"net/http"
"strings"
"github.com/containous/traefik/pkg/config/dynamic"
2019-03-15 08:42:03 +00:00
"github.com/containous/traefik/pkg/middlewares"
"github.com/containous/traefik/pkg/tracing"
2018-11-14 09:18:03 +00:00
"github.com/opentracing/opentracing-go/ext"
"github.com/vulcand/oxy/forward"
"github.com/vulcand/oxy/utils"
)
const (
2018-11-14 09:18:03 +00:00
xForwardedURI = "X-Forwarded-Uri"
xForwardedMethod = "X-Forwarded-Method"
forwardedTypeName = "ForwardedAuthType"
)
2018-11-14 09:18:03 +00:00
type forwardAuth struct {
address string
authResponseHeaders []string
next http.Handler
name string
tlsConfig *tls.Config
trustForwardHeader bool
}
// NewForward creates a forward auth middleware.
func NewForward(ctx context.Context, next http.Handler, config dynamic.ForwardAuth, name string) (http.Handler, error) {
2018-11-14 09:18:03 +00:00
middlewares.GetLogger(ctx, name, forwardedTypeName).Debug("Creating middleware")
fa := &forwardAuth{
address: config.Address,
authResponseHeaders: config.AuthResponseHeaders,
next: next,
name: name,
trustForwardHeader: config.TrustForwardHeader,
}
if config.TLS != nil {
tlsConfig, err := config.TLS.CreateTLSConfig()
if err != nil {
2018-11-14 09:18:03 +00:00
return nil, err
}
2018-11-14 09:18:03 +00:00
fa.tlsConfig = tlsConfig
}
return fa, nil
}
func (fa *forwardAuth) GetTracingInformation() (string, ext.SpanKindEnum) {
return fa.name, ext.SpanKindRPCClientEnum
}
func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
logger := middlewares.GetLogger(req.Context(), fa.name, forwardedTypeName)
// Ensure our request client does not follow redirects
httpClient := http.Client{
CheckRedirect: func(r *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
if fa.tlsConfig != nil {
httpClient.Transport = &http.Transport{
2018-11-14 09:18:03 +00:00
TLSClientConfig: fa.tlsConfig,
}
}
2018-11-14 09:18:03 +00:00
forwardReq, err := http.NewRequest(http.MethodGet, fa.address, nil)
tracing.LogRequest(tracing.GetSpan(req), forwardReq)
if err != nil {
2018-11-14 09:18:03 +00:00
logMessage := fmt.Sprintf("Error calling %s. Cause %s", fa.address, err)
logger.Debug(logMessage)
tracing.SetErrorWithEvent(req, logMessage)
rw.WriteHeader(http.StatusInternalServerError)
return
}
2018-11-14 09:18:03 +00:00
writeHeader(req, forwardReq, fa.trustForwardHeader)
2018-01-10 16:48:04 +00:00
tracing.InjectRequestHeaders(forwardReq)
forwardResponse, forwardErr := httpClient.Do(forwardReq)
if forwardErr != nil {
2018-11-14 09:18:03 +00:00
logMessage := fmt.Sprintf("Error calling %s. Cause: %s", fa.address, forwardErr)
logger.Debug(logMessage)
tracing.SetErrorWithEvent(req, logMessage)
rw.WriteHeader(http.StatusInternalServerError)
return
}
body, readError := ioutil.ReadAll(forwardResponse.Body)
if readError != nil {
2018-11-14 09:18:03 +00:00
logMessage := fmt.Sprintf("Error reading body %s. Cause: %s", fa.address, readError)
logger.Debug(logMessage)
tracing.SetErrorWithEvent(req, logMessage)
rw.WriteHeader(http.StatusInternalServerError)
return
}
defer forwardResponse.Body.Close()
// Pass the forward response's body and selected headers if it
// didn't return a response within the range of [200, 300).
if forwardResponse.StatusCode < http.StatusOK || forwardResponse.StatusCode >= http.StatusMultipleChoices {
2018-11-14 09:18:03 +00:00
logger.Debugf("Remote error %s. StatusCode: %d", fa.address, forwardResponse.StatusCode)
2018-11-14 09:18:03 +00:00
utils.CopyHeaders(rw.Header(), forwardResponse.Header)
utils.RemoveHeaders(rw.Header(), forward.HopHeaders...)
// Grab the location header, if any.
redirectURL, err := forwardResponse.Location()
if err != nil {
if err != http.ErrNoLocation {
2018-11-14 09:18:03 +00:00
logMessage := fmt.Sprintf("Error reading response location header %s. Cause: %s", fa.address, err)
logger.Debug(logMessage)
tracing.SetErrorWithEvent(req, logMessage)
rw.WriteHeader(http.StatusInternalServerError)
return
}
} else if redirectURL.String() != "" {
// Set the location in our response if one was sent back.
2018-11-14 09:18:03 +00:00
rw.Header().Set("Location", redirectURL.String())
}
2018-11-14 09:18:03 +00:00
tracing.LogResponseCode(tracing.GetSpan(req), forwardResponse.StatusCode)
rw.WriteHeader(forwardResponse.StatusCode)
2018-08-06 18:00:03 +00:00
2018-11-14 09:18:03 +00:00
if _, err = rw.Write(body); err != nil {
logger.Error(err)
2018-08-06 18:00:03 +00:00
}
return
}
2018-11-14 09:18:03 +00:00
for _, headerName := range fa.authResponseHeaders {
headerKey := http.CanonicalHeaderKey(headerName)
req.Header.Del(headerKey)
if len(forwardResponse.Header[headerKey]) > 0 {
req.Header[headerKey] = append([]string(nil), forwardResponse.Header[headerKey]...)
}
2018-06-30 05:54:03 +00:00
}
2018-11-14 09:18:03 +00:00
req.RequestURI = req.URL.RequestURI()
fa.next.ServeHTTP(rw, req)
}
func writeHeader(req *http.Request, forwardReq *http.Request, trustForwardHeader bool) {
utils.CopyHeaders(forwardReq.Header, req.Header)
2018-09-25 13:06:03 +00:00
utils.RemoveHeaders(forwardReq.Header, forward.HopHeaders...)
if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
if trustForwardHeader {
if prior, ok := req.Header[forward.XForwardedFor]; ok {
clientIP = strings.Join(prior, ", ") + ", " + clientIP
}
}
forwardReq.Header.Set(forward.XForwardedFor, clientIP)
}
2019-02-05 16:10:03 +00:00
xMethod := req.Header.Get(xForwardedMethod)
switch {
case xMethod != "" && trustForwardHeader:
2018-06-13 13:14:03 +00:00
forwardReq.Header.Set(xForwardedMethod, xMethod)
2019-02-05 16:10:03 +00:00
case req.Method != "":
2018-06-13 13:14:03 +00:00
forwardReq.Header.Set(xForwardedMethod, req.Method)
2019-02-05 16:10:03 +00:00
default:
2018-06-13 13:14:03 +00:00
forwardReq.Header.Del(xForwardedMethod)
}
2019-02-05 16:10:03 +00:00
xfp := req.Header.Get(forward.XForwardedProto)
switch {
case xfp != "" && trustForwardHeader:
forwardReq.Header.Set(forward.XForwardedProto, xfp)
2019-02-05 16:10:03 +00:00
case req.TLS != nil:
forwardReq.Header.Set(forward.XForwardedProto, "https")
2019-02-05 16:10:03 +00:00
default:
forwardReq.Header.Set(forward.XForwardedProto, "http")
}
if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {
forwardReq.Header.Set(forward.XForwardedPort, xfp)
}
2019-02-05 16:10:03 +00:00
xfh := req.Header.Get(forward.XForwardedHost)
switch {
case xfh != "" && trustForwardHeader:
forwardReq.Header.Set(forward.XForwardedHost, xfh)
2019-02-05 16:10:03 +00:00
case req.Host != "":
forwardReq.Header.Set(forward.XForwardedHost, req.Host)
2019-02-05 16:10:03 +00:00
default:
forwardReq.Header.Del(forward.XForwardedHost)
}
2019-02-05 16:10:03 +00:00
xfURI := req.Header.Get(xForwardedURI)
switch {
case xfURI != "" && trustForwardHeader:
forwardReq.Header.Set(xForwardedURI, xfURI)
2019-02-05 16:10:03 +00:00
case req.URL.RequestURI() != "":
forwardReq.Header.Set(xForwardedURI, req.URL.RequestURI())
2019-02-05 16:10:03 +00:00
default:
forwardReq.Header.Del(xForwardedURI)
}
}