192 lines
5.3 KiB
Go
192 lines
5.3 KiB
Go
package headers
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"regexp"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/traefik/traefik/v3/pkg/config/dynamic"
|
|
"github.com/traefik/traefik/v3/pkg/middlewares"
|
|
"github.com/vulcand/oxy/v2/forward"
|
|
)
|
|
|
|
// Header is a middleware that helps setup a few basic security features.
|
|
// A single headerOptions struct can be provided to configure which features should be enabled,
|
|
// and the ability to override a few of the default values.
|
|
type Header struct {
|
|
next http.Handler
|
|
hasCustomHeaders bool
|
|
hasCorsHeaders bool
|
|
headers *dynamic.Headers
|
|
allowOriginRegexes []*regexp.Regexp
|
|
}
|
|
|
|
// NewHeader constructs a new header instance from supplied frontend header struct.
|
|
func NewHeader(next http.Handler, cfg dynamic.Headers) (*Header, error) {
|
|
hasCustomHeaders := cfg.HasCustomHeadersDefined()
|
|
hasCorsHeaders := cfg.HasCorsHeadersDefined()
|
|
|
|
regexes := make([]*regexp.Regexp, len(cfg.AccessControlAllowOriginListRegex))
|
|
for i, str := range cfg.AccessControlAllowOriginListRegex {
|
|
reg, err := regexp.Compile(str)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error occurred during origin parsing: %w", err)
|
|
}
|
|
regexes[i] = reg
|
|
}
|
|
|
|
return &Header{
|
|
next: next,
|
|
headers: &cfg,
|
|
hasCustomHeaders: hasCustomHeaders,
|
|
hasCorsHeaders: hasCorsHeaders,
|
|
allowOriginRegexes: regexes,
|
|
}, nil
|
|
}
|
|
|
|
func (s *Header) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
|
// Handle Cors headers and preflight if configured.
|
|
if isPreflight := s.processCorsHeaders(rw, req); isPreflight {
|
|
rw.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
|
|
if s.hasCustomHeaders {
|
|
s.modifyCustomRequestHeaders(req)
|
|
}
|
|
|
|
// If there is a next, call it.
|
|
if s.next != nil {
|
|
s.next.ServeHTTP(middlewares.NewResponseModifier(rw, req, s.PostRequestModifyResponseHeaders), req)
|
|
}
|
|
}
|
|
|
|
// modifyCustomRequestHeaders sets or deletes custom request headers.
|
|
func (s *Header) modifyCustomRequestHeaders(req *http.Request) {
|
|
// Loop through Custom request headers
|
|
for header, value := range s.headers.CustomRequestHeaders {
|
|
switch {
|
|
// Handling https://github.com/golang/go/commit/ecdbffd4ec68b509998792f120868fec319de59b.
|
|
case value == "" && header == forward.XForwardedFor:
|
|
req.Header[header] = nil
|
|
|
|
case value == "":
|
|
req.Header.Del(header)
|
|
|
|
case strings.EqualFold(header, "Host"):
|
|
req.Host = value
|
|
|
|
default:
|
|
req.Header.Set(header, value)
|
|
}
|
|
}
|
|
}
|
|
|
|
// PostRequestModifyResponseHeaders set or delete response headers.
|
|
// This method is called AFTER the response is generated from the backend
|
|
// and can merge/override headers from the backend response.
|
|
func (s *Header) PostRequestModifyResponseHeaders(res *http.Response) error {
|
|
// Loop through Custom response headers
|
|
for header, value := range s.headers.CustomResponseHeaders {
|
|
if value == "" {
|
|
res.Header.Del(header)
|
|
} else {
|
|
res.Header.Set(header, value)
|
|
}
|
|
}
|
|
|
|
if res != nil && res.Request != nil {
|
|
originHeader := res.Request.Header.Get("Origin")
|
|
allowed, match := s.isOriginAllowed(originHeader)
|
|
|
|
if allowed {
|
|
res.Header.Set("Access-Control-Allow-Origin", match)
|
|
}
|
|
}
|
|
|
|
if s.headers.AccessControlAllowCredentials {
|
|
res.Header.Set("Access-Control-Allow-Credentials", "true")
|
|
}
|
|
|
|
if len(s.headers.AccessControlExposeHeaders) > 0 {
|
|
exposeHeaders := strings.Join(s.headers.AccessControlExposeHeaders, ",")
|
|
res.Header.Set("Access-Control-Expose-Headers", exposeHeaders)
|
|
}
|
|
|
|
if !s.headers.AddVaryHeader {
|
|
return nil
|
|
}
|
|
|
|
varyHeader := res.Header.Get("Vary")
|
|
if varyHeader == "Origin" {
|
|
return nil
|
|
}
|
|
|
|
if varyHeader != "" {
|
|
varyHeader += ","
|
|
}
|
|
varyHeader += "Origin"
|
|
|
|
res.Header.Set("Vary", varyHeader)
|
|
return nil
|
|
}
|
|
|
|
// processCorsHeaders processes the incoming request,
|
|
// and returns if it is a preflight request.
|
|
// If not a preflight, it handles the preRequestModifyCorsResponseHeaders.
|
|
func (s *Header) processCorsHeaders(rw http.ResponseWriter, req *http.Request) bool {
|
|
if !s.hasCorsHeaders {
|
|
return false
|
|
}
|
|
|
|
reqAcMethod := req.Header.Get("Access-Control-Request-Method")
|
|
originHeader := req.Header.Get("Origin")
|
|
|
|
if reqAcMethod != "" && originHeader != "" && req.Method == http.MethodOptions {
|
|
// If the request is an OPTIONS request with an Access-Control-Request-Method header,
|
|
// and Origin headers, then it is a CORS preflight request,
|
|
// and we need to build a custom response: https://www.w3.org/TR/cors/#preflight-request
|
|
if s.headers.AccessControlAllowCredentials {
|
|
rw.Header().Set("Access-Control-Allow-Credentials", "true")
|
|
}
|
|
|
|
allowHeaders := strings.Join(s.headers.AccessControlAllowHeaders, ",")
|
|
if allowHeaders != "" {
|
|
rw.Header().Set("Access-Control-Allow-Headers", allowHeaders)
|
|
}
|
|
|
|
allowMethods := strings.Join(s.headers.AccessControlAllowMethods, ",")
|
|
if allowMethods != "" {
|
|
rw.Header().Set("Access-Control-Allow-Methods", allowMethods)
|
|
}
|
|
|
|
allowed, match := s.isOriginAllowed(originHeader)
|
|
if allowed {
|
|
rw.Header().Set("Access-Control-Allow-Origin", match)
|
|
}
|
|
|
|
rw.Header().Set("Access-Control-Max-Age", strconv.Itoa(int(s.headers.AccessControlMaxAge)))
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (s *Header) isOriginAllowed(origin string) (bool, string) {
|
|
for _, item := range s.headers.AccessControlAllowOriginList {
|
|
if item == "*" || item == origin {
|
|
return true, item
|
|
}
|
|
}
|
|
|
|
for _, regex := range s.allowOriginRegexes {
|
|
if regex.MatchString(origin) {
|
|
return true, origin
|
|
}
|
|
}
|
|
|
|
return false, ""
|
|
}
|