-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
sso-proxy: add preserve host configuration option #55
Conversation
7a4bd0f
to
f362a2e
Compare
Ready for review. |
40c5338
to
2f0eb24
Compare
I think this could be a table-driven test as well, but would need to edit existing tests rather than creating new ones I think. |
2f0eb24
to
b262bfe
Compare
internal/proxy/oauthproxy_test.go
Outdated
@@ -263,6 +263,129 @@ func TestNewReverseProxyTLSSkipVerify(t *testing.T) { | |||
} | |||
} | |||
|
|||
func TestNewReverseProxyPreserveHost(t *testing.T) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we make these table drive tests as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Almost done w/ these and so far confirmed that replacing a bunch of test functions w/ two bigger table-driven test functions hasn't altered code coverage.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
internal/proxy/proxy_config.go
Outdated
@@ -81,6 +82,7 @@ type OptionsConfig struct { | |||
SkipAuthRegex []string `yaml:"skip_auth_regex"` | |||
AllowedGroups []string `yaml:"allowed_groups"` | |||
TLSSkipVerify bool `yaml:"tls_skip_verify"` | |||
PreserveHost bool `yaml:"preserve_host"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
might be good to add a config unit test as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
👋 hi @sporkmonger! I'll be helping you get this PR merged! Looks like there are some lingering comments from @shrayolacrayon -- is there anything from us you need to get those resolved? |
Hey, sorry about the delay, was heads-down on the Azure AD PR. I’ve got this on my plate next. |
e61ec54
to
98c64ce
Compare
This should be ready to review again. |
Having two is not a bug. HTTP header folding will change:
into:
It is up to client libraries to parse the Yes, why do you have to count the proxies you trust, well because the following:
And the application is configured to only support 3 proxies, then Please don't remove the multiple |
I'd advocate for using https://tools.ietf.org/html/rfc7239, which is actually specified, unlike |
internal/proxy/oauthproxy.go
Outdated
@@ -212,9 +214,13 @@ func NewRewriteReverseProxy(route *RewriteRoute, config *UpstreamConfig) *httput | |||
} | |||
director := httputil.NewSingleHostReverseProxy(target).Director | |||
|
|||
req.Header.Add("X-Forwarded-Host", req.Host) | |||
if req.Header.Get("X-Forwarded-Host") == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here is one more instance where a new X-Forwarded-Host is not added if there is already one in the request.
@@ -427,7 +427,7 @@ func TestRoundTrip(t *testing.T) { | |||
}{ | |||
{ | |||
name: "no error", | |||
url: "https://www.example.com/", | |||
url: "http://www.example.com/", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like it's already been fixed actually.
@bertjwregeer Thanks for the review! I was going to leave a similar comment regarding the @sporkmonger Going to run some integration tests and see if I can get this merged this afternoon. |
@jphines I'm a maintainer for a pure python web server, I've been knee deep in |
Much appreciated. I’m pretty familiar with `X-Forwarded-For`, but hadn’t
ever needed to handle `X-Forwarded-Host` prior.
|
When pointing the proxy directly at an AWS ALB, e.g., the host name will be
xxx.yyy.zzz.elb.amazonaws.com
, however the service itself will typically be expecting a hostname akin toservicename.intranet.company.com
. This change adds a config option that will send the originalHost
header sent by the client through without change. It also changes the behavior of theX-Forwarded-Host
header handling code so that the header will only be set if it doesn't already exist. Currently the existing code will create a secondX-Forwarded-Host
with potentially a different value if there's a proxy chain, which seems likely to be a bug.Since the new config option is named
PreserveHost
and the default zero value isfalse
, the default behavior should continue to be the current behavior. However for either config value this will fix the brokenX-Forwarded-Host
behavior.Fixes #52. Will conflict with #49. I'll clean up whichever gets merged second.