sso-proxy: add preserve host configuration option #55
Conversation
sporkmonger
force-pushed
the
preserve-host-config
branch
3 times, most recently
from
7a4bd0f
to
f362a2e
Compare
|
Ready for review. |
sporkmonger
force-pushed
the
preserve-host-config
branch
3 times, most recently
from
40c5338
to
2f0eb24
Compare
|
I think this could be a table-driven test as well, but would need to edit existing tests rather than creating new ones I think. |
sporkmonger
force-pushed
the
preserve-host-config
branch
from
2f0eb24
to
b262bfe
Compare
internal/proxy/oauthproxy_test.go
Outdated
| @@ -263,6 +263,129 @@ func TestNewReverseProxyTLSSkipVerify(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| func TestNewReverseProxyPreserveHost(t *testing.T) { | |||
There was a problem hiding this comment.
can we make these table drive tests as well?
There was a problem hiding this comment.
Almost done w/ these and so far confirmed that replacing a bunch of test functions w/ two bigger table-driven test functions hasn't altered code coverage.
internal/proxy/proxy_config.go
Outdated
| @@ -81,6 +82,7 @@ type OptionsConfig struct { | |||
| SkipAuthRegex []string `yaml:"skip_auth_regex"` | |||
| AllowedGroups []string `yaml:"allowed_groups"` | |||
| TLSSkipVerify bool `yaml:"tls_skip_verify"` | |||
| PreserveHost bool `yaml:"preserve_host"` | |||
There was a problem hiding this comment.
might be good to add a config unit test as well
|
👋 hi @sporkmonger! I'll be helping you get this PR merged! Looks like there are some lingering comments from @shrayolacrayon -- is there anything from us you need to get those resolved? |
|
Hey, sorry about the delay, was heads-down on the Azure AD PR. I’ve got this on my plate next. |
mreiferson
changed the title
sporkmonger
force-pushed
the
preserve-host-config
branch
from
e61ec54
to
98c64ce
Compare
|
This should be ready to review again. |
|
Having two is not a bug. HTTP header folding will change: into: It is up to client libraries to parse the Yes, why do you have to count the proxies you trust, well because the following: And the application is configured to only support 3 proxies, then Please don't remove the multiple |
|
I'd advocate for using https://tools.ietf.org/html/rfc7239, which is actually specified, unlike |
internal/proxy/oauthproxy.go
Outdated
| @@ -212,9 +214,13 @@ func NewRewriteReverseProxy(route *RewriteRoute, config *UpstreamConfig) *httput | |||
| } | |||
| director := httputil.NewSingleHostReverseProxy(target).Director | |||
|
|
|||
| req.Header.Add("X-Forwarded-Host", req.Host) | |||
| if req.Header.Get("X-Forwarded-Host") == "" { | |||
There was a problem hiding this comment.
Here is one more instance where a new X-Forwarded-Host is not added if there is already one in the request.
| @@ -427,7 +427,7 @@ func TestRoundTrip(t *testing.T) { | |||
| }{ | |||
| { | |||
| name: "no error", | |||
| url: "https://www.example.com/", | |||
| url: "http://www.example.com/", | |||
There was a problem hiding this comment.
Looks like it's already been fixed actually.
|
@bertjwregeer Thanks for the review! I was going to leave a similar comment regarding the @sporkmonger Going to run some integration tests and see if I can get this merged this afternoon. |
|
@jphines I'm a maintainer for a pure python web server, I've been knee deep in |
|
Much appreciated. I’m pretty familiar with `X-Forwarded-For`, but hadn’t
ever needed to handle `X-Forwarded-Host` prior.
|
When pointing the proxy directly at an AWS ALB, e.g., the host name will be
xxx.yyy.zzz.elb.amazonaws.com, however the service itself will typically be expecting a hostname akin toservicename.intranet.company.com. This change adds a config option that will send the originalHostheader sent by the client through without change. It also changes the behavior of theX-Forwarded-Hostheader handling code so that the header will only be set if it doesn't already exist. Currently the existing code will create a secondX-Forwarded-Hostwith potentially a different value if there's a proxy chain, which seems likely to be a bug.Since the new config option is named
PreserveHostand the default zero value isfalse, the default behavior should continue to be the current behavior. However for either config value this will fix the brokenX-Forwarded-Hostbehavior.Fixes #52. Will conflict with #49. I'll clean up whichever gets merged second.