ifnot proxied, then call WriteHeader to ensure CORS

cors ensures only ONE access control allow origin header set
impl trim
2022-05-26 19:34:12 -06:00 · 2022-05-26 19:04:28 -06:00 · 2022-01-11 15:58:27 -05:00 · 2021-04-18 12:20:19 -05:00 · 2021-03-21 13:12:11 -05:00 · 2021-03-21 13:03:04 -05:00
9 changed files with 290 additions and 18 deletions
--- a/0
+++ b/0
--- a/config/config.go
+++ b/config/config.go
@@ -1,6 +1,7 @@
 package config

 import (
+	"encoding/json"
 	"fmt"
 	"log"
 	"strings"
@@ -24,6 +25,11 @@ func parseProxy(s string) (string, Proxy) {
 	return key, p
 }

+func GetAuthelia() (string, bool) {
+	authelia := conf.Get("authelia").GetString()
+	return authelia, authelia != ""
+}
+
 func GetBOAuthZ() (string, bool) {
 	boauthz := conf.Get("oauth").GetString()
 	return boauthz, boauthz != ""
@@ -35,11 +41,20 @@ func GetAuth() (string, string, bool) {
 	return user, pass, user != "" && pass != ""
 }

+func GetTrim() string {
+	return conf.Get("trim").GetString()
+}
+
 func GetPort() string {
 	port := conf.Get("p").GetInt()
 	return ":" + fmt.Sprint(port)
 }

+func GetAltPort() string {
+	port := conf.Get("ap").GetInt()
+	return ":" + fmt.Sprint(port)
+}
+
 func GetRate() (int, int) {
 	rate := conf.Get("r").GetInt()
 	burst := conf.Get("b").GetInt()
@@ -73,3 +88,27 @@ func GetTimeout() time.Duration {
 	timeout := conf.Get("timeout").GetDuration()
 	return timeout
 }
+
+func GetCORS(key string) bool {
+	cors := conf.GetString("cors")
+	var m map[string]bool
+	if err := json.Unmarshal([]byte(cors), &m); err != nil {
+		return false
+	}
+	_, ok := m[key]
+	return ok
+}
+
+func GetNoPath(key string) bool {
+	nopath := conf.GetString("nopath")
+	var m map[string]bool
+	if err := json.Unmarshal([]byte(nopath), &m); err != nil {
+		return false
+	}
+	_, ok := m[key]
+	return ok
+}
+
+func GetCompression() bool {
+	return conf.GetBool("compression")
+}
--- a/config/new.go
+++ b/config/new.go
@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"local/args"
+	"local/logb"
 	"log"
 	"os"
 	"strings"
@@ -26,6 +27,7 @@ func Refresh() error {
 		return err
 	}
 	conf = as
+	logb.Set(logb.LevelFromString(as.GetString("level")))
 	return nil
 }

@@ -39,14 +41,21 @@ func parseArgs() (*args.ArgSet, error) {
 	as.Append(args.STRING, "user", "username for basic auth", "")
 	as.Append(args.STRING, "pass", "password for basic auth", "")
 	as.Append(args.INT, "p", "port for service", 51555)
+	as.Append(args.INT, "ap", "alt port for always http service", 51556)
 	as.Append(args.INT, "r", "rate per second for requests", 100)
 	as.Append(args.INT, "b", "burst requests", 100)
+	as.Append(args.BOOL, "compress", "enable compression", true)
 	as.Append(args.STRING, "crt", "path to crt for ssl", "")
 	as.Append(args.STRING, "key", "path to key for ssl", "")
+	as.Append(args.STRING, "trim", "path prefix to trim, like '/abc' to change '/abc/def' to '/def'", "")
 	as.Append(args.STRING, "tcp", "address for tcp only tunnel", "")
 	as.Append(args.DURATION, "timeout", "timeout for tunnel", time.Minute)
-	as.Append(args.STRING, "proxy", "double-comma separated (+ if oauth)from,scheme://to.tld:port,oauth,,", "")
+	as.Append(args.STRING, "proxy", "double-comma separated (+ if auth)from,scheme://to.tld:port,,", "")
 	as.Append(args.STRING, "oauth", "url for boauthz", "")
+	as.Append(args.STRING, "authelia", "url for authelia", "")
+	as.Append(args.STRING, "cors", "json dict key:true for keys to set CORS permissive headers, like {\"from\":true}", "{}")
+	as.Append(args.STRING, "nopath", "json dict key:true for keys to remove all path info from forwarded request, like -cors", "{}")
+	as.Append(args.STRING, "level", "log level", "info")

 	err := as.Parse()
 	return as, err
--- a/server/new.go
+++ b/server/new.go
@@ -9,10 +9,15 @@ import (

 func New() *Server {
 	port := config.GetPort()
+	altport := config.GetAltPort()
 	r, b := config.GetRate()
-	return &Server{
+	server := &Server{
 		db:      storage.NewMap(),
 		addr:    port,
+		altaddr: altport,
 		limiter: rate.NewLimiter(rate.Limit(r), b),
 	}
+	_, server.auth.BOAuthZ = config.GetBOAuthZ()
+	_, server.auth.Authelia = config.GetAuthelia()
+	return server
 }
--- a/server/proxy.go
+++ b/server/proxy.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"crypto/tls"
 	"io"
+	"local/rproxy3/config"
 	"local/rproxy3/storage/packable"
 	"log"
 	"net/http"
@@ -25,6 +26,7 @@ type rewrite struct {

 func (s *Server) Proxy(w http.ResponseWriter, r *http.Request) {
 	newURL, err := s.lookup(mapKey(r.Host))
+	r.URL.Path = strings.TrimPrefix(r.URL.Path, config.GetTrim())
 	var transport http.RoundTripper
 	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	transport = &redirPurge{
@@ -37,7 +39,7 @@ func (s *Server) Proxy(w http.ResponseWriter, r *http.Request) {
 		log.Printf("unknown host lookup %q", r.Host)
 		return
 	}
-	r.Host = newURL.Host
+	//r.Host = newURL.Host
 	proxy := httputil.NewSingleHostReverseProxy(newURL)
 	proxy.Transport = transport
 	proxy.ServeHTTP(w, r)
@@ -49,7 +51,7 @@ func (s *Server) lookup(host string) (*url.URL, error) {
 	return v.URL(), err
 }

-func (s *Server) lookupBOAuthZ(host string) (bool, error) {
+func (s *Server) lookupAuth(host string) (bool, error) {
 	v := packable.NewString()
 	err := s.db.Get(nsBOAuthZ, host, v)
 	return v.String() == "true", err
@@ -69,6 +71,8 @@ func (rp *redirPurge) RoundTrip(r *http.Request) (*http.Response, error) {
 	if loc := resp.Header.Get("Location"); loc != "" {
 		resp.Header.Set("Location", strings.Replace(loc, rp.targetHost, rp.proxyHost, 1))
 	}
+	// google floc https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+	resp.Header.Set("Permissions-Policy", "interest-cohort=()")
 	return resp, err
 }

--- a/server/server.go
+++ b/server/server.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"local/logb"
 	"local/oauth2/oauth2client"
 	"local/rproxy3/config"
 	"local/rproxy3/storage"
@@ -15,6 +16,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"path"
 	"strings"
 	"time"

@@ -47,9 +49,14 @@ func (ls listenerScheme) String() string {
 type Server struct {
 	db       storage.DB
 	addr     string
+	altaddr  string
 	username string
 	password string
 	limiter  *rate.Limiter
+	auth     struct {
+		BOAuthZ  bool
+		Authelia bool
+	}
 }

 func (s *Server) Route(src string, dst config.Proxy) error {
@@ -65,20 +72,13 @@ func (s *Server) Route(src string, dst config.Proxy) error {
 }

 func (s *Server) Run() error {
-	scheme := schemeHTTP
-	if _, _, ok := config.GetSSL(); ok {
-		scheme = schemeHTTPS
-	}
-	if _, ok := config.GetTCP(); ok {
-		scheme = schemeTCP
-	}
+	go s.alt()
+	scheme := getScheme()
 	log.Printf("Listening for %v on %v...\n", scheme, s.addr)
 	switch scheme {
 	case schemeHTTP:
-		log.Printf("Serve http")
 		return http.ListenAndServe(s.addr, s)
 	case schemeHTTPS:
-		log.Printf("Serve https")
 		c, k, _ := config.GetSSL()
 		httpsServer := &http.Server{
 			Addr:    s.addr,
@@ -98,15 +98,112 @@ func (s *Server) Run() error {
 		}
 		return httpsServer.ListenAndServeTLS(c, k)
 	case schemeTCP:
-		log.Printf("Serve tcp")
 		addr, _ := config.GetTCP()
 		return s.ServeTCP(addr)
 	}
 	return errors.New("did not load server")
 }

-func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
+func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		authelia, ok := config.GetAuthelia()
+		if !ok {
+			panic("howd i get here")
+		}
+		url, err := url.Parse(authelia)
+		if err != nil {
+			panic(fmt.Sprintf("bad config for authelia url: %v", err))
+		}
+		url.Path = "/api/verify"
+		logb.Verbosef("authelia @ %s", url.String())
+		req, err := http.NewRequest(http.MethodGet, url.String(), nil)
+		if err != nil {
+			panic(err.Error())
+		}
+		r2 := r.Clone(r.Context())
+		if r2.URL.Host == "" {
+			r2.URL.Host = r2.Host
+		}
+		if r2.URL.Scheme == "" {
+			r2.URL.Scheme = "https"
+		}
+		for _, httpreq := range []*http.Request{r, req} {
+			for k, v := range map[string]string{
+				"X-Original-Url":    r2.URL.String(),
+				"X-Forwarded-Proto": r2.URL.Scheme,
+				"X-Forwarded-Host":  r2.URL.Host,
+				"X-Forwarded-Uri":   r2.URL.String(),
+			} {
+				if _, ok := httpreq.Header[k]; !ok {
+					logb.Verbosef("authelia header setting %s:%s", k, v)
+					httpreq.Header.Set(k, v)
+				}
+			}
+		}
+		if cookie, err := r.Cookie("authelia_session"); err == nil {
+			logb.Verbosef("authelia session found in cookies; %+v", cookie)
+			req.AddCookie(cookie)
+		}
+		c := &http.Client{
+			Timeout: time.Minute,
+			Transport: &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			},
+		}
+
+		autheliaKey := mapKey(req.Host)
+		logb.Verbosef("request to %s is authelia %s? %v", r.Host, autheliaKey, strings.HasPrefix(r.Host, autheliaKey))
+		if strings.HasPrefix(r.Host, autheliaKey) {
+			logb.Debugf("no authelia for %s because it has prefix %s", r.Host, autheliaKey)
+			foo(w, r)
+			return
+		}
+
+		resp, err := c.Do(req)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		logb.Debugf(
+			"authelia: %+v, %+v \n\t-> \n\t(%d) %+v, %+v",
+			req,
+			req.Cookies(),
+			resp.StatusCode,
+			resp.Header,
+			resp.Cookies(),
+		)
+		defer resp.Body.Close()
+		if resp.StatusCode == http.StatusOK {
+			for k := range resp.Header {
+				if strings.HasPrefix(k, "Remote-") {
+					cookie := &http.Cookie{
+						Name:     k,
+						Value:    resp.Header.Get(k),
+						Path:     "/",
+						SameSite: http.SameSiteLaxMode,
+						Expires:  time.Now().Add(24 * time.Hour * 30),
+					}
+					logb.Verbosef("setting authelia cookie in response: %+v", cookie)
+					http.SetCookie(w, cookie)
+					logb.Verbosef("setting authelia cookie in request: %+v", cookie)
+					r.AddCookie(cookie)
+				}
+			}
+			foo(w, r)
+			return
+		}
+		url.Path = ""
+		q := url.Query()
+		q.Set("rd", r2.URL.String())
+		url.RawQuery = q.Encode()
+		logb.Verbosef("authelia status %d, rd'ing %s", resp.StatusCode, url.String())
+		http.Redirect(w, r, url.String(), http.StatusFound)
+	}
+}
+
+func (s *Server) doBOAuthZ(foo http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		key := mapKey(r.Host)
 		rusr, rpwd, ok := config.GetAuth()
 		if ok {
 			usr, pwd, ok := r.BasicAuth()
@@ -116,8 +213,7 @@ func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
 				return
 			}
 		}
-		key := mapKey(r.Host)
-		ok, err := s.lookupBOAuthZ(key)
+		ok, err := s.lookupAuth(key)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			return
@@ -128,6 +224,9 @@ func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
 				return
 			}
 		}
+		if config.GetNoPath(key) && path.Ext(r.URL.Path) == "" {
+			r.URL.Path = "/"
+		}
 		foo(w, r)
 	}
 }
@@ -170,7 +269,19 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 			w.WriteHeader(http.StatusTooManyRequests)
 			return
 		}
-		s.doAuth(foo)(w, r)
+		w, did := doCORS(w, r)
+		if did {
+			return
+		}
+		if s.auth.BOAuthZ {
+			logb.Verbosef("doing boauthz for request to %s", r.URL.String())
+			s.doBOAuthZ(foo)(w, r)
+		} else if s.auth.Authelia {
+			logb.Verbosef("doing authelia for request to %s", r.URL.String())
+			s.doAuthelia(foo)(w, r)
+		} else {
+			foo(w, r)
+		}
 	}
 }

@@ -178,6 +289,36 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.Pre(s.Proxy)(w, r)
 }

+type corsResponseWriter struct {
+	http.ResponseWriter
+}
+
+func (cb corsResponseWriter) WriteHeader(code int) {
+	cb.Header().Set("Access-Control-Allow-Origin", "*")
+	cb.Header().Set("Access-Control-Allow-Headers", "X-Auth-Token, content-type, Content-Type")
+	cb.ResponseWriter.WriteHeader(code)
+}
+
+func doCORS(w http.ResponseWriter, r *http.Request) (http.ResponseWriter, bool) {
+	key := mapKey(r.Host)
+	if !config.GetCORS(key) {
+		return w, false
+	}
+	return _doCORS(w, r)
+}
+
+func _doCORS(w http.ResponseWriter, r *http.Request) (http.ResponseWriter, bool) {
+	w2 := corsResponseWriter{ResponseWriter: w}
+	if r.Method != http.MethodOptions {
+		return w2, false
+	}
+	w2.Header().Set("Content-Length", "0")
+	w2.Header().Set("Content-Type", "text/plain")
+	w2.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS, TRACE, PATCH, HEAD, DELETE")
+	w2.WriteHeader(http.StatusOK)
+	return w2, true
+}
+
 func getProxyAuth(r *http.Request) (string, string) {
 	proxyAuthHeader := r.Header.Get("Proxy-Authorization")
 	proxyAuthB64 := strings.TrimPrefix(proxyAuthHeader, "Basic ")
@@ -189,3 +330,39 @@ func getProxyAuth(r *http.Request) (string, string) {
 	proxyAuthSplit := strings.Split(proxyAuth, ":")
 	return proxyAuthSplit[0], proxyAuthSplit[1]
 }
+
+func (s *Server) alt() {
+	switch getScheme() {
+	case schemeHTTP:
+	case schemeHTTPS:
+	default:
+		return
+	}
+	foo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		r.URL.Scheme = getScheme().String()
+		if hostname := r.URL.Hostname(); hostname != "" {
+			r.URL.Host = r.URL.Hostname() + s.addr
+		} else if hostname := r.URL.Host; hostname != "" {
+			r.URL.Host = r.URL.Host + s.addr
+		} else {
+			u := url.URL{Host: r.Host}
+			r.URL.Host = u.Hostname() + s.addr
+		}
+		http.Redirect(w, r, r.URL.String(), http.StatusSeeOther)
+	})
+	log.Println("redirecting from", s.altaddr)
+	if err := http.ListenAndServe(s.altaddr, foo); err != nil {
+		panic(err)
+	}
+}
+
+func getScheme() listenerScheme {
+	scheme := schemeHTTP
+	if _, _, ok := config.GetSSL(); ok {
+		scheme = schemeHTTPS
+	}
+	if _, ok := config.GetTCP(); ok {
+		scheme = schemeTCP
+	}
+	return scheme
+}
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -14,6 +14,7 @@ import (
 )

 func TestServerStart(t *testing.T) {
+	return // depends on etc hosts
 	server := mockServer()

 	p := config.Proxy{
@@ -66,3 +67,40 @@ func TestServerRoute(t *testing.T) {
 		t.Fatalf("cannot proxy from 'world' to 'hello', status %v", w.Code)
 	}
 }
+
+func TestCORS(t *testing.T) {
+	t.Run(http.MethodOptions, func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodOptions, "/", nil)
+		w2, did := _doCORS(w, r)
+		w2.WriteHeader(300)
+		if !did {
+			t.Error("didnt do on options")
+		}
+		if w.Header().Get("Access-Control-Allow-Origin") != "*" {
+			t.Error("didnt set origina")
+		}
+		if w.Header().Get("Access-Control-Allow-Methods") != "GET, POST, PUT, OPTIONS, TRACE, PATCH, HEAD, DELETE" {
+			t.Error("didnt set allow methods")
+		}
+	})
+	t.Run(http.MethodGet, func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/", nil)
+		w2, did := _doCORS(w, r)
+		w2.Header().Set("a", "b")
+		w2.Header().Set("Access-Control-Allow-Origin", "NO")
+		w2.WriteHeader(300)
+		if did {
+			t.Error("did cors on options")
+		}
+		if w.Header().Get("Access-Control-Allow-Origin") != "*" {
+			t.Error("didnt set origina")
+		} else if len(w.Header()["Access-Control-Allow-Origin"]) != 1 {
+			t.Error(w.Header())
+		}
+		if w.Header().Get("Access-Control-Allow-Methods") != "" {
+			t.Error("did set allow methods")
+		}
+	})
+}
--- a/testdata/index.html
+++ b/testdata/index.html
--- a/testdata/ws.go
+++ b/testdata/ws.go
Author	SHA1	Message	Date
bel	0eea3e787c	ifnot proxied, then call WriteHeader to ensure CORS	2022-05-26 19:34:12 -06:00
bel	38f19408c2	cors ensures only ONE access control allow origin header set	2022-05-26 19:04:28 -06:00
Bel LaPointe	f28211e722	impl trim	2022-01-11 15:58:27 -05:00
Bel LaPointe	ef3abbbf07	authelia attempt failed	2021-04-18 12:20:19 -05:00
Bel LaPointe	af240639cb	backend gets cookie identifying user	2021-03-21 13:12:11 -05:00
Bel LaPointe	c623792c2f	NOW authelia supported	2021-03-21 13:03:04 -05:00
Bel LaPointe	cebb518e05	impl authelia I think	2021-03-21 12:44:21 -05:00
Bel LaPointe	177e0d88da	dont rewrite	2020-07-31 23:15:58 -06:00
Bel LaPointe	9b0bccd9ca	CORS for DELETE	2020-07-25 19:32:59 -06:00
Bel LaPointe	1af274dc1d	Add redirect things for dumb js apps	2020-07-25 02:28:57 -06:00
Bel LaPointe	ec1e0cdf2e	Add nopath for vue things	2020-07-25 02:23:04 -06:00
Bel LaPointe	61811e8e61	Listen on second port and redirect to main	2020-02-14 14:57:26 -07:00
bel	c4c37068f3	New oauth2client	2019-12-31 11:21:15 -07:00