cors ensures only ONE access control allow origin header set

impl trim
authelia attempt failed
2022-05-26 19:04:28 -06:00 · 2022-01-11 15:58:27 -05:00 · 2021-04-18 12:20:19 -05:00 · 2021-03-21 13:12:11 -05:00 · 2021-03-21 13:03:04 -05:00 · 2021-03-21 12:44:21 -05:00
5 changed files with 200 additions and 8 deletions
--- a/config/config.go
+++ b/config/config.go
@@ -1,6 +1,7 @@
 package config
 import (
 	"encoding/json"
 	"fmt"
 	"log"
 	"strings"
@@ -24,6 +25,11 @@ func parseProxy(s string) (string, Proxy) {
 	return key, p
 }
 func GetAuthelia() (string, bool) {
 	authelia := conf.Get("authelia").GetString()
 	return authelia, authelia != ""
 }
 func GetBOAuthZ() (string, bool) {
 	boauthz := conf.Get("oauth").GetString()
 	return boauthz, boauthz != ""
@@ -35,6 +41,10 @@ func GetAuth() (string, string, bool) {
 	return user, pass, user != "" && pass != ""
 }
 func GetTrim() string {
 	return conf.Get("trim").GetString()
 }
 func GetPort() string {
 	port := conf.Get("p").GetInt()
 	return ":" + fmt.Sprint(port)
@@ -78,3 +88,27 @@ func GetTimeout() time.Duration {
 	timeout := conf.Get("timeout").GetDuration()
 	return timeout
 }
 func GetCORS(key string) bool {
 	cors := conf.GetString("cors")
 	var m map[string]bool
 	if err := json.Unmarshal([]byte(cors), &m); err != nil {
 		return false
 	}
 	_, ok := m[key]
 	return ok
 }
 func GetNoPath(key string) bool {
 	nopath := conf.GetString("nopath")
 	var m map[string]bool
 	if err := json.Unmarshal([]byte(nopath), &m); err != nil {
 		return false
 	}
 	_, ok := m[key]
 	return ok
 }
 func GetCompression() bool {
 	return conf.GetBool("compression")
 }
--- a/config/new.go
+++ b/config/new.go
@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"local/args"
 	"local/logb"
 	"log"
 	"os"
 	"strings"
@@ -26,6 +27,7 @@ func Refresh() error {
 		return err
 	}
 	conf = as
 	logb.Set(logb.LevelFromString(as.GetString("level")))
 	return nil
 }
@@ -42,12 +44,18 @@ func parseArgs() (*args.ArgSet, error) {
 	as.Append(args.INT, "ap", "alt port for always http service", 51556)
 	as.Append(args.INT, "r", "rate per second for requests", 100)
 	as.Append(args.INT, "b", "burst requests", 100)
 	as.Append(args.BOOL, "compress", "enable compression", true)
 	as.Append(args.STRING, "crt", "path to crt for ssl", "")
 	as.Append(args.STRING, "key", "path to key for ssl", "")
 	as.Append(args.STRING, "trim", "path prefix to trim, like '/abc' to change '/abc/def' to '/def'", "")
 	as.Append(args.STRING, "tcp", "address for tcp only tunnel", "")
 	as.Append(args.DURATION, "timeout", "timeout for tunnel", time.Minute)
-	as.Append(args.STRING, "proxy", "double-comma separated (+ if oauth)from,scheme://to.tld:port,oauth,,", "")
+	as.Append(args.STRING, "proxy", "double-comma separated (+ if auth)from,scheme://to.tld:port,,", "")
 	as.Append(args.STRING, "oauth", "url for boauthz", "")
 	as.Append(args.STRING, "authelia", "url for authelia", "")
 	as.Append(args.STRING, "cors", "json dict key:true for keys to set CORS permissive headers, like {\"from\":true}", "{}")
 	as.Append(args.STRING, "nopath", "json dict key:true for keys to remove all path info from forwarded request, like -cors", "{}")
 	as.Append(args.STRING, "level", "log level", "info")
 	err := as.Parse()
 	return as, err
--- a/server/new.go
+++ b/server/new.go
@@ -11,10 +11,13 @@ func New() *Server {
 	port := config.GetPort()
 	altport := config.GetAltPort()
 	r, b := config.GetRate()
-	return &Server{
+	server := &Server{
 		db:      storage.NewMap(),
 		addr:    port,
 		altaddr: altport,
 		limiter: rate.NewLimiter(rate.Limit(r), b),
 	}
 	_, server.auth.BOAuthZ = config.GetBOAuthZ()
 	_, server.auth.Authelia = config.GetAuthelia()
 	return server
 }
--- a/server/proxy.go
+++ b/server/proxy.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"crypto/tls"
 	"io"
 	"local/rproxy3/config"
 	"local/rproxy3/storage/packable"
 	"log"
 	"net/http"
@@ -25,6 +26,7 @@ type rewrite struct {
 func (s *Server) Proxy(w http.ResponseWriter, r *http.Request) {
 	newURL, err := s.lookup(mapKey(r.Host))
 	r.URL.Path = strings.TrimPrefix(r.URL.Path, config.GetTrim())
 	var transport http.RoundTripper
 	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	transport = &redirPurge{
@@ -37,7 +39,7 @@ func (s *Server) Proxy(w http.ResponseWriter, r *http.Request) {
 		log.Printf("unknown host lookup %q", r.Host)
 		return
 	}
-	r.Host = newURL.Host
+	//r.Host = newURL.Host
 	proxy := httputil.NewSingleHostReverseProxy(newURL)
 	proxy.Transport = transport
 	proxy.ServeHTTP(w, r)
@@ -49,7 +51,7 @@ func (s *Server) lookup(host string) (*url.URL, error) {
 	return v.URL(), err
 }
-func (s *Server) lookupBOAuthZ(host string) (bool, error) {
+func (s *Server) lookupAuth(host string) (bool, error) {
 	v := packable.NewString()
 	err := s.db.Get(nsBOAuthZ, host, v)
 	return v.String() == "true", err
@@ -69,6 +71,8 @@ func (rp *redirPurge) RoundTrip(r *http.Request) (*http.Response, error) {
 	if loc := resp.Header.Get("Location"); loc != "" {
 		resp.Header.Set("Location", strings.Replace(loc, rp.targetHost, rp.proxyHost, 1))
 	}
 	// google floc https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
 	resp.Header.Set("Permissions-Policy", "interest-cohort=()")
 	return resp, err
 }
--- a/server/server.go
+++ b/server/server.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"local/logb"
 	"local/oauth2/oauth2client"
 	"local/rproxy3/config"
 	"local/rproxy3/storage"
@@ -15,6 +16,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
 	"path"
 	"strings"
 	"time"
@@ -51,6 +53,10 @@ type Server struct {
 	username string
 	password string
 	limiter  *rate.Limiter
 	auth     struct {
 		BOAuthZ  bool
 		Authelia bool
 	}
 }
 func (s *Server) Route(src string, dst config.Proxy) error {
@@ -98,8 +104,106 @@ func (s *Server) Run() error {
 	return errors.New("did not load server")
 }
-func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
+func (s *Server) doAuthelia(foo http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		authelia, ok := config.GetAuthelia()
 		if !ok {
 			panic("howd i get here")
 		}
 		url, err := url.Parse(authelia)
 		if err != nil {
 			panic(fmt.Sprintf("bad config for authelia url: %v", err))
 		}
 		url.Path = "/api/verify"
 		logb.Verbosef("authelia @ %s", url.String())
 		req, err := http.NewRequest(http.MethodGet, url.String(), nil)
 		if err != nil {
 			panic(err.Error())
 		}
 		r2 := r.Clone(r.Context())
 		if r2.URL.Host == "" {
 			r2.URL.Host = r2.Host
 		}
 		if r2.URL.Scheme == "" {
 			r2.URL.Scheme = "https"
 		}
 		for _, httpreq := range []*http.Request{r, req} {
 			for k, v := range map[string]string{
 				"X-Original-Url":    r2.URL.String(),
 				"X-Forwarded-Proto": r2.URL.Scheme,
 				"X-Forwarded-Host":  r2.URL.Host,
 				"X-Forwarded-Uri":   r2.URL.String(),
 			} {
 				if _, ok := httpreq.Header[k]; !ok {
 					logb.Verbosef("authelia header setting %s:%s", k, v)
 					httpreq.Header.Set(k, v)
 				}
 			}
 		}
 		if cookie, err := r.Cookie("authelia_session"); err == nil {
 			logb.Verbosef("authelia session found in cookies; %+v", cookie)
 			req.AddCookie(cookie)
 		}
 		c := &http.Client{
 			Timeout: time.Minute,
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 			},
 		}
 		autheliaKey := mapKey(req.Host)
 		logb.Verbosef("request to %s is authelia %s? %v", r.Host, autheliaKey, strings.HasPrefix(r.Host, autheliaKey))
 		if strings.HasPrefix(r.Host, autheliaKey) {
 			logb.Debugf("no authelia for %s because it has prefix %s", r.Host, autheliaKey)
 			foo(w, r)
 			return
 		}
 		resp, err := c.Do(req)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
 		logb.Debugf(
 			"authelia: %+v, %+v \n\t-> \n\t(%d) %+v, %+v",
 			req,
 			req.Cookies(),
 			resp.StatusCode,
 			resp.Header,
 			resp.Cookies(),
 		)
 		defer resp.Body.Close()
 		if resp.StatusCode == http.StatusOK {
 			for k := range resp.Header {
 				if strings.HasPrefix(k, "Remote-") {
 					cookie := &http.Cookie{
 						Name:     k,
 						Value:    resp.Header.Get(k),
 						Path:     "/",
 						SameSite: http.SameSiteLaxMode,
 						Expires:  time.Now().Add(24 * time.Hour * 30),
 					}
 					logb.Verbosef("setting authelia cookie in response: %+v", cookie)
 					http.SetCookie(w, cookie)
 					logb.Verbosef("setting authelia cookie in request: %+v", cookie)
 					r.AddCookie(cookie)
 				}
 			}
 			foo(w, r)
 			return
 		}
 		url.Path = ""
 		q := url.Query()
 		q.Set("rd", r2.URL.String())
 		url.RawQuery = q.Encode()
 		logb.Verbosef("authelia status %d, rd'ing %s", resp.StatusCode, url.String())
 		http.Redirect(w, r, url.String(), http.StatusFound)
 	}
 }
 func (s *Server) doBOAuthZ(foo http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		key := mapKey(r.Host)
 		rusr, rpwd, ok := config.GetAuth()
 		if ok {
 			usr, pwd, ok := r.BasicAuth()
@@ -109,8 +213,7 @@ func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
 				return
 			}
 		}
-		key := mapKey(r.Host)
+		ok, err := s.lookupAuth(key)
 		ok, err := s.lookupBOAuthZ(key)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			return
@@ -121,6 +224,9 @@ func (s *Server) doAuth(foo http.HandlerFunc) http.HandlerFunc {
 				return
 			}
 		}
 		if config.GetNoPath(key) && path.Ext(r.URL.Path) == "" {
 			r.URL.Path = "/"
 		}
 		foo(w, r)
 	}
 }
@@ -163,7 +269,19 @@ func (s *Server) Pre(foo http.HandlerFunc) http.HandlerFunc {
 			w.WriteHeader(http.StatusTooManyRequests)
 			return
 		}
-		s.doAuth(foo)(w, r)
+		w, did := s.doCORS(w, r)
 		if did {
 			return
 		}
 		if s.auth.BOAuthZ {
 			logb.Verbosef("doing boauthz for request to %s", r.URL.String())
 			s.doBOAuthZ(foo)(w, r)
 		} else if s.auth.Authelia {
 			logb.Verbosef("doing authelia for request to %s", r.URL.String())
 			s.doAuthelia(foo)(w, r)
 		} else {
 			foo(w, r)
 		}
 	}
 }
@@ -171,6 +289,31 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	s.Pre(s.Proxy)(w, r)
 }
 type corsResponseWriter struct {
 	http.ResponseWriter
 }
 func (cb corsResponseWriter) WriteHeader(code int) {
 	cb.Header().Set("Access-Control-Allow-Origin", "*")
 	cb.Header().Set("Access-Control-Allow-Headers", "X-Auth-Token, content-type, Content-Type")
 	cb.ResponseWriter.WriteHeader(code)
 }
 func (s *Server) doCORS(w http.ResponseWriter, r *http.Request) (http.ResponseWriter, bool) {
 	key := mapKey(r.Host)
 	if !config.GetCORS(key) {
 		return w, false
 	}
 	w = corsResponseWriter{ResponseWriter: w}
 	if r.Method != "OPTIONS" {
 		return w, false
 	}
 	w.Header().Set("Content-Length", "0")
 	w.Header().Set("Content-Type", "text/plain")
 	w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS, TRACE, PATCH, HEAD, DELETE")
 	return w, true
 }
 func getProxyAuth(r *http.Request) (string, string) {
 	proxyAuthHeader := r.Header.Get("Proxy-Authorization")
 	proxyAuthB64 := strings.TrimPrefix(proxyAuthHeader, "Basic ")
Author	SHA1	Message	Date
bel	38f19408c2	cors ensures only ONE access control allow origin header set	2022-05-26 19:04:28 -06:00
Bel LaPointe	f28211e722	impl trim	2022-01-11 15:58:27 -05:00
Bel LaPointe	ef3abbbf07	authelia attempt failed	2021-04-18 12:20:19 -05:00
Bel LaPointe	af240639cb	backend gets cookie identifying user	2021-03-21 13:12:11 -05:00
Bel LaPointe	c623792c2f	NOW authelia supported	2021-03-21 13:03:04 -05:00
Bel LaPointe	cebb518e05	impl authelia I think	2021-03-21 12:44:21 -05:00
Bel LaPointe	177e0d88da	dont rewrite	2020-07-31 23:15:58 -06:00
Bel LaPointe	9b0bccd9ca	CORS for DELETE	2020-07-25 19:32:59 -06:00
Bel LaPointe	1af274dc1d	Add redirect things for dumb js apps	2020-07-25 02:28:57 -06:00
Bel LaPointe	ec1e0cdf2e	Add nopath for vue things	2020-07-25 02:23:04 -06:00