From 0537dd63d4c2836e77d459bc4099175c4a5d47af Mon Sep 17 00:00:00 2001
From: Travis Groth
Date: Mon, 21 Sep 2020 15:58:46 -0400
Subject: [PATCH] proxy: always use https for application callback (#1433)

---
 proxy/forward_auth.go | 5 +++--
 proxy/forward_auth_test.go | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/proxy/forward_auth.go b/proxy/forward_auth.go
index 597ef840c..0d55a118f 100644
--- a/proxy/forward_auth.go
+++ b/proxy/forward_auth.go
@@ -168,10 +168,11 @@ func getURIStringFromRequest(r *http.Request) (*url.URL, error) {
 // or inferred from forwarding headers
 uriString := r.FormValue("uri")
 if uriString == "" {
- if r.Header.Get(httputil.HeaderForwardedProto) == "" || r.Header.Get(httputil.HeaderForwardedHost) == "" {
+ if r.Header.Get(httputil.HeaderForwardedHost) == "" {
 return nil, errors.New("no uri to validate")
 }
- uriString = r.Header.Get(httputil.HeaderForwardedProto) + "://" +
+ // Always assume HTTPS for application callback
+ uriString = "https://" +
 r.Header.Get(httputil.HeaderForwardedHost) +
 r.Header.Get(httputil.HeaderForwardedURI)
 }
diff --git a/proxy/forward_auth_test.go b/proxy/forward_auth_test.go
index 1465bcc63..9e3bfde9e 100644
--- a/proxy/forward_auth_test.go
+++ b/proxy/forward_auth_test.go
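Review bot: The comment added above the new `uriString = "https://" +` assignment states what the code does but not why the forwarded protocol header is now read nowhere in this branch, so a maintainer who later sees a request carrying an `http` forwarded proto will be tempted to "fix" it back. Suggest `// The application callback is always served over HTTPS, so the forwarded proto header is deliberately ignored; only the forwarded host and URI are used to rebuild the callback URL (#1433).` getURIStringFromRequest starts before this hunk and its body continues after it, so its doc comment (outside the hunk) should carry the same statement. Since the URL is now assembled solely from forwarding headers, that doc comment is also the right place to note that the result is only as trustworthy as the proxy that sets the forwarded host header on the way in.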
@@ -75,6 +75,7 @@ func TestProxy_ForwardAuth(t *testing.T) {
 {"bad traefik callback bad session", opts, nil, http.MethodGet, map[string]string{httputil.HeaderForwardedURI: "https://some.domain.example?" + urlutil.QuerySessionEncrypted + "=" + goodEncryptionString + "garbage"}, nil, "https://some.domain.example/", "https://some.domain.example", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, allowClient, http.StatusBadRequest, ""},
 {"bad traefik callback bad url", opts, nil, http.MethodGet, map[string]string{httputil.HeaderForwardedURI: urlutil.QuerySessionEncrypted + ""}, nil, "https://some.domain.example/", "https://some.domain.example", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, allowClient, http.StatusBadRequest, ""},
 {"good traefik verify uri from headers", opts, nil, http.MethodGet, map[string]string{httputil.HeaderForwardedProto: "https", httputil.HeaderForwardedHost: "some.domain.example:8080"}, nil, "https://some.domain.example/", "", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, allowClient, http.StatusOK, ""},
+ {"good traefik verify uri from insecure headers", opts, nil, http.MethodGet, map[string]string{httputil.HeaderForwardedProto: "http", httputil.HeaderForwardedHost: "some.domain.example:8080"}, nil, "https://some.domain.example/", "", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, allowClient, http.StatusOK, ""},
 //
 // nginx
 {"good nginx callback redirect", opts, nil, http.MethodGet, nil, map[string]string{urlutil.QueryRedirectURI: "https://some.domain.example/", urlutil.QuerySessionEncrypted: goodEncryptionString}, "https://some.domain.example/", "https://some.domain.example", &mock.Encoder{}, &mstore.Store{Session: &sessions.State{Expiry: 
jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}}, allowClient, http.StatusFound, ""},
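Review bot: The added "good traefik verify uri from insecure headers" case still sends a forwarded proto header (`"http"`), so the behaviour the commit actually changed in forward_auth.go — a request with the forwarded host set and no forwarded proto header at all, which the old check rejected with "no uri to validate" and the new code accepts — is not pinned by any case in this table. Suggest one more row alongside it, differing only in its header map, `map[string]string{httputil.HeaderForwardedHost: "some.domain.example:8080"}`, with the same expected `http.StatusOK`. A companion row with only the forwarded proto header and no host, expecting the existing error path, would document that that rejection was intentionally kept. TestProxy_ForwardAuth starts before this hunk and the table continues after it.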