diff --git a/.devcontainer/envs/nginx.yaml b/.devcontainer/envs/nginx.yaml
index 40e443c17..c79504f35 100644
--- a/.devcontainer/envs/nginx.yaml
+++ b/.devcontainer/envs/nginx.yaml
@@ -1,7 +1,7 @@
 version: "3"
 services:
 nginx:
- image: nginx
+ image: openresty/openresty
 restart: unless-stopped
 ports:
 - "80:80"
diff --git a/authorize/grpc.go b/authorize/grpc.go
index 7345a088b..0e960ee22 100644
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@@ -48,7 +48,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v2.CheckRe
 fwdAuthURI := getForwardAuthURL(hreq)
 in.Attributes.Request.Http.Scheme = fwdAuthURI.Scheme
 in.Attributes.Request.Http.Host = fwdAuthURI.Host
- in.Attributes.Request.Http.Path = fwdAuthURI.Path
+ in.Attributes.Request.Http.Path = fwdAuthURI.EscapedPath()
 if fwdAuthURI.RawQuery != "" {
 in.Attributes.Request.Http.Path += "?" + fwdAuthURI.RawQuery
 }
@@ -194,8 +194,13 @@ func getForwardAuthURL(r *http.Request) *url.URL {
 Path: r.Header.Get(httputil.HeaderForwardedURI),
 }
 }
- // todo(bdd): handle httputil.HeaderOriginalURL which incorporates
- // path and query params
+ originalURL := r.Header.Get(httputil.HeaderOriginalURL)
+ if originalURL != "" {
+ k, _ := urlutil.ParseAndValidateURL(originalURL)
+ if k != nil {
+ u = k
+ }
+ }
 return u
 }
diff --git a/examples/nginx/httpbin.conf b/examples/nginx/httpbin.conf
index aabd52c32..a92e7b2e5 100644
--- a/examples/nginx/httpbin.conf
+++ b/examples/nginx/httpbin.conf
@@ -37,7 +37,8 @@ server {
 client_max_body_size 1m;
 # Pass the extracted client certificate to the auth provider
- set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri;
+
+ set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;
 proxy_pass $target;
 }
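Review bot: `fwdAuthURI.EscapedPath()` yields an empty string when the URL assembled from the forwarded headers has no path component (for example an original-URL header value of the form `https://host` with no trailing slash), so the new line sets `Http.Path` to `""`, or to a bare `?query` once `RawQuery` is appended, a shape Envoy itself never produces for a real request. Whether the downstream policy evaluation treats that the same as `/` is not visible here, so I would normalise before assigning: `p := fwdAuthURI.EscapedPath(); if p == "" { p = "/" }` and then `in.Attributes.Request.Http.Path = p`. The enclosing `Check` method starts and continues outside this hunk.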
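Review bot: The error from `urlutil.ParseAndValidateURL(originalURL)` is discarded with `k, _ :=`, so a present-but-malformed original-URL header silently falls back to the URL built from the forwarded scheme/host/URI headers earlier in the function, and the authorization decision is then made on a URL other than the one the header claimed, with no trace of why. Since the signature only returns `*url.URL`, at minimum log the parse error at this point so a tampered or broken header is observable, and consider having the caller fail closed rather than fall back. The header also overrides the forwarded-header URL unconditionally, which is only safe when the fronting proxy sets it itself and strips any client-supplied copy; that trust assumption belongs in a comment above the block, e.g. `// HeaderOriginalURL takes precedence over the forwarded scheme/host/URI headers; it must be set by the trusted fronting proxy and never passed through from the client.` `getForwardAuthURL` starts outside this hunk, so the construction of `u` is not visible.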
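Review bot: The new `rd=` parameter uses `$escaped_request_uri` while the `uri=` parameter on the same `set $target` line still interpolates the raw `$request_uri`, so a request path or query containing `&` (or `#`) terminates the `uri` value early and the remainder, including `rd`, is attached to the wrong key when the verify endpoint parses the query string; use the escaped form for both: `set $target http://pomerium/verify?uri=$scheme://$http_host$escaped_request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;`. `$pass_access_scheme` is not a built-in nginx variable and is not defined anywhere in this diff, so unless it is set elsewhere in the example config nginx will refuse to load with an unknown-variable error; either define it (`set $pass_access_scheme $scheme;`) or use `$scheme` directly. Both values are derived from the client-controlled `Host` header via `$http_host`, so the verify endpoint has to validate `rd` against its configured domains before honouring it as a redirect target.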
@@ -45,7 +46,7 @@ server {
 internal;
 add_header Set-Cookie $auth_cookie;
 return 302
- https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri;
+ https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;
 }
 location / {
diff --git a/examples/nginx/proxy.conf b/examples/nginx/proxy.conf
index 79d735c1f..17b086457 100644
--- a/examples/nginx/proxy.conf
+++ b/examples/nginx/proxy.conf
@@ -19,6 +19,8 @@ proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "";
+set_escape_uri $escaped_request_uri $request_uri;
+
 # proxy_set_header X-Request-ID $req_id;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $remote_addr;
diff --git a/proxy/forward_auth.go b/proxy/forward_auth.go
index 193afca1e..a784af902 100644
--- a/proxy/forward_auth.go
+++ b/proxy/forward_auth.go
@@ -16,7 +16,6 @@ import (
 // see : https://www.pomerium.io/configuration/#forward-auth
 func (p *Proxy) registerFwdAuthHandlers() http.Handler {
 r := httputil.NewRouter()
-
 // NGNIX's forward-auth capabilities are split across two settings:
 // `auth-url` and `auth-signin` which correspond to `verify` and `auth-url`
 //
@@ -46,9 +45,9 @@ func (p *Proxy) registerFwdAuthHandlers() http.Handler {
 r.Handle("/", httputil.HandlerFunc(p.startAuthN)).
 Queries(urlutil.QueryForwardAuthURI, "{uri}")
- // nginx 2 / traefik 1: verify and then start authenticate flow
- r.Handle("/", httputil.HandlerFunc(p.allowUpstream))
-
+ // otherwise, send a 200 OK for any other route.
+ // these routes do _not_ enforce authZ, they are helper routes.
+ r.NotFoundHandler = httputil.HandlerFunc(p.allowUpstream)
 return r
 }
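Review bot: The redirect `Location` mixes `$host` for `uri=` with `$http_host` for `rd=`, and again only the `rd` value is escaped: the raw `$request_uri` in `uri=` can contain `&`, which ends the `uri` parameter early and leaves the rest, `rd` included, parsed under the wrong key. I would build both parameters from the same variables and escape both: `https://fwdauth.localhost.pomerium.io/?uri=$scheme://$http_host$escaped_request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;`. Note also that `$host` drops the port and normalises case while `$http_host` is the raw `Host` header, so on a non-default port the two values name different origins, and `$pass_access_scheme` is not defined anywhere in this diff.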
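Review bot: `set_escape_uri` is provided by the set-misc-nginx-module (bundled with OpenResty), not by stock nginx, so this example no longer loads on a plain `nginx` image; that is presumably why the devcontainer image was switched in this same commit, but the example file itself does not say so. Add a comment above the directive, e.g. `# set_escape_uri requires the set-misc-nginx-module (bundled with OpenResty); it percent-encodes $request_uri so it can be embedded as a single query-string value (used by the rd= parameter in httpbin.conf).`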
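Review bot: Installing `allowUpstream` as the `NotFoundHandler` turns every request the router does not match into a 200, and under nginx `auth_request` (or Traefik forward-auth) a 2xx from this endpoint means "allow"; the previous `r.Handle("/", …)` had the same fall-through but, if the router is exact-match as it appears, only for the bare `/` path, whereas the new catch-all extends it to any path. In particular a verify request whose `uri` query parameter is missing because of a proxy misconfiguration never reaches `startAuthN` and is answered with the fail-open 200. I would have the fallback return a 4xx (or at least log at warning level) and keep the unconditional 200 only for explicitly registered helper routes, and expand the new comment to name which routes are expected to hit it rather than "any other route". `registerFwdAuthHandlers` starts outside this hunk, so the other registered routes and the body of `allowUpstream` are not visible here.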