forward-auth: fix special character support for nginx (#1578)

.devcontainer/envs/nginx.yaml

@@ -1,7 +1,7 @@
 version: "3"
 services:
   nginx:
-    image: nginx
+    image: openresty/openresty
     restart: unless-stopped
     ports:
       - "80:80"

authorize/grpc.go

@@ -48,7 +48,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v2.CheckRe
 		fwdAuthURI := getForwardAuthURL(hreq)
 		in.Attributes.Request.Http.Scheme = fwdAuthURI.Scheme
 		in.Attributes.Request.Http.Host = fwdAuthURI.Host
-		in.Attributes.Request.Http.Path = fwdAuthURI.Path
+		in.Attributes.Request.Http.Path = fwdAuthURI.EscapedPath()
 		if fwdAuthURI.RawQuery != "" {
 			in.Attributes.Request.Http.Path += "?" + fwdAuthURI.RawQuery
 		}
@@ -194,8 +194,13 @@ func getForwardAuthURL(r *http.Request) *url.URL {
 			Path:   r.Header.Get(httputil.HeaderForwardedURI),
 		}
 	}
-	// todo(bdd): handle httputil.HeaderOriginalURL which incorporates
-	// 			  path and query params
+	originalURL := r.Header.Get(httputil.HeaderOriginalURL)
+	if originalURL != "" {
+		k, _ := urlutil.ParseAndValidateURL(originalURL)
+		if k != nil {
+			u = k
+		}
+	}
 	return u
 }
 

examples/nginx/httpbin.conf

@@ -37,7 +37,8 @@ server {
     client_max_body_size 1m;
 
     # Pass the extracted client certificate to the auth provider
-    set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri;
+
+    set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;
     proxy_pass $target;
   }
 
@@ -45,7 +46,7 @@ server {
     internal;
     add_header Set-Cookie $auth_cookie;
     return 302
-      https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri;
+      https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri&rd=$pass_access_scheme://$http_host$escaped_request_uri;
   }
 
   location / {

examples/nginx/proxy.conf

@@ -19,6 +19,8 @@ proxy_set_header Upgrade $http_upgrade;
 
 proxy_set_header Connection "";
 
+set_escape_uri $escaped_request_uri $request_uri;
+
 # proxy_set_header X-Request-ID $req_id;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $remote_addr;

proxy/forward_auth.go

@@ -16,7 +16,6 @@ import (
 // see : https://www.pomerium.io/configuration/#forward-auth
 func (p *Proxy) registerFwdAuthHandlers() http.Handler {
 	r := httputil.NewRouter()
-
 	// NGNIX's forward-auth capabilities are split across two settings:
 	// `auth-url` and `auth-signin` which correspond to `verify` and `auth-url`
 	//
@@ -46,9 +45,9 @@ func (p *Proxy) registerFwdAuthHandlers() http.Handler {
 	r.Handle("/", httputil.HandlerFunc(p.startAuthN)).
 		Queries(urlutil.QueryForwardAuthURI, "{uri}")
 
-	// nginx 2 / traefik 1: verify and then start authenticate flow
-	r.Handle("/", httputil.HandlerFunc(p.allowUpstream))
-
+	// otherwise, send a 200 OK for any other route.
+	// these routes do _not_ enforce authZ, they are helper routes.
+	r.NotFoundHandler = httputil.HandlerFunc(p.allowUpstream)
 	return r
 }