Add support for https in proxy request for external authentication

2017-04-24 22:14:38 -03:00 · 2017-04-24 22:14:38 -03:00 · ab1f04b9c2
commit ab1f04b9c2
parent db4cbac2e8
2 changed files with 24 additions and 4 deletions
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -199,6 +199,8 @@ http {
    # In case of errors try the next upstream server before returning an error
    proxy_next_upstream                     error timeout invalid_header http_502 http_503 http_504{{ if $cfg.RetryNonIdempotent }} non_idempotent{{ end }};

+    proxy_ssl_session_reuse on;
+
    {{range $name, $upstream := $backends}}
    upstream {{$upstream.Name}} {
        {{ if eq $upstream.SessionAffinity.AffinityType "cookie" }}
@ -273,11 +275,14 @@ http {
            proxy_set_header            Content-Length "";
            {{ end }}
            {{ if not (empty $location.ExternalAuth.Method) }}
-            proxy_method {{ $location.ExternalAuth.Method }};
-            proxy_set_header X-Original-URI $request_uri;
-            proxy_set_header X-Scheme       $pass_access_scheme;
+            proxy_method                {{ $location.ExternalAuth.Method }};
+            proxy_set_header            X-Original-URI $request_uri;
+            proxy_set_header            X-Scheme       $pass_access_scheme;
            {{ end }}
            proxy_pass_request_headers  on;
+            proxy_set_header            Host {{ $location.ExternalAuth.Host }};
+            proxy_ssl_server_name       on;            
+
            set $target {{ $location.ExternalAuth.URL }};
            proxy_pass $target;
        }
--- a/core/pkg/ingress/annotations/authreq/main.go
+++ b/core/pkg/ingress/annotations/authreq/main.go
@ -38,7 +38,9 @@ const (

 // External returns external authentication configuration for an Ingress rule
 type External struct {
-	URL             string   `json:"url"`
+	URL string `json:"url"`
+	// Host contains the hostname defined in the URL
+	Host            string   `json:"host"`
 	SigninURL       string   `json:"signinUrl"`
 	Method          string   `json:"method"`
 	SendBody        bool     `json:"sendBody"`
@ -129,9 +131,22 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {

 	return &External{
 		URL:             str,
+		Host:            stripPort(ur.Host),
 		SigninURL:       signin,
 		Method:          m,
 		SendBody:        sb,
 		ResponseHeaders: h,
 	}, nil
 }
+
+// TODO: Remove after upgrade to Go 1.8
+func stripPort(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return hostport
+	}
+	if i := strings.IndexByte(hostport, ']'); i != -1 {
+		return strings.TrimPrefix(hostport[:i], "[")
+	}
+	return hostport[:colon]
+}