Merge pull request #1435 from aledbf/master
Add header to upstream server for external authentication
commit
cb77efeb02
3 changed files with 4 additions and 37 deletions
|
@ -22,7 +22,6 @@ import (
|
|||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/url"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strconv"
|
||||
|
@ -150,7 +149,6 @@ var (
|
|||
"serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} {
|
||||
return struct{ First, Second interface{} }{all, server}
|
||||
},
|
||||
"buildAuthSignURL": buildAuthSignURL,
|
||||
"isValidClientBodyBufferSize": isValidClientBodyBufferSize,
|
||||
"buildForwardedFor": buildForwardedFor,
|
||||
}
|
||||
|
@ -567,22 +565,6 @@ func buildNextUpstream(input interface{}) string {
|
|||
return strings.Join(nextUpstreamCodes, " ")
|
||||
}
|
||||
|
||||
func buildAuthSignURL(input interface{}) string {
|
||||
s, ok := input.(string)
|
||||
if !ok {
|
||||
glog.Errorf("expected an 'string' type but %T was returned", input)
|
||||
return ""
|
||||
}
|
||||
|
||||
u, _ := url.Parse(s)
|
||||
q := u.Query()
|
||||
if len(q) == 0 {
|
||||
return fmt.Sprintf("%v?rd=$request_uri", s)
|
||||
}
|
||||
|
||||
return fmt.Sprintf("%v&rd=$request_uri", s)
|
||||
}
|
||||
|
||||
// buildRandomUUID return a random string to be used in the template
|
||||
func buildRandomUUID() string {
|
||||
s := uuid.New()
|
||||
|
|
|
@ -310,24 +310,6 @@ func TestBuildResolvers(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestBuildAuthSignURL(t *testing.T) {
|
||||
urlOne := "http://google.com"
|
||||
validUrlOne := "http://google.com?rd=$request_uri"
|
||||
|
||||
urlTwo := "http://google.com?cat"
|
||||
validUrlTwo := "http://google.com?cat&rd=$request_uri"
|
||||
|
||||
authSignURLOne := buildAuthSignURL(urlOne)
|
||||
if authSignURLOne != validUrlOne {
|
||||
t.Errorf("Expected '%v' but returned '%v'", validUrlOne, authSignURLOne)
|
||||
}
|
||||
|
||||
authSignURLTwo := buildAuthSignURL(urlTwo)
|
||||
if authSignURLTwo != validUrlTwo {
|
||||
t.Errorf("Expected '%v' but returned '%v'", validUrlTwo, authSignURLTwo)
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildNextUpstream(t *testing.T) {
|
||||
nextUpstream := "timeout http_500 http_502 non_idempotent"
|
||||
validNextUpstream := "timeout http_500 http_502"
|
||||
|
|
|
@ -687,7 +687,7 @@ stream {
|
|||
{{ end }}
|
||||
|
||||
{{ if not (empty $location.ExternalAuth.SigninURL) }}
|
||||
error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
|
||||
error_page 401 = $location.ExternalAuth.SigninURL;
|
||||
{{ end }}
|
||||
|
||||
{{/* if the location contains a rate limit annotation, create one */}}
|
||||
|
@ -746,6 +746,9 @@ stream {
|
|||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header X-Scheme $pass_access_scheme;
|
||||
|
||||
{{/* This header is used for external authentication */}}
|
||||
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||||
|
||||
# mitigate HTTPoxy Vulnerability
|
||||
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
|
||||
proxy_set_header Proxy "";
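Review bot: The replacement `error_page` line in the first hunk of this template has no template action around `$location.ExternalAuth.SigninURL`, so the Go template emits that text literally. nginx then sees a reference to a variable named `$location`, not the configured sign-in URL, and will likely reject the config or fail to redirect on 401. Assuming this is the added line (the `buildAuthSignURL` helper used by the other variant is deleted elsewhere in this commit), it should read `error_page 401 = {{ $location.ExternalAuth.SigninURL }};`. With the `rd=$request_uri` suffix gone, the post-login return target travels only in `X-Auth-Request-Redirect`, which carries the client-supplied request URI. The comment above that header could state that the authentication service must accept the value only as a same-host path.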
|
||||
|
|