Merge branch v2.4 into master

pkg/middlewares/auth/forward.go

@@ -26,6 +26,18 @@ const (
 	forwardedTypeName = "ForwardedAuthType"
 )
 
+// hopHeaders Hop-by-hop headers to be removed in the authentication request.
+// http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
+// Proxy-Authorization header is forwarded to the authentication server (see https://tools.ietf.org/html/rfc7235#section-4.4).
+var hopHeaders = []string{
+	forward.Connection,
+	forward.KeepAlive,
+	forward.Te, // canonicalized version of "TE"
+	forward.Trailers,
+	forward.TransferEncoding,
+	forward.Upgrade,
+}
+
 type forwardAuth struct {
 	address                  string
 	authResponseHeaders      []string
@@ -131,7 +143,7 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		logger.Debugf("Remote error %s. StatusCode: %d", fa.address, forwardResponse.StatusCode)
 
 		utils.CopyHeaders(rw.Header(), forwardResponse.Header)
-		utils.RemoveHeaders(rw.Header(), forward.HopHeaders...)
+		utils.RemoveHeaders(rw.Header(), hopHeaders...)
 
 		// Grab the location header, if any.
 		redirectURL, err := forwardResponse.Location()
@@ -187,7 +199,7 @@ func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 func writeHeader(req, forwardReq *http.Request, trustForwardHeader bool, allowedHeaders []string) {
 	utils.CopyHeaders(forwardReq.Header, req.Header)
-	utils.RemoveHeaders(forwardReq.Header, forward.HopHeaders...)
+	utils.RemoveHeaders(forwardReq.Header, hopHeaders...)
 
 	forwardReq.Header = filterForwardRequestHeaders(forwardReq.Header, allowedHeaders)
 

pkg/middlewares/auth/forward_test.go

@@ -26,6 +26,7 @@ func TestForwardAuthFail(t *testing.T) {
 	})
 
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set(forward.ProxyAuthenticate, "test")
 		http.Error(w, "Forbidden", http.StatusForbidden)
 	}))
 	t.Cleanup(server.Close)
@@ -48,6 +49,7 @@ func TestForwardAuthFail(t *testing.T) {
 	err = res.Body.Close()
 	require.NoError(t, err)
 
+	assert.Equal(t, "test", res.Header.Get(forward.ProxyAuthenticate))
 	assert.Equal(t, "Forbidden\n", string(body))
 }
 
@@ -142,7 +144,7 @@ func TestForwardAuthRedirect(t *testing.T) {
 func TestForwardAuthRemoveHopByHopHeaders(t *testing.T) {
 	authTs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		headers := w.Header()
-		for _, header := range forward.HopHeaders {
+		for _, header := range hopHeaders {
 			if header == forward.TransferEncoding {
 				headers.Set(header, "chunked")
 			} else {
@@ -367,11 +369,13 @@ func Test_writeHeader(t *testing.T) {
 			},
 			trustForwardHeader: false,
 			expectedHeaders: map[string]string{
-				"X-CustomHeader":     "CustomHeader",
-				"X-Forwarded-Proto":  "http",
-				"X-Forwarded-Host":   "foo.bar",
-				"X-Forwarded-Uri":    "/path?q=1",
-				"X-Forwarded-Method": "GET",
+				"X-CustomHeader":           "CustomHeader",
+				"X-Forwarded-Proto":        "http",
+				"X-Forwarded-Host":         "foo.bar",
+				"X-Forwarded-Uri":          "/path?q=1",
+				"X-Forwarded-Method":       "GET",
+				forward.ProxyAuthenticate:  "ProxyAuthenticate",
+				forward.ProxyAuthorization: "ProxyAuthorization",
 			},
 			checkForUnexpectedHeaders: true,
 		},

pkg/middlewares/forwardedheaders/forwarded_header.go

@@ -84,19 +84,28 @@ func (x *XForwarded) isTrustedIP(ip string) bool {
 // removeIPv6Zone removes the zone if the given IP is an ipv6 address and it has {zone} information in it,
 // like "[fe80::d806:a55d:eb1b:49cc%vEthernet (vmxnet3 Ethernet Adapter - Virtual Switch)]:64692".
 func removeIPv6Zone(clientIP string) string {
-	return strings.Split(clientIP, "%")[0]
+	if idx := strings.Index(clientIP, "%"); idx != -1 {
+		return clientIP[:idx]
+	}
+	return clientIP
 }
 
 // isWebsocketRequest returns whether the specified HTTP request is a websocket handshake request.
 func isWebsocketRequest(req *http.Request) bool {
 	containsHeader := func(name, value string) bool {
-		items := strings.Split(req.Header.Get(name), ",")
-		for _, item := range items {
-			if value == strings.ToLower(strings.TrimSpace(item)) {
+		h := unsafeHeader(req.Header).Get(name)
+		for {
+			pos := strings.Index(h, ",")
+			if pos == -1 {
+				return strings.EqualFold(value, strings.TrimSpace(h))
+			}
+
+			if strings.EqualFold(value, strings.TrimSpace(h[:pos])) {
 				return true
 			}
+
+			h = h[pos:]
 		}
-		return false
 	}
 	return containsHeader(connection, "upgrade") && containsHeader(upgrade, "websocket")
 }
@@ -110,7 +119,7 @@ func forwardedPort(req *http.Request) string {
 		return port
 	}
 
-	if req.Header.Get(xForwardedProto) == "https" || req.Header.Get(xForwardedProto) == "wss" {
+	if unsafeHeader(req.Header).Get(xForwardedProto) == "https" || unsafeHeader(req.Header).Get(xForwardedProto) == "wss" {
 		return "443"
 	}
 
@@ -125,38 +134,38 @@ func (x *XForwarded) rewrite(outreq *http.Request) {
 	if clientIP, _, err := net.SplitHostPort(outreq.RemoteAddr); err == nil {
 		clientIP = removeIPv6Zone(clientIP)
 
-		if outreq.Header.Get(xRealIP) == "" {
-			outreq.Header.Set(xRealIP, clientIP)
+		if unsafeHeader(outreq.Header).Get(xRealIP) == "" {
+			unsafeHeader(outreq.Header).Set(xRealIP, clientIP)
 		}
 	}
 
-	xfProto := outreq.Header.Get(xForwardedProto)
+	xfProto := unsafeHeader(outreq.Header).Get(xForwardedProto)
 	if xfProto == "" {
 		if isWebsocketRequest(outreq) {
 			if outreq.TLS != nil {
-				outreq.Header.Set(xForwardedProto, "wss")
+				unsafeHeader(outreq.Header).Set(xForwardedProto, "wss")
 			} else {
-				outreq.Header.Set(xForwardedProto, "ws")
+				unsafeHeader(outreq.Header).Set(xForwardedProto, "ws")
 			}
 		} else {
 			if outreq.TLS != nil {
-				outreq.Header.Set(xForwardedProto, "https")
+				unsafeHeader(outreq.Header).Set(xForwardedProto, "https")
 			} else {
-				outreq.Header.Set(xForwardedProto, "http")
+				unsafeHeader(outreq.Header).Set(xForwardedProto, "http")
 			}
 		}
 	}
 
-	if xfPort := outreq.Header.Get(xForwardedPort); xfPort == "" {
-		outreq.Header.Set(xForwardedPort, forwardedPort(outreq))
+	if xfPort := unsafeHeader(outreq.Header).Get(xForwardedPort); xfPort == "" {
+		unsafeHeader(outreq.Header).Set(xForwardedPort, forwardedPort(outreq))
 	}
 
-	if xfHost := outreq.Header.Get(xForwardedHost); xfHost == "" && outreq.Host != "" {
-		outreq.Header.Set(xForwardedHost, outreq.Host)
+	if xfHost := unsafeHeader(outreq.Header).Get(xForwardedHost); xfHost == "" && outreq.Host != "" {
+		unsafeHeader(outreq.Header).Set(xForwardedHost, outreq.Host)
 	}
 
 	if x.hostname != "" {
-		outreq.Header.Set(xForwardedServer, x.hostname)
+		unsafeHeader(outreq.Header).Set(xForwardedServer, x.hostname)
 	}
 }
 
@@ -164,7 +173,7 @@ func (x *XForwarded) rewrite(outreq *http.Request) {
 func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if !x.insecure && !x.isTrustedIP(r.RemoteAddr) {
 		for _, h := range xHeaders {
-			r.Header.Del(h)
+			unsafeHeader(r.Header).Del(h)
 		}
 	}
 
@@ -172,3 +181,22 @@ func (x *XForwarded) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	x.next.ServeHTTP(w, r)
 }
+
+// unsafeHeader allows to manage Header values.
+// Must be used only when the header name is already a canonical key.
+type unsafeHeader map[string][]string
+
+func (h unsafeHeader) Set(key, value string) {
+	h[key] = []string{value}
+}
+
+func (h unsafeHeader) Get(key string) string {
+	if len(h[key]) == 0 {
+		return ""
+	}
+	return h[key][0]
+}
+
+func (h unsafeHeader) Del(key string) {
+	delete(h, key)
+}

pkg/middlewares/recovery/recovery.go

@@ -10,42 +10,41 @@ import (
 )
 
 const (
-	typeName = "Recovery"
+	typeName       = "Recovery"
+	middlewareName = "traefik-internal-recovery"
 )
 
 type recovery struct {
 	next http.Handler
-	name string
 }
 
 // New creates recovery middleware.
-func New(ctx context.Context, next http.Handler, name string) (http.Handler, error) {
-	log.FromContext(middlewares.GetLoggerCtx(ctx, name, typeName)).Debug("Creating middleware")
+func New(ctx context.Context, next http.Handler) (http.Handler, error) {
+	log.FromContext(middlewares.GetLoggerCtx(ctx, middlewareName, typeName)).Debug("Creating middleware")
 
 	return &recovery{
 		next: next,
-		name: name,
 	}, nil
 }
 
 func (re *recovery) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
-	defer recoverFunc(middlewares.GetLoggerCtx(req.Context(), re.name, typeName), rw, req)
+	defer recoverFunc(rw, req)
 	re.next.ServeHTTP(rw, req)
 }
 
-func recoverFunc(ctx context.Context, rw http.ResponseWriter, r *http.Request) {
+func recoverFunc(rw http.ResponseWriter, r *http.Request) {
 	if err := recover(); err != nil {
+		logger := log.FromContext(middlewares.GetLoggerCtx(r.Context(), middlewareName, typeName))
 		if !shouldLogPanic(err) {
-			log.FromContext(ctx).Debugf("Request has been aborted [%s - %s]: %v", r.RemoteAddr, r.URL, err)
+			logger.Debugf("Request has been aborted [%s - %s]: %v", r.RemoteAddr, r.URL, err)
 			return
 		}
 
-		log.FromContext(ctx).Errorf("Recovered from panic in HTTP handler [%s - %s]: %+v", r.RemoteAddr, r.URL, err)
-
+		logger.Errorf("Recovered from panic in HTTP handler [%s - %s]: %+v", r.RemoteAddr, r.URL, err)
 		const size = 64 << 10
 		buf := make([]byte, size)
 		buf = buf[:runtime.Stack(buf, false)]
-		log.FromContext(ctx).Errorf("Stack: %s", buf)
+		logger.Errorf("Stack: %s", buf)
 
 		http.Error(rw, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 	}

pkg/middlewares/recovery/recovery_test.go

@@ -14,7 +14,7 @@ func TestRecoverHandler(t *testing.T) {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		panic("I love panicing!")
 	}
-	recovery, err := New(context.Background(), http.HandlerFunc(fn), "foo-recovery")
+	recovery, err := New(context.Background(), http.HandlerFunc(fn))
 	require.NoError(t, err)
 
 	server := httptest.NewServer(recovery)