diff --git a/glide.lock b/glide.lock index 3c13cfee5..3fba40f38 100644 --- a/glide.lock +++ b/glide.lock @@ -1,5 +1,5 @@ -hash: ed8bed99f9096c408e34756a9c8eafd366d66f624a3e75a3fe7f84a2c5c98fa1 -updated: 2017-09-30T18:32:16.848940186+02:00 +hash: 45cf1c60c4c2c584ee9514e24dee16debb8e88e59517a4b82ec91600b8904dfe +updated: 2017-10-23T15:19:16.848940186+02:00 imports: - name: cloud.google.com/go version: 2e6a95edb1071d750f6d7db777bf66cd2997af6c @@ -481,7 +481,7 @@ imports: - name: github.com/urfave/negroni version: 490e6a555d47ca891a89a150d0c1ef3922dfffe9 - name: github.com/vulcand/oxy - version: 4b280f86f847bcdfd921dd1ffa9ae7949dc855ee + version: c66eb2065193ca9264781f951e92c245b2ec81c2 repo: https://github.com/containous/oxy.git vcs: git subpackages: diff --git a/glide.yaml b/glide.yaml index 6d4746f15..fbefa3782 100644 --- a/glide.yaml +++ b/glide.yaml @@ -12,7 +12,7 @@ import: - package: github.com/cenk/backoff - package: github.com/containous/flaeg - package: github.com/vulcand/oxy - version: 4b280f86f847bcdfd921dd1ffa9ae7949dc855ee + version: c66eb2065193ca9264781f951e92c245b2ec81c2 repo: https://github.com/containous/oxy.git vcs: git subpackages: diff --git a/vendor/github.com/vulcand/oxy/forward/headers.go b/vendor/github.com/vulcand/oxy/forward/headers.go index 6d83c68cc..629421551 100644 --- a/vendor/github.com/vulcand/oxy/forward/headers.go +++ b/vendor/github.com/vulcand/oxy/forward/headers.go @@ -6,6 +6,7 @@ const ( XForwardedHost = "X-Forwarded-Host" XForwardedPort = "X-Forwarded-Port" XForwardedServer = "X-Forwarded-Server" + XRealIp = "X-Real-Ip" Connection = "Connection" KeepAlive = "Keep-Alive" ProxyAuthenticate = "Proxy-Authenticate" @@ -50,3 +51,12 @@ var WebsocketUpgradeHeaders = []string{ Connection, SecWebsocketAccept, } + +var XHeaders = []string{ + XForwardedProto, + XForwardedFor, + XForwardedHost, + XForwardedPort, + XForwardedServer, + XRealIp, +} diff --git a/vendor/github.com/vulcand/oxy/forward/rewrite.go b/vendor/github.com/vulcand/oxy/forward/rewrite.go index b54e8bfdb..6a39241f2 100644 --- a/vendor/github.com/vulcand/oxy/forward/rewrite.go +++ b/vendor/github.com/vulcand/oxy/forward/rewrite.go @@ -15,30 +15,36 @@ type HeaderRewriter struct { } func (rw *HeaderRewriter) Rewrite(req *http.Request) { + if !rw.TrustForwardHeader { + utils.RemoveHeaders(req.Header, XHeaders...) + } + if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil { - if rw.TrustForwardHeader { - if prior, ok := req.Header[XForwardedFor]; ok { - clientIP = strings.Join(prior, ", ") + ", " + clientIP - } + if prior, ok := req.Header[XForwardedFor]; ok { + req.Header.Set(XForwardedFor, strings.Join(prior, ", ")+", "+clientIP) + } else { + req.Header.Set(XForwardedFor, clientIP) + } + + if req.Header.Get(XRealIp) == "" { + req.Header.Set(XRealIp, clientIP) } - req.Header.Set(XForwardedFor, clientIP) } - if xfp := req.Header.Get(XForwardedProto); xfp != "" && rw.TrustForwardHeader { - req.Header.Set(XForwardedProto, xfp) - } else if req.TLS != nil { - req.Header.Set(XForwardedProto, "https") - } else { - req.Header.Set(XForwardedProto, "http") + xfProto := req.Header.Get(XForwardedProto) + if xfProto == "" { + if req.TLS != nil { + req.Header.Set(XForwardedProto, "https") + } else { + req.Header.Set(XForwardedProto, "http") + } } - if xfp := req.Header.Get(XForwardedPort); xfp != "" && rw.TrustForwardHeader { - req.Header.Set(XForwardedPort, xfp) + if xfp := req.Header.Get(XForwardedPort); xfp == "" { + req.Header.Set(XForwardedPort, forwardedPort(req)) } - if xfh := req.Header.Get(XForwardedHost); xfh != "" && rw.TrustForwardHeader { - req.Header.Set(XForwardedHost, xfh) - } else if req.Host != "" { + if xfHost := req.Header.Get(XForwardedHost); xfHost == "" && req.Host != "" { req.Header.Set(XForwardedHost, req.Host) } @@ -50,3 +56,19 @@ func (rw *HeaderRewriter) Rewrite(req *http.Request) { // connection, regardless of what the client sent to us. utils.RemoveHeaders(req.Header, HopHeaders...) } + +func forwardedPort(req *http.Request) string { + if req == nil { + return "" + } + + if _, port, err := net.SplitHostPort(req.Host); err == nil && port != "" { + return port + } + + if req.TLS != nil { + return "443" + } + + return "80" +}