Add TrustForwardHeader options.

2017-10-16 12:46:03 +02:00 · 2017-10-16 12:46:03 +02:00 · aa308b7a3a
commit aa308b7a3a
parent 9598f646f5
10 changed files with 265 additions and 40 deletions
--- a/server/header_rewriter.go
+++ b/server/header_rewriter.go
@ -0,0 +1,51 @@
+package server
+
+import (
+	"net"
+	"net/http"
+	"os"
+
+	"github.com/containous/traefik/whitelist"
+	"github.com/vulcand/oxy/forward"
+)
+
+// NewHeaderRewriter Create a header rewriter
+func NewHeaderRewriter(trustedIPs []string, insecure bool) (forward.ReqRewriter, error) {
+	IPs, err := whitelist.NewIP(trustedIPs, insecure)
+	if err != nil {
+		return nil, err
+	}
+
+	h, err := os.Hostname()
+	if err != nil {
+		h = "localhost"
+	}
+
+	return &headerRewriter{
+		secureRewriter:   &forward.HeaderRewriter{TrustForwardHeader: true, Hostname: h},
+		insecureRewriter: &forward.HeaderRewriter{TrustForwardHeader: false, Hostname: h},
+		ips:              IPs,
+		insecure:         insecure,
+	}, nil
+}
+
+type headerRewriter struct {
+	secureRewriter   forward.ReqRewriter
+	insecureRewriter forward.ReqRewriter
+	insecure         bool
+	ips              *whitelist.IP
+}
+
+func (h *headerRewriter) Rewrite(req *http.Request) {
+	clientIP, _, err := net.SplitHostPort(req.RemoteAddr)
+	if err != nil {
+		h.secureRewriter.Rewrite(req)
+	}
+
+	authorized, _, err := h.ips.Contains(clientIP)
+	if h.insecure || authorized {
+		h.secureRewriter.Rewrite(req)
+	} else {
+		h.insecureRewriter.Rewrite(req)
+	}
+}