Fix NTLM and Kerberos
This commit is contained in:
Julien Salleyron
GitHub
parent
8f9ad16f54
commit
e11ff98608
4 changed files with 161 additions and 3 deletions
|
|
@ -1,6 +1,7 @@
|
|||
package service
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
|
|
@ -8,6 +9,7 @@ import (
|
|||
"net"
|
||||
"net/http"
|
||||
"reflect"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
|
|
@ -149,10 +151,71 @@ func createRoundTripper(cfg *dynamic.ServersTransport) (http.RoundTripper, error
|
|||
|
||||
// Return directly HTTP/1.1 transport when HTTP/2 is disabled
|
||||
if cfg.DisableHTTP2 {
|
||||
return transport, nil
|
||||
return &KerberosRoundTripper{
|
||||
OriginalRoundTripper: transport,
|
||||
new: func() http.RoundTripper {
|
||||
return transport.Clone()
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
return newSmartRoundTripper(transport, cfg.ForwardingTimeouts)
|
||||
rt, err := newSmartRoundTripper(transport, cfg.ForwardingTimeouts)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &KerberosRoundTripper{
|
||||
OriginalRoundTripper: rt,
|
||||
new: func() http.RoundTripper {
|
||||
return rt.Clone()
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
|
||||
type KerberosRoundTripper struct {
|
||||
new func() http.RoundTripper
|
||||
OriginalRoundTripper http.RoundTripper
|
||||
}
|
||||
|
||||
type stickyRoundTripper struct {
|
||||
RoundTripper http.RoundTripper
|
||||
}
|
||||
|
||||
type transportKeyType string
|
||||
|
||||
var transportKey transportKeyType = "transport"
|
||||
|
||||
func AddTransportOnContext(ctx context.Context) context.Context {
|
||||
return context.WithValue(ctx, transportKey, &stickyRoundTripper{})
|
||||
}
|
||||
|
||||
func (k *KerberosRoundTripper) RoundTrip(request *http.Request) (*http.Response, error) {
|
||||
value, ok := request.Context().Value(transportKey).(*stickyRoundTripper)
|
||||
if !ok {
|
||||
return k.OriginalRoundTripper.RoundTrip(request)
|
||||
}
|
||||
|
||||
if value.RoundTripper != nil {
|
||||
return value.RoundTripper.RoundTrip(request)
|
||||
}
|
||||
|
||||
resp, err := k.OriginalRoundTripper.RoundTrip(request)
|
||||
|
||||
// If we found that we are authenticating with Kerberos (Negotiate) or NTLM.
|
||||
// We put a dedicated roundTripper in the ConnContext.
|
||||
// This will stick the next calls to the same connection with the backend.
|
||||
if err == nil && containsNTLMorNegotiate(resp.Header.Values("WWW-Authenticate")) {
|
||||
value.RoundTripper = k.new()
|
||||
}
|
||||
return resp, err
|
||||
}
|
||||
|
||||
func containsNTLMorNegotiate(h []string) bool {
|
||||
for _, s := range h {
|
||||
if strings.HasPrefix(s, "NTLM") || strings.HasPrefix(s, "Negotiate") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func createRootCACertPool(rootCAs []traefiktls.FileOrContent) *x509.CertPool {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue