authorMatt Holt <mholt@users.noreply.github.com>2022-10-04 23:37:01 -0600
committerGitHub <noreply@github.com>2022-10-05 01:37:01 -0400
commit2153a81ec85da99dcd33aa87ff0df5d286f00e9d (patch)
treec0b07ef01f1122f46d1f1a395b5dc5523cdacaef /modules
parentea58d519078916d4cf273628653e348befbaf6c0 (diff)
forwardauth: Canonicalize header fields (fix #5038) (#5097)
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go39
1 files changed, 18 insertions, 21 deletions
diff --git a/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go b/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go
index a0b1f42..cecc000 100644
--- a/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go
@@ -38,29 +38,28 @@ func init() {
// configured for most™️ auth gateways that support forward auth. The typical
// config which looks something like this:
//
-// forward_auth auth-gateway:9091 {
-// uri /authenticate?redirect=https://auth.example.com
-// copy_headers Remote-User Remote-Email
-// }
+// forward_auth auth-gateway:9091 {
+// uri /authenticate?redirect=https://auth.example.com
+// copy_headers Remote-User Remote-Email
+// }
//
// is equivalent to a reverse_proxy directive like this:
//
-// reverse_proxy auth-gateway:9091 {
-// method GET
-// rewrite /authenticate?redirect=https://auth.example.com
+// reverse_proxy auth-gateway:9091 {
+// method GET
+// rewrite /authenticate?redirect=https://auth.example.com
//
-// header_up X-Forwarded-Method {method}
-// header_up X-Forwarded-Uri {uri}
-//
-// @good status 2xx
-// handle_response @good {
-// request_header {
-// Remote-User {http.reverse_proxy.header.Remote-User}
-// Remote-Email {http.reverse_proxy.header.Remote-Email}
-// }
-// }
-// }
+// header_up X-Forwarded-Method {method}
+// header_up X-Forwarded-Uri {uri}
//
+// @good status 2xx
+// handle_response @good {
+// request_header {
+// Remote-User {http.reverse_proxy.header.Remote-User}
+// Remote-Email {http.reverse_proxy.header.Remote-Email}
+// }
+// }
+// }
func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error) {
if !h.Next() {
return nil, h.ArgErr()
@@ -196,9 +195,7 @@ func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error)
// need at least one handler in the routes for the response handling
// logic in reverse_proxy to not skip this entry as empty.
for from, to := range headersToCopy {
- handler.Request.Set[to] = []string{
- "{http.reverse_proxy.header." + from + "}",
- }
+ handler.Request.Set.Set(to, "{http.reverse_proxy.header."+http.CanonicalHeaderKey(from)+"}")
}
goodResponseHandler.Routes = append(