From 25f10511e7ef80c10493519499c479f6ffa49a0f Mon Sep 17 00:00:00 2001
From: Francis Lavoie
Date: Wed, 22 Jun 2022 15:01:57 -0400
Subject: reverseproxy: Fix panic when TLS is not configured (#4848)
* reverseproxy: Fix panic when TLS is not configured
* Refactor and simplify setScheme
Co-authored-by: Matthew Holt
---
 modules/caddyhttp/reverseproxy/httptransport.go | 39 +++++++++++++++----------
 1 file changed, 23 insertions(+), 16 deletions(-)
(limited to 'modules/caddyhttp/reverseproxy')
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 1fac420..94a0938 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -281,7 +281,7 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 repl := req.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 transport := h.replaceTLSServername(repl)
- transport.SetScheme(req)
+ transport.setScheme(req)
 // if H2C ("HTTP/2 over cleartext") is enabled and the upstream request is
 // HTTP without TLS, use the alternate H2C-capable transport instead
@@ -292,27 +292,34 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 return transport.Transport.RoundTrip(req)
 }
-// SetScheme ensures that the outbound request req
+// setScheme ensures that the outbound request req
 // has the scheme set in its URL; the underlying
 // http.Transport requires a scheme to be set.
-func (h *HTTPTransport) SetScheme(req *http.Request) {
- skipTLSport := false
- if h.TLS.ExceptPorts != nil {
- port := req.URL.Port()
- for i := range h.TLS.ExceptPorts {
- if h.TLS.ExceptPorts[i] == port {
- skipTLSport = true
- break
- }
- }
+func (h *HTTPTransport) setScheme(req *http.Request) {
+ if req.URL.Scheme != "" {
+ return
 }
-
- if req.URL.Scheme == "" {
+ if h.shouldUseTLS(req) {
+ req.URL.Scheme = "https"
+ } else {
 req.URL.Scheme = "http"
- if h.TLS != nil && !skipTLSport {
- req.URL.Scheme = "https"
+ }
+}
+
+// shouldUseTLS returns true if TLS should be used for req.
+func (h *HTTPTransport) shouldUseTLS(req *http.Request) bool {
+ if h.TLS == nil {
+ return false
+ }
+
+ port := req.URL.Port()
+ for i := range h.TLS.ExceptPorts {
+ if h.TLS.ExceptPorts[i] == port {
+ return false
 }
 }
+
+ return true
 }
 // TLSEnabled returns true if TLS is enabled.
-- cgit v1.2.3
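Review bot: The one-line doc comment on `shouldUseTLS` does not say when the upstream connection falls back to cleartext, which is the security-relevant part of this helper: it returns false when `h.TLS` is nil or when `req.URL.Port()` equals an entry in `ExceptPorts`. That comparison is an exact string match, and `URL.Port()` returns an empty string when the URL carries no explicit port, so a port-less upstream URL matches only an empty-string entry in `ExceptPorts` and is otherwise sent as https. I would expand the comment to something like `// shouldUseTLS reports whether req is sent upstream over TLS: false if h.TLS is nil or the URL's explicit port is listed in ExceptPorts (exact string match).` The comment on `setScheme` could also state that a request arriving with a scheme already set is left untouched, so a configured `TLS` block does not upgrade an existing `http` scheme. The diffstat shows only this file changed, so a regression test that calls `setScheme` with a nil `TLS` field would pin the panic fix.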