1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package headers
import (
"fmt"
"net/http"
"regexp"
"strings"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
)
func init() {
caddy.RegisterModule(Handler{})
}
// Handler is a middleware which modifies request and response headers.
//
// Changes to headers are applied immediately, except for the response
// headers when Deferred is true or when Required is set. In those cases,
// the changes are applied when the headers are written to the response.
// Note that deferred changes do not take effect if an error occurs later
// in the middleware chain.
//
// Properties in this module accept placeholders.
//
// Response header operations can be conditioned upon response status code
// and/or other header values.
type Handler struct {
Request *HeaderOps `json:"request,omitempty"`
Response *RespHeaderOps `json:"response,omitempty"`
}
// CaddyModule returns the Caddy module information.
func (Handler) CaddyModule() caddy.ModuleInfo {
return caddy.ModuleInfo{
ID: "http.handlers.headers",
New: func() caddy.Module { return new(Handler) },
}
}
// Provision sets up h's configuration.
func (h *Handler) Provision(ctx caddy.Context) error {
if h.Request != nil {
err := h.Request.Provision(ctx)
if err != nil {
return err
}
}
if h.Response != nil {
err := h.Response.Provision(ctx)
if err != nil {
return err
}
}
return nil
}
// Validate ensures h's configuration is valid.
func (h Handler) Validate() error {
if h.Request != nil {
err := h.Request.validate()
if err != nil {
return err
}
}
if h.Response != nil {
err := h.Response.validate()
if err != nil {
return err
}
}
return nil
}
func (h Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
if h.Request != nil {
h.Request.ApplyToRequest(r)
}
if h.Response != nil {
if h.Response.Deferred || h.Response.Require != nil {
w = &responseWriterWrapper{
ResponseWriterWrapper: &caddyhttp.ResponseWriterWrapper{ResponseWriter: w},
replacer: repl,
require: h.Response.Require,
headerOps: h.Response.HeaderOps,
}
} else {
h.Response.ApplyTo(w.Header(), repl)
}
}
return next.ServeHTTP(w, r)
}
// HeaderOps defines manipulations for HTTP headers.
type HeaderOps struct {
// Adds HTTP headers; does not replace any existing header fields.
Add http.Header `json:"add,omitempty"`
// Sets HTTP headers; replaces existing header fields.
Set http.Header `json:"set,omitempty"`
// Names of HTTP header fields to delete. Basic wildcards are supported:
//
// - Start with `*` for all field names with the given suffix;
// - End with `*` for all field names with the given prefix;
// - Start and end with `*` for all field names containing a substring.
Delete []string `json:"delete,omitempty"`
// Performs in-situ substring replacements of HTTP headers.
// Keys are the field names on which to perform the associated replacements.
// If the field name is `*`, the replacements are performed on all header fields.
Replace map[string][]Replacement `json:"replace,omitempty"`
}
// Provision sets up the header operations.
func (ops *HeaderOps) Provision(_ caddy.Context) error {
for fieldName, replacements := range ops.Replace {
for i, r := range replacements {
if r.SearchRegexp != "" {
re, err := regexp.Compile(r.SearchRegexp)
if err != nil {
return fmt.Errorf("replacement %d for header field '%s': %v", i, fieldName, err)
}
replacements[i].re = re
}
}
}
return nil
}
func (ops HeaderOps) validate() error {
for fieldName, replacements := range ops.Replace {
for _, r := range replacements {
if r.Search != "" && r.SearchRegexp != "" {
return fmt.Errorf("cannot specify both a substring search and a regular expression search for field '%s'", fieldName)
}
}
}
return nil
}
// Replacement describes a string replacement,
// either a simple and fast substring search
// or a slower but more powerful regex search.
type Replacement struct {
// The substring to search for.
Search string `json:"search,omitempty"`
// The regular expression to search with.
SearchRegexp string `json:"search_regexp,omitempty"`
// The string with which to replace matches.
Replace string `json:"replace,omitempty"`
re *regexp.Regexp
}
// RespHeaderOps defines manipulations for response headers.
type RespHeaderOps struct {
*HeaderOps
// If set, header operations will be deferred until
// they are written out and only performed if the
// response matches these criteria.
Require *caddyhttp.ResponseMatcher `json:"require,omitempty"`
// If true, header operations will be deferred until
// they are written out. Superceded if Require is set.
// Usually you will need to set this to true if any
// fields are being deleted.
Deferred bool `json:"deferred,omitempty"`
}
// ApplyTo applies ops to hdr using repl.
func (ops HeaderOps) ApplyTo(hdr http.Header, repl *caddy.Replacer) {
// before manipulating headers in other ways, check if there
// is configuration to delete all headers, and do that first
// because if a header is to be added, we don't want to delete
// it also
for _, fieldName := range ops.Delete {
fieldName = repl.ReplaceKnown(fieldName, "")
if fieldName == "*" {
for existingField := range hdr {
delete(hdr, existingField)
}
}
}
// add
for fieldName, vals := range ops.Add {
fieldName = repl.ReplaceKnown(fieldName, "")
for _, v := range vals {
hdr.Add(fieldName, repl.ReplaceKnown(v, ""))
}
}
// set
for fieldName, vals := range ops.Set {
fieldName = repl.ReplaceKnown(fieldName, "")
var newVals []string
for i := range vals {
// append to new slice so we don't overwrite
// the original values in ops.Set
newVals = append(newVals, repl.ReplaceKnown(vals[i], ""))
}
hdr.Set(fieldName, strings.Join(newVals, ","))
}
// delete
for _, fieldName := range ops.Delete {
fieldName = strings.ToLower(repl.ReplaceKnown(fieldName, ""))
if fieldName == "*" {
continue // handled above
}
switch {
case strings.HasPrefix(fieldName, "*") && strings.HasSuffix(fieldName, "*"):
for existingField := range hdr {
if strings.Contains(strings.ToLower(existingField), fieldName[1:len(fieldName)-1]) {
delete(hdr, existingField)
}
}
case strings.HasPrefix(fieldName, "*"):
for existingField := range hdr {
if strings.HasSuffix(strings.ToLower(existingField), fieldName[1:]) {
delete(hdr, existingField)
}
}
case strings.HasSuffix(fieldName, "*"):
for existingField := range hdr {
if strings.HasPrefix(strings.ToLower(existingField), fieldName[:len(fieldName)-1]) {
delete(hdr, existingField)
}
}
default:
hdr.Del(fieldName)
}
}
// replace
for fieldName, replacements := range ops.Replace {
fieldName = http.CanonicalHeaderKey(repl.ReplaceKnown(fieldName, ""))
// all fields...
if fieldName == "*" {
for _, r := range replacements {
search := repl.ReplaceKnown(r.Search, "")
replace := repl.ReplaceKnown(r.Replace, "")
for fieldName, vals := range hdr {
for i := range vals {
if r.re != nil {
hdr[fieldName][i] = r.re.ReplaceAllString(hdr[fieldName][i], replace)
} else {
hdr[fieldName][i] = strings.ReplaceAll(hdr[fieldName][i], search, replace)
}
}
}
}
continue
}
// ...or only with the named field
for _, r := range replacements {
search := repl.ReplaceKnown(r.Search, "")
replace := repl.ReplaceKnown(r.Replace, "")
for hdrFieldName, vals := range hdr {
// see issue #4330 for why we don't simply use hdr[fieldName]
if http.CanonicalHeaderKey(hdrFieldName) != fieldName {
continue
}
for i := range vals {
if r.re != nil {
hdr[hdrFieldName][i] = r.re.ReplaceAllString(hdr[hdrFieldName][i], replace)
} else {
hdr[hdrFieldName][i] = strings.ReplaceAll(hdr[hdrFieldName][i], search, replace)
}
}
}
}
}
}
// ApplyToRequest applies ops to r, specially handling the Host
// header which the standard library does not include with the
// header map with all the others. This method mutates r.Host.
func (ops HeaderOps) ApplyToRequest(r *http.Request) {
repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
// capture the current Host header so we can
// reset to it when we're done
origHost, hadHost := r.Header["Host"]
// append r.Host; this way, we know that our value
// was last in the list, and if an Add operation
// appended something else after it, that's probably
// fine because it's weird to have multiple Host
// headers anyway and presumably the one they added
// is the one they wanted
r.Header["Host"] = append(r.Header["Host"], r.Host)
// apply header operations
ops.ApplyTo(r.Header, repl)
// retrieve the last Host value (likely the one we appended)
if len(r.Header["Host"]) > 0 {
r.Host = r.Header["Host"][len(r.Header["Host"])-1]
} else {
r.Host = ""
}
// reset the Host header slice
if hadHost {
r.Header["Host"] = origHost
} else {
delete(r.Header, "Host")
}
}
// responseWriterWrapper defers response header
// operations until WriteHeader is called.
type responseWriterWrapper struct {
*caddyhttp.ResponseWriterWrapper
replacer *caddy.Replacer
require *caddyhttp.ResponseMatcher
headerOps *HeaderOps
wroteHeader bool
}
func (rww *responseWriterWrapper) WriteHeader(status int) {
if rww.wroteHeader {
return
}
// 1xx responses aren't final; just informational
if status < 100 || status > 199 {
rww.wroteHeader = true
}
if rww.require == nil || rww.require.Match(status, rww.ResponseWriterWrapper.Header()) {
if rww.headerOps != nil {
rww.headerOps.ApplyTo(rww.ResponseWriterWrapper.Header(), rww.replacer)
}
}
rww.ResponseWriterWrapper.WriteHeader(status)
}
func (rww *responseWriterWrapper) Write(d []byte) (int, error) {
if !rww.wroteHeader {
rww.WriteHeader(http.StatusOK)
}
return rww.ResponseWriterWrapper.Write(d)
}
// Interface guards
var (
_ caddy.Provisioner = (*Handler)(nil)
_ caddyhttp.MiddlewareHandler = (*Handler)(nil)
_ http.ResponseWriter = (*responseWriterWrapper)(nil)
)
|