extern/zrok
1
1
Fork 0
mirror of https://github.com/openziti/zrok.git synced 2024-11-22 08:03:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

host match control in http frontend (#48)

Browse Source
This commit is contained in:
Michael Quigley 2022-09-06 15:23:36 -04:00
parent 8095128c91
commit 2004469d5f
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
2 changed files with 68 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
endpoints/frontend/config.go
View File

@ -6,8 +6,9 @@ import (
) )
type Config struct { type Config struct {
Identity string Identity string
Address string Address string
HostMatch string
} }
func DefaultConfig() *Config { func DefaultConfig() *Config {

124
endpoints/frontend/http.go
View File

@ -39,13 +39,13 @@ func NewHTTP(cfg *Config) (*httpListen, error) {
zTransport := http.DefaultTransport.(*http.Transport).Clone() zTransport := http.DefaultTransport.(*http.Transport).Clone()
zTransport.DialContext = zDialCtx.Dial zTransport.DialContext = zDialCtx.Dial
proxy, err := NewServiceProxy(zCtx) proxy, err := newServiceProxy(cfg, zCtx)
if err != nil { if err != nil {
return nil, err return nil, err
} }
proxy.Transport = zTransport proxy.Transport = zTransport
handler := basicAuth(util.NewProxyHandler(proxy), "zrok", zCtx) handler := basicAuth(util.NewProxyHandler(proxy), "zrok", cfg, zCtx)
return &httpListen{ return &httpListen{
cfg: cfg, cfg: cfg,
zCtx: zCtx, zCtx: zCtx,
@ -66,8 +66,8 @@ func (self *zitiDialContext) Dial(_ context.Context, _ string, addr string) (net
return self.ctx.Dial(svcName) return self.ctx.Dial(svcName)
} }
func NewServiceProxy(ctx ziti.Context) (*httputil.ReverseProxy, error) { func newServiceProxy(cfg *Config, ctx ziti.Context) (*httputil.ReverseProxy, error) {
proxy := hostTargetReverseProxy(ctx) proxy := hostTargetReverseProxy(cfg, ctx)
director := proxy.Director director := proxy.Director
proxy.Director = func(req *http.Request) { proxy.Director = func(req *http.Request) {
director(req) director(req)
@ -83,9 +83,9 @@ func NewServiceProxy(ctx ziti.Context) (*httputil.ReverseProxy, error) {
return proxy, nil return proxy, nil
} }
func hostTargetReverseProxy(ctx ziti.Context) *httputil.ReverseProxy { func hostTargetReverseProxy(cfg *Config, ctx ziti.Context) *httputil.ReverseProxy {
director := func(req *http.Request) { director := func(req *http.Request) {
targetSvc := resolveService(req.Host) targetSvc := resolveService(cfg.HostMatch, req.Host)
if svc, found := getRefreshedService(targetSvc, ctx); found { if svc, found := getRefreshedService(targetSvc, ctx); found {
if cfg, found := svc.Configs[model.ZrokProxyConfig]; found { if cfg, found := svc.Configs[model.ZrokProxyConfig]; found {
logrus.Debugf("auth model: %v", cfg) logrus.Debugf("auth model: %v", cfg)
@ -149,74 +149,78 @@ func singleJoiningSlash(a, b string) string {
return a + b return a + b
} }
func basicAuth(handler http.Handler, realm string, ctx ziti.Context) http.HandlerFunc { func basicAuth(handler http.Handler, realm string, cfg *Config, ctx ziti.Context) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
svcName := resolveService(r.Host) svcName := resolveService(cfg.HostMatch, r.Host)
if svc, found := getRefreshedService(svcName, ctx); found { if svcName != "" {
if cfg, found := svc.Configs[model.ZrokProxyConfig]; found { if svc, found := getRefreshedService(svcName, ctx); found {
if scheme, found := cfg["auth_scheme"]; found { if cfg, found := svc.Configs[model.ZrokProxyConfig]; found {
switch scheme { if scheme, found := cfg["auth_scheme"]; found {
case string(model.None): switch scheme {
logrus.Debugf("auth scheme none '%v'", svcName) case string(model.None):
handler.ServeHTTP(w, r) logrus.Debugf("auth scheme none '%v'", svcName)
return handler.ServeHTTP(w, r)
case string(model.Basic):
logrus.Debugf("auth scheme basic '%v", svcName)
inUser, inPass, ok := r.BasicAuth()
if !ok {
writeUnauthorizedResponse(w, realm)
return return
}
authed := false case string(model.Basic):
if v, found := cfg["basic_auth"]; found { logrus.Debugf("auth scheme basic '%v", svcName)
if basicAuth, ok := v.(map[string]interface{}); ok { inUser, inPass, ok := r.BasicAuth()
if v, found := basicAuth["users"]; found { if !ok {
if arr, ok := v.([]interface{}); ok { writeUnauthorizedResponse(w, realm)
for _, v := range arr { return
if um, ok := v.(map[string]interface{}); ok { }
username := "" authed := false
if v, found := um["username"]; found { if v, found := cfg["basic_auth"]; found {
if un, ok := v.(string); ok { if basicAuth, ok := v.(map[string]interface{}); ok {
username = un if v, found := basicAuth["users"]; found {
if arr, ok := v.([]interface{}); ok {
for _, v := range arr {
if um, ok := v.(map[string]interface{}); ok {
username := ""
if v, found := um["username"]; found {
if un, ok := v.(string); ok {
username = un
}
} }
} password := ""
password := "" if v, found := um["password"]; found {
if v, found := um["password"]; found { if pw, ok := v.(string); ok {
if pw, ok := v.(string); ok { password = pw
password = pw }
}
if username == inUser && password == inPass {
authed = true
break
} }
}
if username == inUser && password == inPass {
authed = true
break
} }
} }
} }
} }
} }
} }
}
if !authed { if !authed {
writeUnauthorizedResponse(w, realm)
return
}
handler.ServeHTTP(w, r)
default:
logrus.Infof("invalid auth scheme '%v'", scheme)
writeUnauthorizedResponse(w, realm) writeUnauthorizedResponse(w, realm)
return return
} }
handler.ServeHTTP(w, r) } else {
logrus.Infof("%v -> no auth scheme for '%v'", r.RemoteAddr, svcName)
default:
logrus.Infof("invalid auth scheme '%v'", scheme)
writeUnauthorizedResponse(w, realm)
return
} }
} else { } else {
logrus.Infof("%v -> no auth scheme for '%v'", r.RemoteAddr, svcName) logrus.Infof("%v -> no proxy config for '%v'", r.RemoteAddr, svcName)
} }
} else { } else {
logrus.Infof("%v -> no proxy config for '%v'", r.RemoteAddr, svcName) logrus.Infof("%v -> service '%v' not found", r.RemoteAddr, svcName)
} }
} else { } else {
logrus.Infof("%v -> service '%v' not found", r.RemoteAddr, svcName) logrus.Warnf("host '%v' did not match host match", r.Host)
} }
} }
} }
@ -227,13 +231,15 @@ func writeUnauthorizedResponse(w http.ResponseWriter, realm string) {
w.Write([]byte("No Authorization\n")) w.Write([]byte("No Authorization\n"))
} }
func resolveService(host string) string { func resolveService(hostMatch string, host string) string {
logrus.Debugf("host = '%v'", host) logrus.Debugf("host = '%v'", host)
tokens := strings.Split(host, ".") if hostMatch == "" || strings.Contains(hostMatch, host) {
if len(tokens) > 0 { tokens := strings.Split(host, ".")
return tokens[0] if len(tokens) > 0 {
return tokens[0]
}
} }
return "zrok" return ""
} }
func getRefreshedService(name string, ctx ziti.Context) (*edge.Service, bool) { func getRefreshedService(name string, ctx ziti.Context) (*edge.Service, bool) {