host match control in http frontend (#48)

2024-11-25 17:43:53 +01:00 · 2022-09-06 15:23:36 -04:00 · 2022-09-06 15:23:36 -04:00 · 2004469d5f
commit 2004469d5f
parent 8095128c91
2 changed files with 68 additions and 61 deletions
--- a/endpoints/frontend/config.go
+++ b/endpoints/frontend/config.go
@ -8,6 +8,7 @@ import (
 type Config struct {
 	Identity  string
 	Address   string
+	HostMatch string
 }

 func DefaultConfig() *Config {
--- a/endpoints/frontend/http.go
+++ b/endpoints/frontend/http.go
@ -39,13 +39,13 @@ func NewHTTP(cfg *Config) (*httpListen, error) {
 	zTransport := http.DefaultTransport.(*http.Transport).Clone()
 	zTransport.DialContext = zDialCtx.Dial

-	proxy, err := NewServiceProxy(zCtx)
+	proxy, err := newServiceProxy(cfg, zCtx)
 	if err != nil {
 		return nil, err
 	}
 	proxy.Transport = zTransport

-	handler := basicAuth(util.NewProxyHandler(proxy), "zrok", zCtx)
+	handler := basicAuth(util.NewProxyHandler(proxy), "zrok", cfg, zCtx)
 	return &httpListen{
 		cfg:     cfg,
 		zCtx:    zCtx,
@ -66,8 +66,8 @@ func (self *zitiDialContext) Dial(_ context.Context, _ string, addr string) (net
 	return self.ctx.Dial(svcName)
 }

-func NewServiceProxy(ctx ziti.Context) (*httputil.ReverseProxy, error) {
-	proxy := hostTargetReverseProxy(ctx)
+func newServiceProxy(cfg *Config, ctx ziti.Context) (*httputil.ReverseProxy, error) {
+	proxy := hostTargetReverseProxy(cfg, ctx)
 	director := proxy.Director
 	proxy.Director = func(req *http.Request) {
 		director(req)
@ -83,9 +83,9 @@ func NewServiceProxy(ctx ziti.Context) (*httputil.ReverseProxy, error) {
 	return proxy, nil
 }

-func hostTargetReverseProxy(ctx ziti.Context) *httputil.ReverseProxy {
+func hostTargetReverseProxy(cfg *Config, ctx ziti.Context) *httputil.ReverseProxy {
 	director := func(req *http.Request) {
-		targetSvc := resolveService(req.Host)
+		targetSvc := resolveService(cfg.HostMatch, req.Host)
 		if svc, found := getRefreshedService(targetSvc, ctx); found {
 			if cfg, found := svc.Configs[model.ZrokProxyConfig]; found {
 				logrus.Debugf("auth model: %v", cfg)
@ -149,9 +149,10 @@ func singleJoiningSlash(a, b string) string {
 	return a + b
 }

-func basicAuth(handler http.Handler, realm string, ctx ziti.Context) http.HandlerFunc {
+func basicAuth(handler http.Handler, realm string, cfg *Config, ctx ziti.Context) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		svcName := resolveService(r.Host)
+		svcName := resolveService(cfg.HostMatch, r.Host)
+		if svcName != "" {
 			if svc, found := getRefreshedService(svcName, ctx); found {
 				if cfg, found := svc.Configs[model.ZrokProxyConfig]; found {
 					if scheme, found := cfg["auth_scheme"]; found {
@ -218,6 +219,9 @@ func basicAuth(handler http.Handler, realm string, ctx ziti.Context) http.Handle
 			} else {
 				logrus.Infof("%v -> service '%v' not found", r.RemoteAddr, svcName)
 			}
+		} else {
+			logrus.Warnf("host '%v' did not match host match", r.Host)
+		}
 	}
 }

@ -227,13 +231,15 @@ func writeUnauthorizedResponse(w http.ResponseWriter, realm string) {
 	w.Write([]byte("No Authorization\n"))
 }

-func resolveService(host string) string {
+func resolveService(hostMatch string, host string) string {
 	logrus.Debugf("host = '%v'", host)
+	if hostMatch == "" || strings.Contains(hostMatch, host) {
 		tokens := strings.Split(host, ".")
 		if len(tokens) > 0 {
 			return tokens[0]
 		}
-	return "zrok"
+	}
+	return ""
 }

 func getRefreshedService(name string, ctx ziti.Context) (*edge.Service, bool) {