Commit 896251b1 authored by Adam Niedzielski's avatar Adam Niedzielski

Set correct value of X-Forwarded-For header in PreAuthorize request

parent 0fe5a09e
...@@ -157,6 +157,8 @@ func (api *API) newRequest(r *http.Request, body io.Reader, suffix string) (*htt ...@@ -157,6 +157,8 @@ func (api *API) newRequest(r *http.Request, body io.Reader, suffix string) (*htt
// configurations (Passenger) to solve auth request routing problems. // configurations (Passenger) to solve auth request routing problems.
authReq.Header.Set("Gitlab-Workhorse", api.Version) authReq.Header.Set("Gitlab-Workhorse", api.Version)
helper.SetForwardedFor(&authReq.Header, r)
tokenString, err := secret.JWTTokenString(secret.DefaultClaims) tokenString, err := secret.JWTTokenString(secret.DefaultClaims)
if err != nil { if err != nil {
return nil, fmt.Errorf("newRequest: sign JWT: %v", err) return nil, fmt.Errorf("newRequest: sign JWT: %v", err)
......
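Review bot: The value that `helper.SetForwardedFor(&authReq.Header, r)` places on the PreAuthorize request contains whatever X-Forwarded-For the inbound request already carried, which is client-supplied, plus one trailing entry taken from `r.RemoteAddr`, which is the only element Workhorse itself observed. The consumer of this header should therefore derive the client address from the trailing entries and its own trusted-proxy configuration rather than from the first entry. A comment at the call site would make that contract explicit: `// X-Forwarded-For is the client-supplied chain plus RemoteAddr appended last; the receiving side must apply its trusted-proxy rules.` newRequest's body continues outside the hunk.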
...@@ -3,10 +3,12 @@ package helper ...@@ -3,10 +3,12 @@ package helper
import ( import (
"errors" "errors"
"log" "log"
"net"
"net/http" "net/http"
"net/url" "net/url"
"os" "os"
"os/exec" "os/exec"
"strings"
"syscall" "syscall"
) )
...@@ -142,3 +144,19 @@ func DisableResponseBuffering(w http.ResponseWriter) { ...@@ -142,3 +144,19 @@ func DisableResponseBuffering(w http.ResponseWriter) {
func AllowResponseBuffering(w http.ResponseWriter) { func AllowResponseBuffering(w http.ResponseWriter) {
w.Header().Del(NginxResponseBufferHeader) w.Header().Del(NginxResponseBufferHeader)
} }
func SetForwardedFor(newHeaders *http.Header, originalRequest *http.Request) {
if clientIP, _, err := net.SplitHostPort(originalRequest.RemoteAddr); err == nil {
var header string
// If we aren't the first proxy retain prior
// X-Forwarded-For information as a comma+space
// separated list and fold multiple headers into one.
if prior, ok := originalRequest.Header["X-Forwarded-For"]; ok {
header = strings.Join(prior, ", ") + ", " + clientIP
} else {
header = clientIP
}
newHeaders.Set("X-Forwarded-For", header)
}
}
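Review bot: SetForwardedFor sets no header at all when `net.SplitHostPort(originalRequest.RemoteAddr)` fails, so a request whose RemoteAddr is not in host:port form (a unix-socket listener, or a synthetic request) silently loses both its own address and any prior X-Forwarded-For chain, and the caller has no way to notice. Consider falling back to `originalRequest.RemoteAddr` verbatim or returning the error instead of wrapping the whole body in that `if`, and document the behaviour either way, e.g. `// SetForwardedFor copies the inbound X-Forwarded-For chain unvalidated and appends the peer host from RemoteAddr; it sets nothing when RemoteAddr has no host:port form.` `newHeaders.Set` also panics when `*newHeaders` is a nil map, which a caller passing a freshly cloned or zero-value header could hit; a guard such as `if *newHeaders == nil { *newHeaders = http.Header{} }` or a doc line requiring a non-nil map would close that.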
package helper
import (
"net/http"
"testing"
)
func TestSetForwardedForGeneratesHeader(t *testing.T) {
testCases := []struct {
remoteAddr string
previousForwardedFor []string
expected string
}{
{
"8.8.8.8:3000",
nil,
"8.8.8.8",
},
{
"8.8.8.8:3000",
[]string{"138.124.33.63, 151.146.211.237"},
"138.124.33.63, 151.146.211.237, 8.8.8.8",
},
{
"8.8.8.8:3000",
[]string{"8.154.76.107", "115.206.118.179"},
"8.154.76.107, 115.206.118.179, 8.8.8.8",
},
}
for _, tc := range testCases {
headers := http.Header{}
originalRequest := http.Request{
RemoteAddr: tc.remoteAddr,
}
if tc.previousForwardedFor != nil {
originalRequest.Header = http.Header{
"X-Forwarded-For": tc.previousForwardedFor,
}
}
SetForwardedFor(&headers, &originalRequest)
result := headers.Get("X-Forwarded-For")
if result != tc.expected {
t.Fatalf("Expected %v, got %v", tc.expected, result)
}
}
}
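Review bot: The table in TestSetForwardedForGeneratesHeader only uses RemoteAddr values that parse as host:port, so the branch in which `net.SplitHostPort` fails and no header is written is untested, and no IPv6 peer is covered either. Two additional rows would pin both: `{"[2001:db8::1]:3000", nil, "2001:db8::1"}` and `{"8.8.8.8", nil, ""}`, the latter asserting that the header stays absent. The `t.Fatalf("Expected %v, got %v", ...)` would be more useful with `%q`, so an empty or whitespace-padded result is visible in the failure output.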
...@@ -2,9 +2,7 @@ package terminal ...@@ -2,9 +2,7 @@ package terminal
import ( import (
"log" "log"
"net"
"net/http" "net/http"
"strings"
"time" "time"
"github.com/gorilla/websocket" "github.com/gorilla/websocket"
...@@ -102,15 +100,7 @@ func pingLoop(conn Connection) { ...@@ -102,15 +100,7 @@ func pingLoop(conn Connection) {
func connectToServer(terminal *api.TerminalSettings, r *http.Request) (Connection, error) { func connectToServer(terminal *api.TerminalSettings, r *http.Request) (Connection, error) {
terminal = terminal.Clone() terminal = terminal.Clone()
// Pass along X-Forwarded-For, appending request.RemoteAddr, to the server helper.SetForwardedFor(&terminal.Header, r)
// we're connecting to.
if ip, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
if chains, ok := r.Header["X-Forwarded-For"]; ok {
terminal.Header.Set("X-Forwarded-For", strings.Join(chains, ", ")+", "+ip)
} else {
terminal.Header.Set("X-Forwarded-For", ip)
}
}
conn, _, err := terminal.Dial() conn, _, err := terminal.Dial()
if err != nil { if err != nil {
......
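Review bot: The refactor to `helper.SetForwardedFor(&terminal.Header, r)` drops the inline comment that explained why the header is forwarded to the terminal backend, leaving the call unexplained at this site. A one-line comment such as `// Forward the inbound X-Forwarded-For chain plus r.RemoteAddr to the terminal server.` would preserve that intent. connectToServer's body continues outside the hunk.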