Merge pull request #1 from plamorg/xforward

Xforward

Author: claby2

integration/examples/examples_test.go

@@ -12,6 +12,7 @@ func TestExamples(t *testing.T) {
 	examples := []string{
 		"./middlewares/auth-forward.yml",
 		"./middlewares/ip-allow.yml",
+		"./middlewares/x-forward.yml",
 		"./additional-configuration.yml",
 		"./basic.yml",
 		"./health-check.yml",

integration/examples/middlewares/auth-forward.yml

@@ -19,26 +19,3 @@ services:
 
         # Forward X-Forwarded-* headers to the authentication server.
         xForwarded: true # Default: false.
-
-  # === Integrating with Authelia ===
-  # The authForward middleware allows the use of external authenticators like Authelia to work with voltproxy proxied services.
-  # Here is an example:
-  # 1. Firstly, proxy the Authelia service:
-  authelia:
-    host: authelia.example.com
-    tls: true
-    # Redirect to local Authelia instance. Alternatively, specify container service if it's running in a Docker container.
-    redirect: "http://172.22.0.2:9091"
-
-  # 2. Proxy the service you want to protect with Authelia.
-  protected:
-    host: protected.example.com
-    tls: true
-    redirect: "http://localhost:3000"
-    middlewares:
-      # Specify authForward middleware on the to-be-protected service.
-      authForward:
-        address: "https://authelia.example.com/api/verify?rd=https://authelia.example.com"
-        responseHeaders:
-          ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
-        xForwarded: true

integration/examples/middlewares/x-forward.yml

@@ -0,0 +1,9 @@
+# The xForward middleware is used to forward X-Forwarded-* headers to an upstream service.
+
+services:
+  secureService:
+    host: private.example.com
+    redirect: "http://172.3.2.1:4321"
+    middlewares:
+      xForward:
+        enable: true

integration/integration_test.go

@@ -228,7 +228,7 @@ services:
 	defer res.Body.Close()
 
 	if res.StatusCode != http.StatusForbidden {
-		t.Fatalf("expected status code %d, got %d", http.StatusOK, res.StatusCode)
+		t.Fatalf("expected status code %d, got %d", http.StatusForbidden, res.StatusCode)
 	}
 
 	if !authServerRan {
@@ -446,3 +446,29 @@ services:
 		t.Fatalf("expected status codes %v, got %v", expected, received)
 	}
 }
+
+func TestXForward(t *testing.T) {
+	server := NewMockServer(t, func(w http.ResponseWriter, r *http.Request) {
+		if r.Header.Get("X-Forwarded-Host") == "" {
+			t.Errorf("expected X-Forwarded-Host header to be set")
+		}
+		w.WriteHeader(http.StatusOK)
+	})
+
+	conf := fmt.Sprintf(`
+services:
+  server:
+    host: server.example.com
+    redirect: "%s"
+    middlewares:
+      xForward:
+        enable: true`, server.URL())
+	i := NewInstance(t, []byte(conf), nil)
+
+	res := i.RequestHost("server.example.com")
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		t.Fatalf("expected status code %d, got %d", http.StatusOK, res.StatusCode)
+	}
+}

middlewares/authforward.go

@@ -2,26 +2,9 @@ package middlewares
 
 import (
 	"log/slog"
-	"net"
 	"net/http"
 )
 
-const (
-	xForwardedFor    = "X-Forwarded-For"
-	xForwardedMethod = "X-Forwarded-Method"
-	xForwardedProto  = "X-Forwarded-Proto"
-	xForwardedHost   = "X-Forwarded-Host"
-	xForwardedURI    = "X-Forwarded-Uri"
-)
-
-var xForwardedHeaders = []string{
-	xForwardedFor,
-	xForwardedMethod,
-	xForwardedProto,
-	xForwardedHost,
-	xForwardedURI,
-}
-
 // AuthForward is a middleware that forwards the request to an authentication server and
 // proxies to the service if the authentication is successful.
 type AuthForward struct {
@@ -68,18 +51,7 @@ func (a *AuthForward) Handle(next http.Handler) http.Handler {
 		}
 
 		if a.XForwarded {
-			host, _, err := net.SplitHostPort(r.RemoteAddr)
-			if err == nil {
-				authReq.Header.Set(xForwardedFor, host)
-			}
-			authReq.Header.Set(xForwardedMethod, r.Method)
-			if r.TLS != nil {
-				authReq.Header.Set(xForwardedProto, "https")
-			} else {
-				authReq.Header.Set(xForwardedProto, "http")
-			}
-			authReq.Header.Set(xForwardedHost, r.Host)
-			authReq.Header.Set(xForwardedURI, r.RequestURI)
+			xForward(authReq, *r)
 		} else {
 			for _, header := range xForwardedHeaders {
 				authReq.Header.Del(header)

middlewares/middleware.go

@@ -10,6 +10,7 @@ import (
 type Middlewares struct {
 	IPAllow     *IPAllow     `yaml:"ipAllow"`
 	AuthForward *AuthForward `yaml:"authForward"`
+	XForward    *XForward    `yaml:"xForward"`
 }
 
 // List returns a list of middlewares that are not nil.

middlewares/xforward.go

@@ -0,0 +1,63 @@
+package middlewares
+
+import (
+	"log/slog"
+	"net"
+	"net/http"
+)
+
+const (
+	xForwardedFor    = "X-Forwarded-For"
+	xForwardedMethod = "X-Forwarded-Method"
+	xForwardedProto  = "X-Forwarded-Proto"
+	xForwardedHost   = "X-Forwarded-Host"
+	xForwardedURI    = "X-Forwarded-Uri"
+)
+
+var xForwardedHeaders = []string{
+	xForwardedFor,
+	xForwardedMethod,
+	xForwardedProto,
+	xForwardedHost,
+	xForwardedURI,
+}
+
+// XForward is a middleware that adds X-Forwarded headers to the request.
+type XForward struct {
+	Enable bool `yaml:"enable"`
+}
+
+func xForward(newReq *http.Request, r http.Request) {
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err == nil {
+		newReq.Header.Set(xForwardedFor, host)
+	}
+	newReq.Header.Set(xForwardedMethod, r.Method)
+	if r.TLS != nil {
+		newReq.Header.Set(xForwardedProto, "https")
+	} else {
+		newReq.Header.Set(xForwardedProto, "http")
+	}
+	newReq.Header.Set(xForwardedHost, r.Host)
+	newReq.Header.Set(xForwardedURI, r.RequestURI)
+}
+
+// Handle adds X-Forwarded headers to the request.
+func (x *XForward) Handle(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		logger := slog.Default().With(
+			slog.String("host", r.Host),
+			slog.Any("xForward", x))
+
+		if !x.Enable {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		xForward(r, *r)
+
+		logger.Debug("Added X-Forwarded headers")
+
+		next.ServeHTTP(w, r)
+	})
+}

middlewares/xforward_test.go

@@ -0,0 +1,53 @@
+package middlewares
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+func TestXForwardDisable(t *testing.T) {
+	x := XForward{
+		Enable: false,
+	}
+
+	server := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for _, header := range xForwardedHeaders {
+			if r.Header.Get(header) != "" {
+				t.Errorf("expected empty header %s, got %s", header, r.Header.Get(header))
+			}
+		}
+	})
+
+	handler := x.Handle(server)
+
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil)
+	handler.ServeHTTP(w, r)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected %d, got %d", http.StatusOK, w.Code)
+	}
+}
+
+func TestXForwardEnable(t *testing.T) {
+	x := XForward{
+		Enable: true,
+	}
+
+	server := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		for _, header := range xForwardedHeaders {
+			if r.Header.Get(header) == "" {
+				t.Errorf("expected non-empty header %s", header)
+			}
+		}
+	})
+
+	handler := x.Handle(server)
+
+	w, r := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/", nil)
+	handler.ServeHTTP(w, r)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected %d, got %d", http.StatusOK, w.Code)
+	}
+}