add --proxy-host-header option
This commit is contained in:
parent
24ef555547
commit
263e16eeea
@ -72,6 +72,7 @@ Usage of google_auth_proxy:
|
||||
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
|
||||
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
|
||||
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
|
||||
-pass-host-header=true: pass the request Host Header to upstream
|
||||
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
|
||||
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
|
||||
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
|
||||
|
@ -14,6 +14,9 @@
|
||||
|
||||
## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
|
||||
# pass_basic_auth = true
|
||||
## pass the request Host Header to upstream
|
||||
## when disabled the upstream Host is used as the Host Header
|
||||
# pass_host_header = true
|
||||
|
||||
## Google Apps Domains to allow authentication for
|
||||
# google_apps_domains = [
|
||||
|
1
main.go
1
main.go
@ -29,6 +29,7 @@ func main() {
|
||||
flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
|
||||
flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint. If multiple, routing is based on path")
|
||||
flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
|
||||
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
|
||||
flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
|
||||
|
||||
flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
|
||||
|
@ -47,13 +47,14 @@ type OauthProxy struct {
|
||||
}
|
||||
|
||||
func NewReverseProxy(target *url.URL) (proxy *httputil.ReverseProxy) {
|
||||
proxy = httputil.NewSingleHostReverseProxy(target)
|
||||
return httputil.NewSingleHostReverseProxy(target)
|
||||
}
|
||||
func setProxyUpstreamHostHeader(proxy *httputil.ReverseProxy, target *url.URL) {
|
||||
director := proxy.Director
|
||||
proxy.Director = func(req *http.Request) {
|
||||
director(req)
|
||||
req.Host = target.Host
|
||||
}
|
||||
return proxy
|
||||
}
|
||||
|
||||
func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
|
||||
@ -64,7 +65,11 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
|
||||
path := u.Path
|
||||
u.Path = ""
|
||||
log.Printf("mapping path %q => upstream %q", path, u)
|
||||
serveMux.Handle(path, NewReverseProxy(u))
|
||||
proxy := NewReverseProxy(u)
|
||||
if !opts.PassHostHeader {
|
||||
setProxyUpstreamHostHeader(proxy, u)
|
||||
}
|
||||
serveMux.Handle(path, proxy)
|
||||
}
|
||||
for _, u := range opts.CompiledRegex {
|
||||
log.Printf("compiled skip-auth-regex => %q", u)
|
||||
|
@ -24,6 +24,7 @@ func TestNewReverseProxy(t *testing.T) {
|
||||
proxyURL, _ := url.Parse(backendURL.Scheme + "://" + backendHost + "/")
|
||||
|
||||
proxyHandler := NewReverseProxy(proxyURL)
|
||||
setProxyUpstreamHostHeader(proxyHandler, proxyURL)
|
||||
frontend := httptest.NewServer(proxyHandler)
|
||||
defer frontend.Close()
|
||||
|
||||
|
13
options.go
13
options.go
@ -14,18 +14,22 @@ type Options struct {
|
||||
RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"`
|
||||
ClientID string `flag:"client-id" cfg:"client_id" env:"GOOGLE_AUTH_PROXY_CLIENT_ID"`
|
||||
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"GOOGLE_AUTH_PROXY_CLIENT_SECRET"`
|
||||
PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
|
||||
|
||||
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
||||
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
|
||||
HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`
|
||||
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
|
||||
|
||||
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
|
||||
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
|
||||
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
|
||||
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"`
|
||||
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
||||
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
||||
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
|
||||
|
||||
Upstreams []string `flag:"upstream" cfg:"upstreams"`
|
||||
SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
|
||||
PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
|
||||
PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
|
||||
|
||||
// internal values that are set after config validation
|
||||
redirectUrl *url.URL
|
||||
@ -39,8 +43,9 @@ func NewOptions() *Options {
|
||||
DisplayHtpasswdForm: true,
|
||||
CookieHttpsOnly: true,
|
||||
CookieHttpOnly: true,
|
||||
PassBasicAuth: true,
|
||||
CookieExpire: time.Duration(168) * time.Hour,
|
||||
PassBasicAuth: true,
|
||||
PassHostHeader: true,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1,14 +1,14 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"net/url"
|
||||
"strings"
|
||||
"testing"
|
||||
"net/url"
|
||||
|
||||
"github.com/bmizerany/assert"
|
||||
)
|
||||
|
||||
func testOptions() (*Options) {
|
||||
func testOptions() *Options {
|
||||
o := NewOptions()
|
||||
o.Upstreams = append(o.Upstreams, "http://127.0.0.1:8080/")
|
||||
o.CookieSecret = "foobar"
|
||||
@ -17,7 +17,7 @@ func testOptions() (*Options) {
|
||||
return o
|
||||
}
|
||||
|
||||
func errorMsg(msgs []string)(string) {
|
||||
func errorMsg(msgs []string) string {
|
||||
result := make([]string, 0)
|
||||
result = append(result, "Invalid configuration:")
|
||||
result = append(result, msgs...)
|
||||
|
Loading…
Reference in New Issue
Block a user