2021-09-08 18:04:56 +00:00
|
|
|
package proxyv2
|
|
|
|
|
|
|
|
import (
|
2021-11-13 21:44:52 +00:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2021-09-08 18:04:56 +00:00
|
|
|
"net/http"
|
2021-11-10 16:16:13 +00:00
|
|
|
"strings"
|
2021-09-08 18:04:56 +00:00
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
2022-02-01 09:14:46 +00:00
|
|
|
"goauthentik.io/api"
|
2022-01-18 22:19:43 +00:00
|
|
|
"goauthentik.io/internal/outpost/proxyv2/application"
|
2021-09-08 18:04:56 +00:00
|
|
|
"goauthentik.io/internal/outpost/proxyv2/metrics"
|
|
|
|
"goauthentik.io/internal/utils/web"
|
2021-12-17 19:49:32 +00:00
|
|
|
staticWeb "goauthentik.io/web"
|
2021-09-08 18:04:56 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func (ps *ProxyServer) HandlePing(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
before := time.Now()
|
|
|
|
rw.WriteHeader(204)
|
|
|
|
after := time.Since(before)
|
|
|
|
metrics.Requests.With(prometheus.Labels{
|
2021-09-16 08:03:31 +00:00
|
|
|
"outpost_name": ps.akAPI.Outpost.Name,
|
|
|
|
"method": r.Method,
|
2021-11-10 16:16:13 +00:00
|
|
|
"scheme": r.URL.Scheme,
|
2021-09-16 08:03:31 +00:00
|
|
|
"path": r.URL.Path,
|
|
|
|
"host": web.GetHost(r),
|
|
|
|
"type": "ping",
|
|
|
|
"user": "",
|
2021-09-08 18:04:56 +00:00
|
|
|
}).Observe(float64(after))
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ps *ProxyServer) HandleStatic(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
before := time.Now()
|
2022-02-08 19:25:38 +00:00
|
|
|
web.DisableIndex(http.StripPrefix("/outpost.goauthentik.io/static/dist", staticWeb.StaticHandler)).ServeHTTP(rw, r)
|
2021-09-08 18:04:56 +00:00
|
|
|
after := time.Since(before)
|
|
|
|
metrics.Requests.With(prometheus.Labels{
|
2021-09-16 08:03:31 +00:00
|
|
|
"outpost_name": ps.akAPI.Outpost.Name,
|
|
|
|
"method": r.Method,
|
2021-11-10 16:16:13 +00:00
|
|
|
"scheme": r.URL.Scheme,
|
2021-09-16 08:03:31 +00:00
|
|
|
"path": r.URL.Path,
|
|
|
|
"host": web.GetHost(r),
|
|
|
|
"type": "ping",
|
|
|
|
"user": "",
|
2021-09-08 18:04:56 +00:00
|
|
|
}).Observe(float64(after))
|
|
|
|
}
|
|
|
|
|
2022-01-18 22:19:43 +00:00
|
|
|
func (ps *ProxyServer) lookupApp(r *http.Request) (*application.Application, string) {
|
|
|
|
host := web.GetHost(r)
|
|
|
|
// Try to find application by directly looking up host first (proxy, forward_auth_single)
|
|
|
|
a, ok := ps.apps[host]
|
|
|
|
if ok {
|
2022-01-19 18:01:24 +00:00
|
|
|
ps.log.WithField("host", host).WithField("app", a.ProxyConfig().Name).Debug("Found app based direct host match")
|
2022-01-18 22:19:43 +00:00
|
|
|
return a, host
|
|
|
|
}
|
|
|
|
// For forward_auth_domain, we don't have a direct app to domain relationship
|
|
|
|
// Check through all apps, and check how much of their cookie domain matches the host
|
|
|
|
// Return the application that has the longest match
|
|
|
|
var longestMatch *application.Application
|
|
|
|
longestMatchLength := 0
|
|
|
|
for _, app := range ps.apps {
|
2022-02-01 09:14:46 +00:00
|
|
|
if app.Mode() != api.PROXYMODE_FORWARD_DOMAIN {
|
|
|
|
continue
|
|
|
|
}
|
2022-01-18 22:19:43 +00:00
|
|
|
// Check if the cookie domain has a leading period for a wildcard
|
|
|
|
// This will decrease the weight of a wildcard domain, but a request to example.com
|
|
|
|
// with the cookie domain set to example.com will still be routed correctly.
|
|
|
|
cd := strings.TrimPrefix(*app.ProxyConfig().CookieDomain, ".")
|
|
|
|
if !strings.HasSuffix(host, cd) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if len(cd) < longestMatchLength {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
longestMatch = app
|
|
|
|
longestMatchLength = len(cd)
|
2022-02-01 09:14:46 +00:00
|
|
|
// Also for forward_auth_domain, we need to respond on the external domain
|
|
|
|
if app.ProxyConfig().ExternalHost == host {
|
|
|
|
ps.log.WithField("host", host).WithField("app", app.ProxyConfig().Name).Debug("Found app based on external_host")
|
|
|
|
return app, host
|
|
|
|
}
|
2022-01-18 22:19:43 +00:00
|
|
|
}
|
|
|
|
// Check if our longes match is 0, in which case we didn't match, so we
|
|
|
|
// manually return no app
|
|
|
|
if longestMatchLength == 0 {
|
|
|
|
return nil, host
|
|
|
|
}
|
2022-01-19 18:01:24 +00:00
|
|
|
ps.log.WithField("host", host).WithField("app", longestMatch.ProxyConfig().Name).Debug("Found app based on cookie domain")
|
2022-01-18 22:19:43 +00:00
|
|
|
return longestMatch, host
|
|
|
|
}
|
|
|
|
|
2021-09-08 18:04:56 +00:00
|
|
|
func (ps *ProxyServer) Handle(rw http.ResponseWriter, r *http.Request) {
|
2022-02-08 19:25:38 +00:00
|
|
|
if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io/static") {
|
2021-11-10 16:16:13 +00:00
|
|
|
ps.HandleStatic(rw, r)
|
|
|
|
return
|
|
|
|
}
|
2022-02-08 19:25:38 +00:00
|
|
|
if strings.HasPrefix(r.URL.Path, "/outpost.goauthentik.io/ping") {
|
2021-12-20 21:12:02 +00:00
|
|
|
ps.HandlePing(rw, r)
|
|
|
|
return
|
|
|
|
}
|
2022-01-18 22:19:43 +00:00
|
|
|
a, host := ps.lookupApp(r)
|
|
|
|
if a == nil {
|
2021-09-24 21:32:16 +00:00
|
|
|
// If we only have one handler, host name switching doesn't matter
|
|
|
|
if len(ps.apps) == 1 {
|
2021-11-19 09:50:56 +00:00
|
|
|
ps.log.WithField("host", host).Trace("passing to single app mux")
|
2021-09-24 21:32:16 +00:00
|
|
|
for k := range ps.apps {
|
|
|
|
ps.apps[k].ServeHTTP(rw, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-09-08 18:04:56 +00:00
|
|
|
ps.log.WithField("host", host).Warning("no app for hostname")
|
2021-11-13 21:44:52 +00:00
|
|
|
|
|
|
|
rw.Header().Set("Content-Type", "application/json")
|
|
|
|
rw.WriteHeader(http.StatusBadRequest)
|
|
|
|
j := json.NewEncoder(rw)
|
|
|
|
j.SetIndent("", "\t")
|
|
|
|
err := j.Encode(struct {
|
|
|
|
Message string
|
|
|
|
Host string
|
|
|
|
Detail string
|
|
|
|
}{
|
|
|
|
Message: "no app for hostname",
|
|
|
|
Host: host,
|
|
|
|
Detail: fmt.Sprintf("Check the outpost settings and make sure '%s' is included.", host),
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
ps.log.WithError(err).Warning("Failed to write error body")
|
|
|
|
}
|
2021-09-08 18:04:56 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
ps.log.WithField("host", host).Trace("passing to application mux")
|
|
|
|
a.ServeHTTP(rw, r)
|
|
|
|
}
|