providers/proxy: envoy v2 (#3029)
* add path prefix Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * use prefix correctly Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * only set redirect if session doesn't have a redirect yet Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L
@ -136,7 +136,6 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
|
|||||||
"type": "app",
|
"type": "app",
|
||||||
"method": r.Method,
|
"method": r.Method,
|
||||||
"host": web.GetHost(r),
|
"host": web.GetHost(r),
|
||||||
"scheme": r.URL.Scheme,
|
|
||||||
}).Observe(float64(after))
|
}).Observe(float64(after))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|||||||
@ -11,6 +11,10 @@ import (
|
|||||||
"goauthentik.io/internal/utils/web"
|
"goauthentik.io/internal/utils/web"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
envoyPrefix = "/outpost.goauthentik.io/auth/envoy"
|
||||||
|
)
|
||||||
|
|
||||||
func (a *Application) configureForward() error {
|
func (a *Application) configureForward() error {
|
||||||
a.mux.HandleFunc("/outpost.goauthentik.io/auth", func(rw http.ResponseWriter, r *http.Request) {
|
a.mux.HandleFunc("/outpost.goauthentik.io/auth", func(rw http.ResponseWriter, r *http.Request) {
|
||||||
if _, ok := r.URL.Query()["traefik"]; ok {
|
if _, ok := r.URL.Query()["traefik"]; ok {
|
||||||
@ -21,7 +25,7 @@ func (a *Application) configureForward() error {
|
|||||||
})
|
})
|
||||||
a.mux.HandleFunc("/outpost.goauthentik.io/auth/traefik", a.forwardHandleTraefik)
|
a.mux.HandleFunc("/outpost.goauthentik.io/auth/traefik", a.forwardHandleTraefik)
|
||||||
a.mux.HandleFunc("/outpost.goauthentik.io/auth/nginx", a.forwardHandleNginx)
|
a.mux.HandleFunc("/outpost.goauthentik.io/auth/nginx", a.forwardHandleNginx)
|
||||||
a.mux.PathPrefix("/").HandlerFunc(a.forwardHandleEnvoy)
|
a.mux.PathPrefix(envoyPrefix).HandlerFunc(a.forwardHandleEnvoy)
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -130,6 +134,7 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
|
|||||||
|
|
||||||
func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) {
|
func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) {
|
||||||
a.log.WithField("header", r.Header).Trace("tracing headers for debug")
|
a.log.WithField("header", r.Header).Trace("tracing headers for debug")
|
||||||
|
r.URL.Path = strings.TrimPrefix(r.URL.Path, envoyPrefix)
|
||||||
fwd := r.URL
|
fwd := r.URL
|
||||||
|
|
||||||
claims, err := a.getClaims(r)
|
claims, err := a.getClaims(r)
|
||||||
@ -163,18 +168,14 @@ func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request
|
|||||||
// to a (possibly) different domain, but we want to be redirected back
|
// to a (possibly) different domain, but we want to be redirected back
|
||||||
// to the application
|
// to the application
|
||||||
// X-Forwarded-Uri is only the path, so we need to build the entire URL
|
// X-Forwarded-Uri is only the path, so we need to build the entire URL
|
||||||
|
if _, redirectSet := s.Values[constants.SessionRedirect]; !redirectSet {
|
||||||
s.Values[constants.SessionRedirect] = fwd.String()
|
s.Values[constants.SessionRedirect] = fwd.String()
|
||||||
err = s.Save(r, rw)
|
err = s.Save(r, rw)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
a.log.WithError(err).Warning("failed to save session before redirect")
|
a.log.WithError(err).Warning("failed to save session before redirect")
|
||||||
}
|
}
|
||||||
// We mostly can't rely on X-Forwarded-Proto here since in most cases that will come from the
|
|
||||||
// local Envoy sidecar, so we re-used the same proto as the original URL had
|
|
||||||
scheme := r.Header.Get("X-Forwarded-Proto")
|
|
||||||
if scheme == "" {
|
|
||||||
scheme = "http:"
|
|
||||||
}
|
}
|
||||||
rdFinal := fmt.Sprintf("%s//%s%s", scheme, host, "/outpost.goauthentik.io/start")
|
rdFinal := fmt.Sprintf("//%s%s", host, "/outpost.goauthentik.io/start")
|
||||||
a.log.WithField("url", rdFinal).Debug("Redirecting to login")
|
a.log.WithField("url", rdFinal).Debug("Redirecting to login")
|
||||||
http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect)
|
http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -29,7 +29,7 @@ func TestForwardHandleEnvoy_Single_Headers(t *testing.T) {
|
|||||||
|
|
||||||
assert.Equal(t, rr.Code, http.StatusTemporaryRedirect)
|
assert.Equal(t, rr.Code, http.StatusTemporaryRedirect)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, loc.String(), "http://test.goauthentik.io/outpost.goauthentik.io/start")
|
assert.Equal(t, loc.String(), "//test.goauthentik.io/outpost.goauthentik.io/start")
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SessionName)
|
s, _ := a.sessions.Get(req, constants.SessionName)
|
||||||
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
||||||
@ -91,7 +91,7 @@ func TestForwardHandleEnvoy_Domain_Header(t *testing.T) {
|
|||||||
|
|
||||||
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
|
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
|
||||||
loc, _ := rr.Result().Location()
|
loc, _ := rr.Result().Location()
|
||||||
assert.Equal(t, "http://auth.test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
|
assert.Equal(t, "//auth.test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
|
||||||
|
|
||||||
s, _ := a.sessions.Get(req, constants.SessionName)
|
s, _ := a.sessions.Get(req, constants.SessionName)
|
||||||
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
|
||||||
|
|||||||
@ -15,7 +15,7 @@ var (
|
|||||||
Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
||||||
Name: "authentik_outpost_proxy_requests",
|
Name: "authentik_outpost_proxy_requests",
|
||||||
Help: "The total number of configured providers",
|
Help: "The total number of configured providers",
|
||||||
}, []string{"outpost_name", "method", "scheme", "host", "type"})
|
}, []string{"outpost_name", "method", "host", "type"})
|
||||||
UpstreamTiming = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
UpstreamTiming = promauto.NewHistogramVec(prometheus.HistogramOpts{
|
||||||
Name: "authentik_outpost_proxy_upstream_time",
|
Name: "authentik_outpost_proxy_upstream_time",
|
||||||
Help: "A summary of the duration we wait for the upstream reply",
|
Help: "A summary of the duration we wait for the upstream reply",
|
||||||
|
|||||||
@ -14,6 +14,7 @@ spec:
|
|||||||
# Replace with <service-name>.<namespace>.svc.cluster.local
|
# Replace with <service-name>.<namespace>.svc.cluster.local
|
||||||
service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"
|
service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"
|
||||||
port: "9000"
|
port: "9000"
|
||||||
|
pathPrefix: "/outpost.goauthentik.io/auth/envoy"
|
||||||
headersToDownstreamOnAllow:
|
headersToDownstreamOnAllow:
|
||||||
- cookie
|
- cookie
|
||||||
headersToUpstreamOnAllow:
|
headersToUpstreamOnAllow:
|
||||||
|
|||||||
Reference in New Issue
Block a user