2021-05-02 22:49:16 +00:00
|
|
|
package web
|
|
|
|
|
|
|
|
import (
|
2022-02-09 11:33:37 +00:00
|
|
|
"encoding/json"
|
2023-09-02 15:58:37 +00:00
|
|
|
"errors"
|
2021-07-29 09:30:30 +00:00
|
|
|
"fmt"
|
2021-05-04 16:14:25 +00:00
|
|
|
"net/http"
|
2021-05-02 22:49:16 +00:00
|
|
|
"net/http/httputil"
|
2021-09-09 13:52:24 +00:00
|
|
|
"time"
|
2021-07-29 09:30:30 +00:00
|
|
|
|
2021-09-09 13:52:24 +00:00
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
2022-06-16 09:32:21 +00:00
|
|
|
"goauthentik.io/internal/utils/sentry"
|
2021-05-02 22:49:16 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func (ws *WebServer) configureProxy() {
|
|
|
|
// Reverse proxy to the application server
|
2021-05-20 22:03:02 +00:00
|
|
|
director := func(req *http.Request) {
|
2023-09-02 15:58:37 +00:00
|
|
|
req.URL.Scheme = ws.ul.Scheme
|
|
|
|
req.URL.Host = ws.ul.Host
|
2021-05-20 22:03:02 +00:00
|
|
|
if _, ok := req.Header["User-Agent"]; !ok {
|
|
|
|
// explicitly disable User-Agent so it's not set to default value
|
|
|
|
req.Header.Set("User-Agent", "")
|
|
|
|
}
|
|
|
|
if req.TLS != nil {
|
|
|
|
req.Header.Set("X-Forwarded-Proto", "https")
|
|
|
|
}
|
2022-02-09 11:48:17 +00:00
|
|
|
ws.log.WithField("url", req.URL.String()).WithField("headers", req.Header).Trace("tracing request to backend")
|
2021-05-20 22:03:02 +00:00
|
|
|
}
|
2023-09-02 15:58:37 +00:00
|
|
|
rp := &httputil.ReverseProxy{
|
|
|
|
Director: director,
|
|
|
|
Transport: ws.upstreamHttpClient().Transport,
|
|
|
|
}
|
2021-05-04 16:14:25 +00:00
|
|
|
rp.ErrorHandler = ws.proxyErrorHandler
|
2021-05-04 16:45:28 +00:00
|
|
|
rp.ModifyResponse = ws.proxyModifyResponse
|
2022-02-08 19:25:38 +00:00
|
|
|
ws.m.PathPrefix("/outpost.goauthentik.io").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
2021-07-29 09:30:30 +00:00
|
|
|
if ws.ProxyServer != nil {
|
2021-09-09 13:52:24 +00:00
|
|
|
before := time.Now()
|
2021-09-08 18:04:56 +00:00
|
|
|
ws.ProxyServer.Handle(rw, r)
|
2023-07-27 16:51:08 +00:00
|
|
|
elapsed := time.Since(before)
|
2021-09-09 13:52:24 +00:00
|
|
|
Requests.With(prometheus.Labels{
|
|
|
|
"dest": "embedded_outpost",
|
2023-07-27 16:51:08 +00:00
|
|
|
}).Observe(float64(elapsed) / float64(time.Second))
|
|
|
|
RequestsLegacy.With(prometheus.Labels{
|
|
|
|
"dest": "embedded_outpost",
|
|
|
|
}).Observe(float64(elapsed))
|
2021-07-29 09:30:30 +00:00
|
|
|
return
|
|
|
|
}
|
2023-09-02 15:58:37 +00:00
|
|
|
ws.proxyErrorHandler(rw, r, errors.New("proxy not running"))
|
2021-07-29 09:30:30 +00:00
|
|
|
})
|
2022-06-16 15:05:27 +00:00
|
|
|
ws.m.Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
|
2021-10-12 16:44:08 +00:00
|
|
|
rw.WriteHeader(204)
|
2022-06-16 15:05:27 +00:00
|
|
|
}))
|
|
|
|
ws.m.PathPrefix("/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
|
2023-09-02 15:58:37 +00:00
|
|
|
if !ws.g.IsRunning() {
|
|
|
|
ws.proxyErrorHandler(rw, r, errors.New("authentik starting"))
|
2021-10-05 20:19:33 +00:00
|
|
|
return
|
|
|
|
}
|
2021-09-09 13:52:24 +00:00
|
|
|
before := time.Now()
|
2021-07-29 09:30:30 +00:00
|
|
|
if ws.ProxyServer != nil {
|
2022-08-18 18:43:01 +00:00
|
|
|
if ws.ProxyServer.HandleHost(rw, r) {
|
2023-07-27 16:51:08 +00:00
|
|
|
elapsed := time.Since(before)
|
2021-09-09 13:52:24 +00:00
|
|
|
Requests.With(prometheus.Labels{
|
|
|
|
"dest": "embedded_outpost",
|
2023-07-27 16:51:08 +00:00
|
|
|
}).Observe(float64(elapsed) / float64(time.Second))
|
|
|
|
RequestsLegacy.With(prometheus.Labels{
|
|
|
|
"dest": "embedded_outpost",
|
|
|
|
}).Observe(float64(elapsed))
|
2021-09-08 18:04:56 +00:00
|
|
|
return
|
2021-07-29 09:30:30 +00:00
|
|
|
}
|
|
|
|
}
|
2023-07-27 16:51:08 +00:00
|
|
|
elapsed := time.Since(before)
|
2021-09-09 13:52:24 +00:00
|
|
|
Requests.With(prometheus.Labels{
|
2023-02-19 16:08:40 +00:00
|
|
|
"dest": "core",
|
2023-07-27 16:51:08 +00:00
|
|
|
}).Observe(float64(elapsed) / float64(time.Second))
|
|
|
|
RequestsLegacy.With(prometheus.Labels{
|
|
|
|
"dest": "core",
|
|
|
|
}).Observe(float64(elapsed))
|
2022-10-17 16:52:12 +00:00
|
|
|
r.Body = http.MaxBytesReader(rw, r.Body, 32*1024*1024)
|
2021-07-29 09:30:30 +00:00
|
|
|
rp.ServeHTTP(rw, r)
|
2022-06-16 15:05:27 +00:00
|
|
|
}))
|
2021-05-02 22:49:16 +00:00
|
|
|
}
|
2021-05-04 16:14:25 +00:00
|
|
|
|
|
|
|
func (ws *WebServer) proxyErrorHandler(rw http.ResponseWriter, req *http.Request, err error) {
|
2022-02-09 11:48:17 +00:00
|
|
|
ws.log.WithError(err).Warning("failed to proxy to backend")
|
2021-05-04 16:14:25 +00:00
|
|
|
rw.WriteHeader(http.StatusBadGateway)
|
2022-02-09 11:33:37 +00:00
|
|
|
em := fmt.Sprintf("failed to connect to authentik backend: %v", err)
|
|
|
|
// return json if the client asks for json
|
|
|
|
if req.Header.Get("Accept") == "application/json" {
|
2023-09-02 15:58:37 +00:00
|
|
|
err = json.NewEncoder(rw).Encode(map[string]string{
|
2022-02-09 11:33:37 +00:00
|
|
|
"error": em,
|
|
|
|
})
|
2023-09-02 15:58:37 +00:00
|
|
|
} else {
|
|
|
|
_, err = rw.Write([]byte(em))
|
2022-02-09 11:33:37 +00:00
|
|
|
}
|
2021-10-05 20:19:33 +00:00
|
|
|
if err != nil {
|
|
|
|
ws.log.WithError(err).Warning("failed to write error message")
|
|
|
|
}
|
2021-05-04 16:14:25 +00:00
|
|
|
}
|
2021-05-04 16:45:28 +00:00
|
|
|
|
|
|
|
func (ws *WebServer) proxyModifyResponse(r *http.Response) error {
|
2022-01-24 21:05:11 +00:00
|
|
|
r.Header.Set("X-Powered-By", "authentik")
|
2022-02-09 11:38:47 +00:00
|
|
|
r.Header.Del("Server")
|
2021-05-04 16:45:28 +00:00
|
|
|
return nil
|
|
|
|
}
|