outposts/proxy: add initial redirect-loop prevention
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
cac5c7b3ea
commit
eca2ef20d0
|
@ -54,10 +54,24 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
|
||||||
r.Header.Get("X-Forwarded-Host"),
|
r.Header.Get("X-Forwarded-Host"),
|
||||||
r.Header.Get("X-Forwarded-Uri"),
|
r.Header.Get("X-Forwarded-Uri"),
|
||||||
)
|
)
|
||||||
|
if r.Header.Get("X-Forwarded-Uri") == "/akprox/start" {
|
||||||
|
a.log.Info("Detected potential redirect loop")
|
||||||
|
if val, ok := s.Values[constants.SessionLoopDetection]; !ok {
|
||||||
|
s.Values[constants.SessionLoopDetection] = 1
|
||||||
|
} else {
|
||||||
|
s.Values[constants.SessionLoopDetection] = val.(int) + 1
|
||||||
|
if val.(int) > 10 {
|
||||||
|
a.log.Error("Stopped redirect loop")
|
||||||
|
rw.WriteHeader(http.StatusBadRequest)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
err = s.Save(r, rw)
|
err = s.Save(r, rw)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
a.log.WithError(err).Warning("failed to save session before redirect")
|
a.log.WithError(err).Warning("failed to save session before redirect")
|
||||||
}
|
}
|
||||||
|
|
||||||
proto := r.Header.Get("X-Forwarded-Proto")
|
proto := r.Header.Get("X-Forwarded-Proto")
|
||||||
if proto != "" {
|
if proto != "" {
|
||||||
proto = proto + ":"
|
proto = proto + ":"
|
||||||
|
|
|
@ -6,3 +6,4 @@ const SessionOAuthState = "oauth_state"
|
||||||
const SessionClaims = "claims"
|
const SessionClaims = "claims"
|
||||||
|
|
||||||
const SessionRedirect = "redirect"
|
const SessionRedirect = "redirect"
|
||||||
|
const SessionLoopDetection = "loop_detection"
|
||||||
|
|
Reference in New Issue