outposts/proxy: add initial redirect-loop prevention

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-12-20 22:21:53 +01:00
parent cac5c7b3ea
commit eca2ef20d0
2 changed files with 15 additions and 0 deletions

View File

@ -54,10 +54,24 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
r.Header.Get("X-Forwarded-Host"), r.Header.Get("X-Forwarded-Host"),
r.Header.Get("X-Forwarded-Uri"), r.Header.Get("X-Forwarded-Uri"),
) )
if r.Header.Get("X-Forwarded-Uri") == "/akprox/start" {
a.log.Info("Detected potential redirect loop")
if val, ok := s.Values[constants.SessionLoopDetection]; !ok {
s.Values[constants.SessionLoopDetection] = 1
} else {
s.Values[constants.SessionLoopDetection] = val.(int) + 1
if val.(int) > 10 {
a.log.Error("Stopped redirect loop")
rw.WriteHeader(http.StatusBadRequest)
return
}
}
}
err = s.Save(r, rw) err = s.Save(r, rw)
if err != nil { if err != nil {
a.log.WithError(err).Warning("failed to save session before redirect") a.log.WithError(err).Warning("failed to save session before redirect")
} }
proto := r.Header.Get("X-Forwarded-Proto") proto := r.Header.Get("X-Forwarded-Proto")
if proto != "" { if proto != "" {
proto = proto + ":" proto = proto + ":"

View File

@ -6,3 +6,4 @@ const SessionOAuthState = "oauth_state"
const SessionClaims = "claims" const SessionClaims = "claims"
const SessionRedirect = "redirect" const SessionRedirect = "redirect"
const SessionLoopDetection = "loop_detection"