From 1dce408c7238999dee682786f91409e60ff6d631 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 24 Jan 2022 09:30:33 +0100
Subject: [PATCH] internal/proxyv2: only allow access to /akprox in nginx mode when forward url could be extracted
Signed-off-by: Jens Langhammer
---
 internal/outpost/proxyv2/application/mode_forward.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/internal/outpost/proxyv2/application/mode_forward.go b/internal/outpost/proxyv2/application/mode_forward.go
index 7434c0ec6..4c7887b89 100644
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@@ -80,9 +80,12 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
 a.log.Trace("path can be accessed without authentication")
 return
 }
- if strings.HasPrefix(a.getTraefikForwardUrl(r).Path, "/akprox") {
- a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
- return
+ fwu := a.getTraefikForwardUrl(r)
+ if fwu.String() != r.URL.String() {
+ if strings.HasPrefix(fwu.Path, "/akprox") {
+ a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
+ return
+ }
 }
 http.Error(rw, "unauthorized request", http.StatusUnauthorized)
 }
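Review bot: The `fwu.String() != r.URL.String()` guard treats string inequality as proof that a forward URL was extracted, which holds only if `getTraefikForwardUrl` returns `r.URL` when it cannot build one. That helper is outside the hunk, so the assumption deserves a comment here, or better, an explicit ok/error result from the helper instead of a sentinel comparison. The inner `strings.HasPrefix(fwu.Path, "/akprox")` has no path-segment boundary, so any forwarded path that merely starts with those characters is allowed without authentication; `fwu.Path == "/akprox" || strings.HasPrefix(fwu.Path, "/akprox/")` would be tighter. Because this branch grants access without a session based on a URL presumably derived from request headers, the deployment notes should state that the fronting nginx must always overwrite those headers. The body of forwardHandleNginx starts above the hunk, so earlier checks are not visible here.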