outposts/proxy: clean up header setting (don't copy all headers)

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

internal/outpost/proxyv2/application/mode_common.go

@@ -7,22 +7,22 @@ import (
 	"strings"
 )
 
-func (a *Application) addHeaders(r *http.Request, c *Claims) {
+func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	// https://goauthentik.io/docs/providers/proxy/proxy
 
 	// Legacy headers, remove after 2022.1
-	r.Header.Set("X-Auth-Username", c.PreferredUsername)
+	headers.Set("X-Auth-Username", c.PreferredUsername)
-	r.Header.Set("X-Auth-Groups", strings.Join(c.Groups, "|"))
+	headers.Set("X-Auth-Groups", strings.Join(c.Groups, "|"))
-	r.Header.Set("X-Forwarded-Email", c.Email)
+	headers.Set("X-Forwarded-Email", c.Email)
-	r.Header.Set("X-Forwarded-Preferred-Username", c.PreferredUsername)
+	headers.Set("X-Forwarded-Preferred-Username", c.PreferredUsername)
-	r.Header.Set("X-Forwarded-User", c.Sub)
+	headers.Set("X-Forwarded-User", c.Sub)
 
 	// New headers, unique prefix
-	r.Header.Set("X-authentik-username", c.PreferredUsername)
+	headers.Set("X-authentik-username", c.PreferredUsername)
-	r.Header.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
+	headers.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
-	r.Header.Set("X-authentik-email", c.Email)
+	headers.Set("X-authentik-email", c.Email)
-	r.Header.Set("X-authentik-name", c.Name)
+	headers.Set("X-authentik-name", c.Name)
-	r.Header.Set("X-authentik-uid", c.Sub)
+	headers.Set("X-authentik-uid", c.Sub)
 
 	userAttributes := c.Proxy.UserAttributes
 	// Attempt to set basic auth based on user's attributes
@@ -39,7 +39,7 @@ func (a *Application) addHeaders(r *http.Request, c *Claims) {
 		}
 		authVal := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
 		a.log.WithField("username", username).Trace("setting http basic auth")
-		r.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
+		headers.Set("Authorization", fmt.Sprintf("Basic %s", authVal))
 	}
 	// Check if user has additional headers set that we should sent
 	if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
@@ -48,15 +48,7 @@ func (a *Application) addHeaders(r *http.Request, c *Claims) {
 			return
 		}
 		for key, value := range additionalHeaders {
-			r.Header.Set(key, toString(value))
+			headers.Set(key, toString(value))
-		}
-	}
-}
-
-func copyHeadersToResponse(rw http.ResponseWriter, r *http.Request) {
-	for headerKey, headers := range r.Header {
-		for _, value := range headers {
-			rw.Header().Set(headerKey, value)
 		}
 	}
 }

internal/outpost/proxyv2/application/mode_forward.go

@@ -26,8 +26,8 @@ func (a *Application) configureForward() error {
 func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Request) {
 	claims, err := a.getClaims(r)
 	if claims != nil && err == nil {
-		a.addHeaders(r, claims)
+		a.addHeaders(rw.Header(), claims)
-		copyHeadersToResponse(rw, r)
+		a.log.WithField("headers", rw.Header()).Trace("headers written to forward_auth")
 		return
 	} else if claims == nil && a.IsAllowlisted(r) {
 		a.log.Trace("path can be accessed without authentication")
@@ -69,9 +69,9 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request) {
 	claims, err := a.getClaims(r)
 	if claims != nil && err == nil {
-		a.addHeaders(r, claims)
+		a.addHeaders(rw.Header(), claims)
-		copyHeadersToResponse(rw, r)
 		rw.WriteHeader(200)
+		a.log.WithField("headers", rw.Header()).Trace("headers written to forward_auth")
 		return
 	} else if claims == nil && a.IsAllowlisted(r) {
 		a.log.Trace("path can be accessed without authentication")

internal/outpost/proxyv2/application/mode_proxy.go

@@ -39,7 +39,7 @@ func (a *Application) configureProxy() error {
 			a.redirectToStart(rw, r)
 			return
 		} else {
-			a.addHeaders(r, claims)
+			a.addHeaders(r.Header, claims)
 		}
 		before := time.Now()
 		rp.ServeHTTP(rw, r)