From 3bfb8b2cb20e45e7f04d1e9b35355bd3cd8e0125 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 21 Jan 2022 13:43:16 +0100
Subject: [PATCH] outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier
Signed-off-by: Jens Langhammer
---
 .../outpost/proxyv2/application/mode_forward.go | 17 +++++++++--------
 internal/outpost/proxyv2/application/oauth.go | 7 -------
 internal/outpost/proxyv2/constants/constants.go | 1 -
 3 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/internal/outpost/proxyv2/application/mode_forward.go b/internal/outpost/proxyv2/application/mode_forward.go
index 08b831d7d..7434c0ec6 100644
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"goauthentik.io/api"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
@@ -34,6 +35,10 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 		a.log.Trace("path can be accessed without authentication")
 		return
 	}
+	if strings.HasPrefix(r.Header.Get("X-Forwarded-Uri"), "/akprox") {
+		a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
+		return
+	}
 	host := ""
 	s, _ := a.sessions.Get(r, constants.SeesionName)
 	// Optional suffix, which is appended to the URL
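Review bot: The new unauthenticated allow in forwardHandleTraefik matches a bare prefix on the raw `X-Forwarded-Uri` header, so any path that merely begins with those characters (`/akproxy/...`, `/akprox-admin`) is also let through, and nothing normalizes `..` segments before the comparison, so `/akprox/../private` satisfies the check while the string the upstream eventually sees depends on the reverse proxy's handling. The function already builds the parsed forward URL via `a.getTraefikForwardUrl(r)` a few lines further down, and the nginx handler in this same patch compares the `.Path` of that URL, so the two checks are also inconsistent with each other. I would make both compare a cleaned path with a segment boundary: `p := path.Clean(a.getTraefikForwardUrl(r).Path)` followed by `if p == "/akprox" || strings.HasPrefix(p, "/akprox/") {` (this needs the stdlib `path` import added to the block above). Whether a traversal can actually reach a protected upstream depends on how `/akprox` is routed by Traefik, which this diff does not show. forwardHandleTraefik starts before this hunk and continues after it.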
@@ -49,14 +54,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 	// see https://doc.traefik.io/traefik/middlewares/forwardauth/
 	// X-Forwarded-Uri is only the path, so we need to build the entire URL
 	s.Values[constants.SessionRedirect] = a.getTraefikForwardUrl(r).String()
-	if r.Header.Get("X-Forwarded-Uri") == "/akprox/start" {
-		a.log.Info("Detected potential redirect loop")
-		if val, ok := s.Values[constants.SessionLoopDetection]; !ok {
-			s.Values[constants.SessionLoopDetection] = 1
-		} else {
-			s.Values[constants.SessionLoopDetection] = val.(int) + 1
-		}
-	}
 	err = s.Save(r, rw)
 	if err != nil {
 		a.log.WithError(err).Warning("failed to save session before redirect")
@@ -83,5 +80,9 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
 		a.log.Trace("path can be accessed without authentication")
 		return
 	}
+	if strings.HasPrefix(a.getTraefikForwardUrl(r).Path, "/akprox") {
+		a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
+		return
+	}
 	http.Error(rw, "unauthorized request", http.StatusUnauthorized)
 }
diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go
index 6029a39ee..494c2f382 100644
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@@ -25,13 +25,6 @@ func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		a.log.WithError(err).Warning("failed to save session")
 	}
-	if loop, ok := s.Values[constants.SessionLoopDetection]; ok {
-		if loop.(int) > 10 {
-			rw.WriteHeader(http.StatusBadRequest)
-			a.ErrorPage(rw, r, "Detected redirect loop, make sure /akprox is accessible without authentication.")
-			return
-		}
-	}
 	http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(newState), http.StatusFound)
 }
 
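Review bot: The `/akprox` allow-list added to forwardHandleNginx has no segment boundary and no normalization: `strings.HasPrefix(..., "/akprox")` also accepts `/akproxy/...` or `/akprox-anything`, and because `.Path` is used uncleaned, `/akprox/../private` passes the check even though a lenient upstream may resolve it to `/private` if the reverse proxy forwards the un-normalized URI. I would tighten it to `p := path.Clean(a.getTraefikForwardUrl(r).Path)` followed by `if p == "/akprox" || strings.HasPrefix(p, "/akprox/") {`, importing the stdlib `path` package in the file's import block. The bypass also deserves a one-line comment recording the assumption it relies on, along the lines of `// presumably these paths are served by the outpost itself, so the reverse proxy must route /akprox here and never to the upstream — confirm against the nginx/traefik examples`, since the commit message is the only place that intent is stated. Whether `getTraefikForwardUrl` reads the right header in nginx mode cannot be judged from this diff. forwardHandleNginx starts before this hunk.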
diff --git a/internal/outpost/proxyv2/constants/constants.go b/internal/outpost/proxyv2/constants/constants.go
index bb7d790da..3160f42bd 100644
--- a/internal/outpost/proxyv2/constants/constants.go
+++ b/internal/outpost/proxyv2/constants/constants.go
@@ -6,4 +6,3 @@ const SessionOAuthState = "oauth_state"
 const SessionClaims = "claims"
 const SessionRedirect = "redirect"
-const SessionLoopDetection = "loop_detection"