trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

outposts/proxyv2: allow access to /akprox urls in forward auth mode to make routing in nginx/traefik easier 

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-01-21 13:43:16 +01:00
parent 9fc5ff4b77
commit 3bfb8b2cb2
3 changed files with 9 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
internal/outpost/proxyv2/application/mode_forward.go
View File

@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"net/url" "net/url"
"strings"
"goauthentik.io/api" "goauthentik.io/api"
"goauthentik.io/internal/outpost/proxyv2/constants" "goauthentik.io/internal/outpost/proxyv2/constants"
@ -34,6 +35,10 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
a.log.Trace("path can be accessed without authentication") a.log.Trace("path can be accessed without authentication")
return return
} }
if strings.HasPrefix(r.Header.Get("X-Forwarded-Uri"), "/akprox") {
a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
return
}
host := "" host := ""
s, _ := a.sessions.Get(r, constants.SeesionName) s, _ := a.sessions.Get(r, constants.SeesionName)
// Optional suffix, which is appended to the URL // Optional suffix, which is appended to the URL
@ -49,14 +54,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
// see https://doc.traefik.io/traefik/middlewares/forwardauth/ // see https://doc.traefik.io/traefik/middlewares/forwardauth/
// X-Forwarded-Uri is only the path, so we need to build the entire URL // X-Forwarded-Uri is only the path, so we need to build the entire URL
s.Values[constants.SessionRedirect] = a.getTraefikForwardUrl(r).String() s.Values[constants.SessionRedirect] = a.getTraefikForwardUrl(r).String()
if r.Header.Get("X-Forwarded-Uri") == "/akprox/start" {
a.log.Info("Detected potential redirect loop")
if val, ok := s.Values[constants.SessionLoopDetection]; !ok {
s.Values[constants.SessionLoopDetection] = 1
} else {
s.Values[constants.SessionLoopDetection] = val.(int) + 1
}
}
err = s.Save(r, rw) err = s.Save(r, rw)
if err != nil { if err != nil {
a.log.WithError(err).Warning("failed to save session before redirect") a.log.WithError(err).Warning("failed to save session before redirect")
@ -83,5 +80,9 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
a.log.Trace("path can be accessed without authentication") a.log.Trace("path can be accessed without authentication")
return return
} }
if strings.HasPrefix(a.getTraefikForwardUrl(r).Path, "/akprox") {
a.log.WithField("url", r.URL.String()).Trace("path begins with /akprox, allowing access")
return
}
http.Error(rw, "unauthorized request", http.StatusUnauthorized) http.Error(rw, "unauthorized request", http.StatusUnauthorized)
} }

7
internal/outpost/proxyv2/application/oauth.go
View File

@ -25,13 +25,6 @@ func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
a.log.WithError(err).Warning("failed to save session") a.log.WithError(err).Warning("failed to save session")
} }
if loop, ok := s.Values[constants.SessionLoopDetection]; ok {
if loop.(int) > 10 {
rw.WriteHeader(http.StatusBadRequest)
a.ErrorPage(rw, r, "Detected redirect loop, make sure /akprox is accessible without authentication.")
return
}
}
http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(newState), http.StatusFound) http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(newState), http.StatusFound)
} }

1
internal/outpost/proxyv2/constants/constants.go
View File

@ -6,4 +6,3 @@ const SessionOAuthState = "oauth_state"
const SessionClaims = "claims" const SessionClaims = "claims"
const SessionRedirect = "redirect" const SessionRedirect = "redirect"
const SessionLoopDetection = "loop_detection"