neild
commented
2 years ago We would need to define how ModifyRequest and Director compose: What happens if both are set? My inclination is to call this an error.
@bradfitz proposed an interesting alternative to ModifyRequest. If we pass a type to the rewrite function, we can add additional methods to that type to make it easier for users to customize the proxy behavior. For example:
proxy := &ReverseProxy{
Rewrite: func(r *Rewriter) {
r.SetXForwarded() // sets X-Forwarded-{For,Host,Proto}
r.AppendXForwarded() // appends to X-Forwarded-For (current behavior)
r.SetForwarded() // sets RFC 7239 Forwarded header
r.SetURL(url) // NewSingleHostReverseProxy-style routing
},
}
gopherbot
zepatrik
An HTTP request may contain header fields which are intended for the immediate recipient ("hop-by-hop"), and ones intended for all recipients on the chain of a forwarded request ("end-to-end"). For example, the "Keep-Alive" header is a hop-by-hop header, because it applies to a single TCP connection. The "Cache-Control" header, in contrast, is an end-to-end header which should be forwarded by an HTTP proxy.
RFC 2616, section 13.5.1 specified a list of hop-by-hop headers which HTTP proxies should not forward.
RFC 7230, section 6.1 replaces the hardcoded list of hop-by-hop headers with the ability for the originator of a request to specify the hop-by-hop headers in the "Connection" header.
The
httputil.ReverseProxyproxy both understands the obsolete hardcoded list of hop-by-hop headers from RFC 2616 and theConnectionheader from RFC 7230.ReverseProxywill remove all hop-by-hop headers before forwarding a request.When ReverseProxy forwards a request, it follows the following steps in order:
outreq.outreqto theDirectorfunction, which may modify it.outreq.outreqto the backend.This can cause headers added by the
Directorfunction to be removed before the request is forwarded to the backend.For example, if an inbound request contains a
Connection: forwardedheader, then anyForwardedheader added by theDirectorwill not be sent to the backend. This is probably surprising; under some circumstances, it may be a security vulnerability.The user of
httputil.ReverseProxycan prevent a header from being stripped in this fashion by removing any headers that should not be dropped from theConnectionheader. This is cumbersome, and relies on the user knowing that they must do this.Some proposed solutions:
Remove hop-by-hop headers before calling the
Directorfunction: This breaks any existingDirectorfunction that examines hop-by-hop headers likeProxy-Authorization.Detect what headers were modified by the
Directorfunction and avoid removing them: This does not avoid the problem, because the attacker could send the exact header they want to remove. For example, an attacker can sendand after
Directorruns we cannot tell whether it intends theX-Forwarded-Protoheader to stay.Only remove RFC 2616 hop-by-hop headers and do not remove headers listed in the
Connectionheader: This is a violation of RFC 7230, which states that proxies MUST remove headers listed in theConnectionheader.I do not believe it is possible to fix this problem within the context of the existing
ReverseProxyAPI. The problem is that theDirectorfunction makes no distinction between the inbound request and the outbound one: We cannot remove hop-by-hop headers before passing a request toDirector, sinceDirectormay need to examine those headers, but removing those headers afterDirectorruns can strip headers that should be preserved for the next hop.I propose that we add a new field to
ReverseProxy, supersedingDirector, which takes both the inbound and outbound request.We do not usually backport new APIs. Since in this case the existing API is inherently insecure, I propose that we backport ModifyRequest and mark Director as deprecated.