Open BulatSaif opened 3 months ago
https://github.com/gravitational/teleport/pull/34705 would probably allow this, but hasn't moved forward for a while.
34705 would probably allow this, but hasn't moved forward for a while.
PR #34705 is certainly useful, and I would appreciate having options to modify the body in future updates. However, it does not address my current issue with headers. To address this, I've created a small Proof of Concept (PoC) GitHub PR #43300. The idea behind this PoC is to replace all occurrences of hosts in the "Location" header.
I updated my GitHub PR #43300 and added an alternative rewrite redirectRegex
. It's designed to be more powerful and readable. Below are two configurations that achieve the same replacement:
Configuration 1:
apps:
- name: "MyName"
public_addr: "mydomain"
rewrite:
# Replace domain in Location header
redirect:
- "localhost"
Configuration 2:
apps:
- name: "MyName"
rewrite:
# Replace Location header using regex
redirectRegex:
regex: ^http[s]?://localhost/(.*)
replacement: http://mydomain/${1}
Here's a configuration that covers my use case, replacing all occurrences of localhost
in the header:
apps:
- name: "MyName"
rewrite:
# Replace Location header using regex
redirectRegex:
regex: localhost
replacement: mydomain
What would you like Teleport to do?
The current implementation is good at catching simple redirects, but it fails to handle more complex redirection that usually occurs if application has it own login page.
For simplicity I will use grafana app:
Current use case: Request:
https://grafana.teleport.example.com/a
Response(app) :
https://grafana.internal.dev/new-a
Response(teleport):https://grafana.teleport.example.com/new-a
Works as expected.New use case: Request:
https://grafana.teleport.example.com/a
Response(app):
https://grafana.internal.dev/login?redirect=https%3A%2F%2Fgrafana.internal.dev%2Fnew-a
Response(teleport):https://grafana.teleport.example.com/login?redirect=https%3A%2F%2Fgrafana.internal.dev%2Fnew-a
As you can see,
grafana.internal.dev
is set twice, both as the host and as part of the path. Teleport will replace only the host and leave the domain in the path, which will lead to an incorrect redirect later.What problem does this solve? This will allow using Teleport with apps that are not aware of Teleport proxy.