Closed branden closed 3 years ago
This PR creates a security problem, because Traefik will copy an incoming request's X-Replaced-Path
header to the forwarded request. This means a user could forge such a header in order to trick Traefik Forward Auth into allowing a request that it should not. I'll leave this PR as a draft until this is fixed in Traefik.
I'm going to close this, since the original motivation is now resolved. See https://jira.d2iq.com/browse/D2IQ-71985
Adapted from https://github.com/thomseddon/traefik-forward-auth/pull/49.
This causes Traefik Forward Auth to use the value of the
X-Replaced-Path
header as the request path when evaluating whether a request is allowed. Traefik sets this header when it alters a request path usingReplacePathRegex
, see https://doc.traefik.io/traefik/v2.0/middlewares/replacepathregex/. Without this change, Traefik Forward Auth will use the rewritten request path. If rules are defined with the expectation that they apply to requests before they are rewritten, this can lead to unexpected authorization errors.https://jira.d2iq.com/browse/D2IQ-71985