mirror of
https://github.com/caddyserver/caddy.git
synced 2025-10-31 02:27:19 -04:00
e2234497b7
* Overwrite proxy headers based on directive Headers of the request sent by the proxy upstream can now be modified in the following way: Prefix header with `+`: Header will be added if it doesn't exist otherwise, the values will be merge Prefix header with `-': Header will be removed No prefix: Header will be replaced with given value * Add missing formating directive reported by go vet * Overwrite up/down stream proxy headers Add Up/DownStreamHeaders to UpstreamHost Split `proxy_header` option in `proxy` directive into `header_upstream` and `header_downstream`. By splitting into two, it makes it clear in what direction the given headers must be applied. `proxy_header` can still be used (to maintain backward compatability) but its assumed to be `header_upstream` Response headers received by the reverse proxy from the upstream host are updated according the `header_downstream` rules. The update occurs through a func given to the reverse proxy, which is applied once a response is received. Headers (for upstream and downstream) can now be modified in the following way: Prefix header with `+`: Header will be added if it doesn't exist otherwise, the values will be merge Prefix header with `-': Header will be removed No prefix: Header will be replaced with given value Updated branch with changes from master * minor refactor to make intent clearer * Make Up/Down stream headers naming consistent * Fix error descriptions to be more clear * Fix lint issue
270 lines
7.1 KiB
Go
270 lines
7.1 KiB
Go
// This file is adapted from code in the net/http/httputil
|
|
// package of the Go standard library, which is by the
|
|
// Go Authors, and bears this copyright and license info:
|
|
//
|
|
// Copyright 2011 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
//
|
|
// This file has been modified from the standard lib to
|
|
// meet the needs of the application.
|
|
|
|
package proxy
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// onExitFlushLoop is a callback set by tests to detect the state of the
|
|
// flushLoop() goroutine.
|
|
var onExitFlushLoop func()
|
|
|
|
// ReverseProxy is an HTTP Handler that takes an incoming request and
|
|
// sends it to another server, proxying the response back to the
|
|
// client.
|
|
type ReverseProxy struct {
|
|
// Director must be a function which modifies
|
|
// the request into a new request to be sent
|
|
// using Transport. Its response is then copied
|
|
// back to the original client unmodified.
|
|
Director func(*http.Request)
|
|
|
|
// The transport used to perform proxy requests.
|
|
// If nil, http.DefaultTransport is used.
|
|
Transport http.RoundTripper
|
|
|
|
// FlushInterval specifies the flush interval
|
|
// to flush to the client while copying the
|
|
// response body.
|
|
// If zero, no periodic flushing is done.
|
|
FlushInterval time.Duration
|
|
}
|
|
|
|
func singleJoiningSlash(a, b string) string {
|
|
aslash := strings.HasSuffix(a, "/")
|
|
bslash := strings.HasPrefix(b, "/")
|
|
switch {
|
|
case aslash && bslash:
|
|
return a + b[1:]
|
|
case !aslash && !bslash:
|
|
return a + "/" + b
|
|
}
|
|
return a + b
|
|
}
|
|
|
|
// Though the relevant directive prefix is just "unix:", url.Parse
|
|
// will - assuming the regular URL scheme - add additional slashes
|
|
// as if "unix" was a request protocol.
|
|
// What we need is just the path, so if "unix:/var/run/www.socket"
|
|
// was the proxy directive, the parsed hostName would be
|
|
// "unix:///var/run/www.socket", hence the ambiguous trimming.
|
|
func socketDial(hostName string) func(network, addr string) (conn net.Conn, err error) {
|
|
return func(network, addr string) (conn net.Conn, err error) {
|
|
return net.Dial("unix", hostName[len("unix://"):])
|
|
}
|
|
}
|
|
|
|
// NewSingleHostReverseProxy returns a new ReverseProxy that rewrites
|
|
// URLs to the scheme, host, and base path provided in target. If the
|
|
// target's path is "/base" and the incoming request was for "/dir",
|
|
// the target request will be for /base/dir.
|
|
// Without logic: target's path is "/", incoming is "/api/messages",
|
|
// without is "/api", then the target request will be for /messages.
|
|
func NewSingleHostReverseProxy(target *url.URL, without string) *ReverseProxy {
|
|
targetQuery := target.RawQuery
|
|
director := func(req *http.Request) {
|
|
if target.Scheme == "unix" {
|
|
// to make Dial work with unix URL,
|
|
// scheme and host have to be faked
|
|
req.URL.Scheme = "http"
|
|
req.URL.Host = "socket"
|
|
} else {
|
|
req.URL.Scheme = target.Scheme
|
|
req.URL.Host = target.Host
|
|
}
|
|
req.URL.Path = singleJoiningSlash(target.Path, req.URL.Path)
|
|
if targetQuery == "" || req.URL.RawQuery == "" {
|
|
req.URL.RawQuery = targetQuery + req.URL.RawQuery
|
|
} else {
|
|
req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
|
|
}
|
|
// Trims the path of the socket from the URL path.
|
|
// This is done because req.URL passed to your proxied service
|
|
// will have the full path of the socket file prefixed to it.
|
|
// Calling /test on a server that proxies requests to
|
|
// unix:/var/run/www.socket will thus set the requested path
|
|
// to /var/run/www.socket/test, rendering paths useless.
|
|
if target.Scheme == "unix" {
|
|
// See comment on socketDial for the trim
|
|
socketPrefix := target.String()[len("unix://"):]
|
|
req.URL.Path = strings.TrimPrefix(req.URL.Path, socketPrefix)
|
|
}
|
|
// We are then safe to remove the `without` prefix.
|
|
if without != "" {
|
|
req.URL.Path = strings.TrimPrefix(req.URL.Path, without)
|
|
}
|
|
}
|
|
rp := &ReverseProxy{Director: director, FlushInterval: 250 * time.Millisecond} // flushing good for streaming & server-sent events
|
|
if target.Scheme == "unix" {
|
|
rp.Transport = &http.Transport{
|
|
Dial: socketDial(target.String()),
|
|
}
|
|
}
|
|
return rp
|
|
}
|
|
|
|
func copyHeader(dst, src http.Header) {
|
|
for k, vv := range src {
|
|
for _, v := range vv {
|
|
dst.Add(k, v)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Hop-by-hop headers. These are removed when sent to the backend.
|
|
// http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
|
|
var hopHeaders = []string{
|
|
"Connection",
|
|
"Keep-Alive",
|
|
"Proxy-Authenticate",
|
|
"Proxy-Authorization",
|
|
"Te", // canonicalized version of "TE"
|
|
"Trailers",
|
|
"Transfer-Encoding",
|
|
"Upgrade",
|
|
}
|
|
|
|
// InsecureTransport is used to facilitate HTTPS proxying
|
|
// when it is OK for upstream to be using a bad certificate,
|
|
// since this transport skips verification.
|
|
var InsecureTransport http.RoundTripper = &http.Transport{
|
|
Proxy: http.ProxyFromEnvironment,
|
|
Dial: (&net.Dialer{
|
|
Timeout: 30 * time.Second,
|
|
KeepAlive: 30 * time.Second,
|
|
}).Dial,
|
|
TLSHandshakeTimeout: 10 * time.Second,
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
}
|
|
|
|
type respUpdateFn func(resp *http.Response)
|
|
|
|
func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, outreq *http.Request, respUpdateFn respUpdateFn) error {
|
|
transport := p.Transport
|
|
if transport == nil {
|
|
transport = http.DefaultTransport
|
|
}
|
|
|
|
p.Director(outreq)
|
|
outreq.Proto = "HTTP/1.1"
|
|
outreq.ProtoMajor = 1
|
|
outreq.ProtoMinor = 1
|
|
outreq.Close = false
|
|
|
|
res, err := transport.RoundTrip(outreq)
|
|
if err != nil {
|
|
return err
|
|
} else if respUpdateFn != nil {
|
|
respUpdateFn(res)
|
|
}
|
|
|
|
if res.StatusCode == http.StatusSwitchingProtocols && strings.ToLower(res.Header.Get("Upgrade")) == "websocket" {
|
|
res.Body.Close()
|
|
hj, ok := rw.(http.Hijacker)
|
|
if !ok {
|
|
return nil
|
|
}
|
|
|
|
conn, _, err := hj.Hijack()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer conn.Close()
|
|
|
|
backendConn, err := net.Dial("tcp", outreq.URL.Host)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer backendConn.Close()
|
|
|
|
outreq.Write(backendConn)
|
|
|
|
go func() {
|
|
io.Copy(backendConn, conn) // write tcp stream to backend.
|
|
}()
|
|
io.Copy(conn, backendConn) // read tcp stream from backend.
|
|
} else {
|
|
defer res.Body.Close()
|
|
for _, h := range hopHeaders {
|
|
res.Header.Del(h)
|
|
}
|
|
copyHeader(rw.Header(), res.Header)
|
|
rw.WriteHeader(res.StatusCode)
|
|
p.copyResponse(rw, res.Body)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (p *ReverseProxy) copyResponse(dst io.Writer, src io.Reader) {
|
|
if p.FlushInterval != 0 {
|
|
if wf, ok := dst.(writeFlusher); ok {
|
|
mlw := &maxLatencyWriter{
|
|
dst: wf,
|
|
latency: p.FlushInterval,
|
|
done: make(chan bool),
|
|
}
|
|
go mlw.flushLoop()
|
|
defer mlw.stop()
|
|
dst = mlw
|
|
}
|
|
}
|
|
io.Copy(dst, src)
|
|
}
|
|
|
|
type writeFlusher interface {
|
|
io.Writer
|
|
http.Flusher
|
|
}
|
|
|
|
type maxLatencyWriter struct {
|
|
dst writeFlusher
|
|
latency time.Duration
|
|
|
|
lk sync.Mutex // protects Write + Flush
|
|
done chan bool
|
|
}
|
|
|
|
func (m *maxLatencyWriter) Write(p []byte) (int, error) {
|
|
m.lk.Lock()
|
|
defer m.lk.Unlock()
|
|
return m.dst.Write(p)
|
|
}
|
|
|
|
func (m *maxLatencyWriter) flushLoop() {
|
|
t := time.NewTicker(m.latency)
|
|
defer t.Stop()
|
|
for {
|
|
select {
|
|
case <-m.done:
|
|
if onExitFlushLoop != nil {
|
|
onExitFlushLoop()
|
|
}
|
|
return
|
|
case <-t.C:
|
|
m.lk.Lock()
|
|
m.dst.Flush()
|
|
m.lk.Unlock()
|
|
}
|
|
}
|
|
}
|
|
|
|
func (m *maxLatencyWriter) stop() { m.done <- true }
|