reverseproxy: Fix double headers in response handlers (#4847)

Francis Lavoie 2022-06-22 15:10:14 -04:00 committed by GitHub
parent 25f10511e7
commit 98468af8b6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 34 additions and 138 deletions


@ -63,32 +63,6 @@ app.example.com {
]
}
]
},
{
"routes": [
{
"handle": [
{
"exclude": [
"Connection",
"Keep-Alive",
"Te",
"Trailers",
"Transfer-Encoding",
"Upgrade"
],
"handler": "copy_response_headers"
}
]
},
{
"handle": [
{
"handler": "copy_response"
}
]
}
]
}
],
"handler": "reverse_proxy",


@ -55,32 +55,6 @@ forward_auth localhost:9000 {
]
}
]
},
{
"routes": [
{
"handle": [
{
"exclude": [
"Connection",
"Keep-Alive",
"Te",
"Trailers",
"Transfer-Encoding",
"Upgrade"
],
"handler": "copy_response_headers"
}
]
},
{
"handle": [
{
"handler": "copy_response"
}
]
}
]
}
],
"handler": "reverse_proxy",


@ -80,7 +80,7 @@ func (h CopyResponseHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request
hrc.isFinalized = true
// write the response
return hrc.handler.finalizeResponse(rw, req, hrc.response, repl, hrc.start, hrc.logger, false)
return hrc.handler.finalizeResponse(rw, req, hrc.response, repl, hrc.start, hrc.logger)
}
// CopyResponseHeadersHandler is a special HTTP handler which may


@ -59,13 +59,6 @@ func init() {
// Remote-Email {http.reverse_proxy.header.Remote-Email}
// }
// }
//
// handle_response {
// copy_response_headers {
// exclude Connection Keep-Alive Te Trailers Transfer-Encoding Upgrade
// }
// copy_response
// }
// }
//
func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error) {
@ -217,41 +210,13 @@ func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error)
},
)
}
rpHandler.HandleResponse = append(rpHandler.HandleResponse, goodResponseHandler)
// set up handler for denial responses; when a response
// has any other status than 2xx, then we copy the response
// back to the client, and terminate handling.
denialResponseHandler := caddyhttp.ResponseHandler{
Routes: []caddyhttp.Route{
{
HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(
&reverseproxy.CopyResponseHeadersHandler{
Exclude: []string{
"Connection",
"Keep-Alive",
"Te",
"Trailers",
"Transfer-Encoding",
"Upgrade",
},
},
"handler",
"copy_response_headers",
nil,
)},
},
{
HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(
&reverseproxy.CopyResponseHandler{},
"handler",
"copy_response",
nil,
)},
},
},
}
rpHandler.HandleResponse = append(rpHandler.HandleResponse, denialResponseHandler)
// note that when a response has any other status than 2xx, then we
// use the reverse proxy's default behaviour of copying the response
// back to the client, so we don't need to explicitly add a response
// handler specifically for that behaviour; we do need the 2xx handler
// though, to make handling fall through to handlers deeper in the chain.
rpHandler.HandleResponse = append(rpHandler.HandleResponse, goodResponseHandler)
// the rest of the config is specified by the user
// using the reverse_proxy directive syntax
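Review bot: Denial of non-2xx auth responses now depends on no later entry in `rpHandler.HandleResponse` matching, because the removed `denialResponseHandler` carried no matcher and used to catch every non-2xx response before anything appended after it. The trailing comment says the rest of the config comes from the user via the reverse_proxy syntax, so if that parsing accepts user `handle_response` blocks (not visible in this hunk), a block that matches a denial status without writing a terminal response could presumably let the request continue past the auth check. I would record the invariant next to the new comment, e.g. `// security: a non-2xx auth response must never reach handlers after forward_auth; response handlers appended below can match denial statuses`, and add a test asserting that a non-2xx auth response is returned to the client and the next handler is not invoked. parseCaddyfile's body starts and continues outside the hunk.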


@ -784,18 +784,14 @@ func (h *Handler) reverseProxy(rw http.ResponseWriter, req *http.Request, origRe
res.Body = h.bufferedBody(res.Body)
}
// the response body may get closed by a response handler,
// and we need to keep track to make sure we don't try to copy
// the response if it was already closed
bodyClosed := false
// see if any response handler is configured for this response from the backend
for i, rh := range h.HandleResponse {
if rh.Match != nil && !rh.Match.Match(res.StatusCode, res.Header) {
continue
}
// if configured to only change the status code, do that then continue regular proxy response
// if configured to only change the status code,
// do that then continue regular proxy response
if statusCodeStr := rh.StatusCode.String(); statusCodeStr != "" {
statusCode, err := strconv.Atoi(repl.ReplaceAll(statusCodeStr, ""))
if err != nil {
@ -840,33 +836,29 @@ func (h *Handler) reverseProxy(rw http.ResponseWriter, req *http.Request, origRe
// pass the request through the response handler routes
routeErr := rh.Routes.Compile(next).ServeHTTP(rw, origReq.WithContext(ctx))
// if the response handler routes already finalized the response,
// we can return early. It should be finalized if the routes executed
// included a copy_response handler. If a fresh response was written
// by the routes instead, then we still need to finalize the response
// without copying the body.
if routeErr == nil && hrc.isFinalized {
return nil
// close the response body afterwards, since we don't need it anymore;
// either a route had 'copy_response' which already consumed the body,
// or some other terminal handler ran which doesn't need the response
// body after that point (e.g. 'file_server' for X-Accel-Redirect flow),
// or we fell through to subsequent handlers past this proxy
// (e.g. forward auth's 2xx response flow).
if !hrc.isFinalized {
res.Body.Close()
}
// always close the response body afterwards, since it's expected
// that the response handler routes will have written to the
// response writer with a new body, if it wasn't already finalized.
res.Body.Close()
bodyClosed = true
if routeErr != nil {
// wrap error in roundtripSucceeded so caller knows that
// wrap any route error in roundtripSucceeded so caller knows that
// the roundtrip was successful and to not retry
if routeErr != nil {
return roundtripSucceeded{routeErr}
}
// we've already closed the body, so there's no use allowing
// another response handler to run as well
break
// we're done handling the response, and we don't want to
// fall through to the default finalize/copy behaviour
return nil
}
return h.finalizeResponse(rw, req, res, repl, start, logger, bodyClosed)
// copy the response body and headers back to the upstream client
return h.finalizeResponse(rw, req, res, repl, start, logger)
}
// finalizeResponse prepares and copies the response.
@ -877,7 +869,6 @@ func (h Handler) finalizeResponse(
repl *caddy.Replacer,
start time.Time,
logger *zap.Logger,
bodyClosed bool,
) error {
// deal with 101 Switching Protocols responses: (WebSocket, h2c, etc)
if res.StatusCode == http.StatusSwitchingProtocols {
@ -891,13 +882,6 @@ func (h Handler) finalizeResponse(
res.Header.Del(h)
}
// remove the content length if we're not going to be copying
// from the response, because otherwise there'll be a mismatch
// between bytes written and the advertised length
if bodyClosed {
res.Header.Del("Content-Length")
}
// apply any response header operations
if h.Headers != nil && h.Headers.Response != nil {
if h.Headers.Response.Require == nil ||
@ -920,7 +904,7 @@ func (h Handler) finalizeResponse(
}
rw.WriteHeader(res.StatusCode)
if !bodyClosed {
err := h.copyResponse(rw, res.Body, h.flushInterval(req, res))
res.Body.Close() // close now, instead of defer, to populate res.Trailer
if err != nil {
@ -931,7 +915,6 @@ func (h Handler) finalizeResponse(
h.logger.Error("aborting with incomplete response", zap.Error(err))
return nil
}
}
if len(res.Trailer) > 0 {
// Force chunking if we saw a response trailer.