X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f159fab8f9d6bc4254192ce43432defd5bd400aa..972b62e2bb581832cb7cfafce71e3cc6794e4361:/lib/controller/proxy.go diff --git a/lib/controller/proxy.go b/lib/controller/proxy.go index 712071bef9..26d1859ec8 100644 --- a/lib/controller/proxy.go +++ b/lib/controller/proxy.go @@ -5,34 +5,61 @@ package controller import ( - "context" "io" "net/http" "net/url" - "time" - "git.curoverse.com/arvados.git/sdk/go/httpserver" + "git.arvados.org/arvados.git/sdk/go/httpserver" ) type proxy struct { - Name string // to use in Via header - RequestTimeout time.Duration + Name string // to use in Via header +} + +type HTTPError struct { + Message string + Code int +} + +func (h HTTPError) Error() string { + return h.Message } -// headers that shouldn't be forwarded when proxying. See -// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers var dropHeaders = map[string]bool{ + // Headers that shouldn't be forwarded when proxying. See + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers "Connection": true, "Keep-Alive": true, "Proxy-Authenticate": true, "Proxy-Authorization": true, - "TE": true, - "Trailer": true, + // (comment/space here makes gofmt1.10 agree with gofmt1.11) + "TE": true, + "Trailer": true, + "Upgrade": true, + + // Headers that would interfere with Go's automatic + // compression/decompression if we forwarded them. + "Accept-Encoding": true, + "Content-Encoding": true, "Transfer-Encoding": true, - "Upgrade": true, + + // Content-Length depends on encoding. + "Content-Length": true, + + // Defend against Rails vulnerability CVE-2023-22795 - + // we don't use this functionality anyway, so it costs us nothing. + // + "If-None-Match": true, } -func (p *proxy) Do(w http.ResponseWriter, reqIn *http.Request, urlOut *url.URL, client *http.Client) { +type ResponseFilter func(*http.Response, error) (*http.Response, error) + +// Forward a request to upstream service, and return response or error. +func (p *proxy) Do( + reqIn *http.Request, + urlOut *url.URL, + client *http.Client) (*http.Response, error) { + // Copy headers from incoming request, then add/replace proxy // headers like Via and X-Forwarded-For. hdrOut := http.Header{} @@ -41,43 +68,46 @@ func (p *proxy) Do(w http.ResponseWriter, reqIn *http.Request, urlOut *url.URL, hdrOut[k] = v } } - xff := reqIn.RemoteAddr - if xffIn := reqIn.Header.Get("X-Forwarded-For"); xffIn != "" { - xff = xffIn + "," + xff + xff := "" + for _, xffIn := range reqIn.Header["X-Forwarded-For"] { + if xffIn != "" { + xff += xffIn + "," + } } + xff += reqIn.RemoteAddr hdrOut.Set("X-Forwarded-For", xff) if hdrOut.Get("X-Forwarded-Proto") == "" { hdrOut.Set("X-Forwarded-Proto", reqIn.URL.Scheme) } hdrOut.Add("Via", reqIn.Proto+" arvados-controller") - ctx := reqIn.Context() - if p.RequestTimeout > 0 { - var cancel context.CancelFunc - ctx, cancel = context.WithDeadline(ctx, time.Now().Add(time.Duration(p.RequestTimeout))) - defer cancel() - } - reqOut := (&http.Request{ Method: reqIn.Method, URL: urlOut, Host: reqIn.Host, Header: hdrOut, Body: reqIn.Body, - }).WithContext(ctx) - resp, err := client.Do(reqOut) + }).WithContext(reqIn.Context()) + return client.Do(reqOut) +} + +// Copy a response (or error) to the downstream client +func (p *proxy) ForwardResponse(w http.ResponseWriter, resp *http.Response, err error) (int64, error) { if err != nil { - httpserver.Error(w, err.Error(), http.StatusBadGateway) - return + if he, ok := err.(HTTPError); ok { + httpserver.Error(w, he.Message, he.Code) + } else { + httpserver.Error(w, err.Error(), http.StatusBadGateway) + } + return 0, nil } + + defer resp.Body.Close() for k, v := range resp.Header { for _, v := range v { w.Header().Add(k, v) } } w.WriteHeader(resp.StatusCode) - n, err := io.Copy(w, resp.Body) - if err != nil { - httpserver.Logger(reqIn).WithError(err).WithField("bytesCopied", n).Error("error copying response body") - } + return io.Copy(w, resp.Body) }