-
-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: decision API copies X-Forwarded-Method to incoming requests which breaks traefik forward auth for HEAD requests #1046
base: master
Are you sure you want to change the base?
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1046 +/- ##
==========================================
- Coverage 78.16% 77.60% -0.57%
==========================================
Files 80 79 -1
Lines 3898 4014 +116
==========================================
+ Hits 3047 3115 +68
- Misses 576 618 +42
- Partials 275 281 +6
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)
api/decision.go
Outdated
// This is nevessary because the middleware would otherwise use e.g. the method from "X-Forwarded-Method" for the response | ||
// although the original request had another method, which leads to problem with the HEAD method. | ||
// For more information see: https://github.com/thomseddon/traefik-forward-auth/issues/156 | ||
forwardedReq := &http.Request{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to clone the request using r.Clone()
. If we don't, information is missing that is needed in the decisions function:
- context is missing
- body is missing
- tls information is missing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, I updated it
@aeneasr are there any more changes required or can this be merged? |
This is still an issue it seems. Any updates?! |
Currently oathkeeper cannot handle HEAD requests from traefik Forward Auth middleware, because oathkeeper copies the forwarded method into the incoming request. With this fix HEAD requests now also work.
Related issue(s)
Currently when using the oathkeeper decision API together with traefik forward auth, HEAD requests cannot be handled currectly and will result in a timeout on the traefik side. This is because oathkeeper replaces the method of the incoming request with the method in the
X-Forwarded-Method
header and because HEAD requests must not contain a body it will not be written by go (https://github.com/golang/go/blob/9123221ccf3c80c741ead5b6f2e960573b1676b9/src/net/http/server.go#L377). But as traefik sends aGET
requests for forward auth it expects a body back (https://github.com/traefik/traefik/blob/e54ee89330a800d509da7b11b46a6ecbb331e791/pkg/middlewares/auth/forward.go#L129), therefore traefik times out, as no body is sent by oathkeeper.Reproduce
Although not the simplest setup, this is how I noticed this bug:
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further Comments
For a more in depth writeup of the problem: thomseddon/traefik-forward-auth#156