Remove X-Forwarded-Uri and X-Forwarded-Method from untrusted IP

stffabi
2018-11-12 17:06:04 +01:00
committed by Traefiker Bot
parent 9b0586cba7
commit b889b0191c
2 changed files with 34 additions and 12 deletions


@@ -7,6 +7,12 @@ import (
"github.com/containous/traefik/log"
"github.com/containous/traefik/whitelist"
"github.com/vulcand/oxy/forward"
"github.com/vulcand/oxy/utils"
)
const (
xForwardedURI = "X-Forwarded-Uri"
xForwardedMethod = "X-Forwarded-Method"
)
// NewHeaderRewriter Create a header rewriter
@@ -45,6 +51,8 @@ func (h *headerRewriter) Rewrite(req *http.Request) {
err := h.ips.IsAuthorized(req)
if err != nil {
log.Debug(err)
// Remove additional X-Forwarded Headers which are used by the forward authentication
utils.RemoveHeaders(req.Header, xForwardedURI, xForwardedMethod)
h.secureRewriter.Rewrite(req)
return
}
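Review bot: The new comment in the `err != nil` branch of Rewrite names the headers being dropped but not the reason, which is the part a later maintainer needs. When the peer is not a trusted proxy, both values are client-supplied, and the forward-authentication request presumably relays them to the auth backend as the original URI and method. I would say so directly, e.g. `// Untrusted peer: drop client-supplied X-Forwarded-Uri / X-Forwarded-Method so forward auth never acts on a spoofed URI or method.` The stripping also exists only in this branch. It is worth confirming outside this hunk that every route using forward auth passes through this rewriter with a trusted-IP list configured, or that the forward-auth code itself overwrites both headers for untrusted peers. Rewrite's body starts and ends outside the hunk.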