proxy: check ALLOWED_HOSTS only for client requests (#6328)

This feature is only intended to identify misdirected browser requests.
The other routes are called by services/tools that do not necessarily
set the 'Host' header and would thus break if the check applied to them.

Co-authored-by: Adrian Richter <adrian@intevation.de>
peb-adr 2022-01-12 17:11:21 +01:00 committed by GitHub
parent 670bbdba5a
commit ff13c99818
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 30 deletions


@ -24,27 +24,6 @@
"listen": [":8000"],
"allow_h2c": true,
"routes": [
{
"handle": [
{
"body": "Misdirected Request",
"close": true,
"handler": "static_response",
"status_code": 421
}
],
"match": [
{
"not": [
{
"header": {
"Host": []
}
}
]
}
]
},
{
"handle": [
{
@ -149,6 +128,23 @@
}
]
},
{
"handle": [
{
"handler": "reverse_proxy",
"upstreams": [
{
"dial": "$VOTE_HOST:$VOTE_PORT"
}
]
}
],
"match": [
{
"path": ["/system/vote*"]
}
]
},
{
"handle": [
{
@ -176,17 +172,21 @@
{
"handle": [
{
"handler": "reverse_proxy",
"upstreams": [
{
"dial": "$VOTE_HOST:$VOTE_PORT"
}
]
"body": "Misdirected Request",
"close": true,
"handler": "static_response",
"status_code": 421
}
],
"match": [
{
"path": ["/system/vote*"]
"not": [
{
"header": {
"Host": []
}
}
]
}
]
},
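Review bot: The position of the 421 route in `routes` now decides which paths get the Host check, and nothing in the template records that. Every route ahead of it, including the relocated `/system/vote*` proxy, is matched by path alone on the same `:8000` listener, so a browser request with an unexpected Host still reaches those upstreams; the exemption is per path, not per caller. JSON cannot carry a comment, so I would state this beside the ALLOWED_HOSTS handling in the entrypoint, e.g. `# 421 Host check must stay directly before the client route; routes above it accept any Host`. It is also worth confirming that the services behind the exempt routes do not use Host for link building or access decisions; the routes between the hunks are not visible here.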


@ -57,10 +57,10 @@ fi
### ALLOWED HOSTS ###
if [ -n "$ALLOWED_HOSTS" ]; then
for host in $ALLOWED_HOSTS; do
jq_write ".apps.http.servers.srv0.routes[0].match[0].not[0].header.Host += [\"$host\"]"
jq_write ".apps.http.servers.srv0.routes[-2].match[0].not[0].header.Host += [\"$host\"]"
done
else
jq_write "del(.apps.http.servers.srv0.routes[0])"
jq_write "del(.apps.http.servers.srv0.routes[-2])"
fi
exec "$@"
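Review bot: The negative index `routes[-2]` in both branches only works while the 421 route stays second to last in the template, so a route appended or reordered later makes the `+=` fill, or the `del(...)` remove, a different route without any error, and ALLOWED_HOSTS silently stops being enforced. Selecting the route by content is sturdier, e.g. `(.apps.http.servers.srv0.routes[] | select(.handle[0].status_code == 421) | .match[0].not[0].header.Host) += [\"$host\"]` and `del(.apps.http.servers.srv0.routes[] | select(.handle[0].status_code == 421))`. Separately, `$host` is spliced into the jq program text, so a value containing a quote changes the filter. `jq_write` is defined outside this hunk; if it can forward options, pass the value with `--arg host "$host"` and use `[$host]` inside a single-quoted filter.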