proxy: check ALLOWED_HOSTS only for client requests (#6328)

This feature is only intended to identify misdirected browser requests.
The other routes are called by services/tools that will not necessarily
set the 'Host' header, so the check would break them.

Co-authored-by: Adrian Richter <adrian@intevation.de>
peb-adr 2022-01-12 17:11:21 +01:00 committed by GitHub
parent 670bbdba5a
commit ff13c99818
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 30 deletions


@ -24,27 +24,6 @@
"listen": [":8000"], "listen": [":8000"],
"allow_h2c": true, "allow_h2c": true,
"routes": [ "routes": [
{
"handle": [
{
"body": "Misdirected Request",
"close": true,
"handler": "static_response",
"status_code": 421
}
],
"match": [
{
"not": [
{
"header": {
"Host": []
}
}
]
}
]
},
{ {
"handle": [ "handle": [
{ {
@ -149,6 +128,23 @@
} }
] ]
}, },
{
"handle": [
{
"handler": "reverse_proxy",
"upstreams": [
{
"dial": "$VOTE_HOST:$VOTE_PORT"
}
]
}
],
"match": [
{
"path": ["/system/vote*"]
}
]
},
{ {
"handle": [ "handle": [
{ {
@ -176,17 +172,21 @@
{ {
"handle": [ "handle": [
{ {
"handler": "reverse_proxy", "body": "Misdirected Request",
"upstreams": [ "close": true,
{ "handler": "static_response",
"dial": "$VOTE_HOST:$VOTE_PORT" "status_code": 421
}
]
} }
], ],
"match": [ "match": [
{ {
"path": ["/system/vote*"] "not": [
{
"header": {
"Host": []
}
}
]
} }
] ]
}, },
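Review bot: With the 421 route moved to second-to-last, the ALLOWED_HOSTS check only applies to requests that no earlier route has handled, so every route ahead of it, including the `/system/vote*` reverse_proxy this change moves up, now forwards requests carrying any Host value. That is the stated intent, but it makes the protection depend on route order and on those upstreams never using Host for URL building or trust decisions. The routes outside these hunks are not visible here, so this should be confirmed per upstream. Since JSON cannot carry a comment, I would record in the proxy's documentation which paths are exempt from the host check and that new client-facing routes must be placed after the 421 route.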


@ -57,10 +57,10 @@ fi
### ALLOWED HOSTS ### ### ALLOWED HOSTS ###
if [ -n "$ALLOWED_HOSTS" ]; then if [ -n "$ALLOWED_HOSTS" ]; then
for host in $ALLOWED_HOSTS; do for host in $ALLOWED_HOSTS; do
jq_write ".apps.http.servers.srv0.routes[0].match[0].not[0].header.Host += [\"$host\"]" jq_write ".apps.http.servers.srv0.routes[-2].match[0].not[0].header.Host += [\"$host\"]"
done done
else else
jq_write "del(.apps.http.servers.srv0.routes[0])" jq_write "del(.apps.http.servers.srv0.routes[-2])"
fi fi
exec "$@" exec "$@"
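Review bot: The hard-coded `routes[-2]` ties this script to the exact order of the routes in the JSON template: if a route is ever appended or moved, the loop adds hosts to an unrelated route or the `del` removes one, and the 421 route is left in place with an empty `Host` list. Selecting the route by what it is would remove that coupling, e.g. `jq_write "(.apps.http.servers.srv0.routes[] | select(.handle[0].status_code == 421) | .match[0].not[0].header.Host) += [\"$host\"]"` and `jq_write "del(.apps.http.servers.srv0.routes[] | select(.handle[0].status_code == 421))"`. `jq_write` is defined outside this hunk, so I am assuming it passes the string to jq as the filter unchanged.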