internal/httpproxy/auth.go

package httpproxy

import (
	"encoding/base64"
	"net/http"
	"strings"
)

func (h *handler) isAuthorized(responseWriter http.ResponseWriter, request *http.Request) (authorized bool) {
	if len(h.username) == 0 || (request.Method != "CONNECT" && !request.URL.IsAbs()) {
		return true
	}
	basicAuth := request.Header.Get("Proxy-Authorization")
	if len(basicAuth) == 0 {
		h.logger.Info("Proxy-Authorization header not found from %s", request.RemoteAddr)
		responseWriter.Header().Set("Proxy-Authenticate", `Basic realm="Access to Gluetun over HTTP"`)
		responseWriter.WriteHeader(http.StatusProxyAuthRequired)
		return false
	}
	b64UsernamePassword := strings.TrimPrefix(basicAuth, "Basic ")
	b, err := base64.StdEncoding.DecodeString(b64UsernamePassword)
	if err != nil {
		h.logger.Info("Cannot decode Proxy-Authorization header value from %s: %s",
			request.RemoteAddr, err.Error())
		responseWriter.WriteHeader(http.StatusUnauthorized)
		return false
	}
	usernamePassword := strings.Split(string(b), ":")
	const expectedFields = 2
	if len(usernamePassword) != expectedFields {
		responseWriter.WriteHeader(http.StatusBadRequest)
		return false
	}
	if h.username != usernamePassword[0] || h.password != usernamePassword[1] {
		h.logger.Info("Username or password mismatch from %s", request.RemoteAddr)
		h.logger.Debug("username provided %q and password provided %q", usernamePassword[0], usernamePassword[1])
		responseWriter.WriteHeader(http.StatusUnauthorized)
		return false
	}
	return true
}
HTTP proxy written in Go to replace Tinyproxy (#269) 2020-10-31 21:50:31 -04:00			`package httpproxy`

			`import (`
			`"encoding/base64"`
			`"net/http"`
			`"strings"`
			`)`

HTTP proxy authentication fixes (#300) - Only accepts HTTP 1.x protocols - Only checks the credentials when the method is `CONNECT` or the request URL is absolute - More logging on authorization failures - Removes the authorization headers before forwarding the HTTP(s) requests - Refers to #298 2020-12-01 22:29:31 -05:00			`func (h handler) isAuthorized(responseWriter http.ResponseWriter, request http.Request) (authorized bool) {`
			`if len(h.username) == 0 \|\| (request.Method != "CONNECT" && !request.URL.IsAbs()) {`
			`return true`
			`}`
HTTP proxy written in Go to replace Tinyproxy (#269) 2020-10-31 21:50:31 -04:00			`basicAuth := request.Header.Get("Proxy-Authorization")`
			`if len(basicAuth) == 0 {`
HTTP proxy authentication fixes (#300) - Only accepts HTTP 1.x protocols - Only checks the credentials when the method is `CONNECT` or the request URL is absolute - More logging on authorization failures - Removes the authorization headers before forwarding the HTTP(s) requests - Refers to #298 2020-12-01 22:29:31 -05:00			`h.logger.Info("Proxy-Authorization header not found from %s", request.RemoteAddr)`
Fix #298 2020-11-13 01:14:05 +00:00			responseWriter.Header().Set("Proxy-Authenticate", `Basic realm="Access to Gluetun over HTTP"`)
HTTP proxy written in Go to replace Tinyproxy (#269) 2020-10-31 21:50:31 -04:00			`responseWriter.WriteHeader(http.StatusProxyAuthRequired)`
			`return false`
			`}`
			`b64UsernamePassword := strings.TrimPrefix(basicAuth, "Basic ")`
			`b, err := base64.StdEncoding.DecodeString(b64UsernamePassword)`
			`if err != nil {`
HTTP proxy authentication fixes (#300) - Only accepts HTTP 1.x protocols - Only checks the credentials when the method is `CONNECT` or the request URL is absolute - More logging on authorization failures - Removes the authorization headers before forwarding the HTTP(s) requests - Refers to #298 2020-12-01 22:29:31 -05:00			`h.logger.Info("Cannot decode Proxy-Authorization header value from %s: %s",`
			`request.RemoteAddr, err.Error())`
HTTP proxy written in Go to replace Tinyproxy (#269) 2020-10-31 21:50:31 -04:00			`responseWriter.WriteHeader(http.StatusUnauthorized)`
			`return false`
			`}`
			`usernamePassword := strings.Split(string(b), ":")`
			`const expectedFields = 2`
			`if len(usernamePassword) != expectedFields {`
			`responseWriter.WriteHeader(http.StatusBadRequest)`
			`return false`
			`}`
HTTP proxy authentication fixes (#300) - Only accepts HTTP 1.x protocols - Only checks the credentials when the method is `CONNECT` or the request URL is absolute - More logging on authorization failures - Removes the authorization headers before forwarding the HTTP(s) requests - Refers to #298 2020-12-01 22:29:31 -05:00			`if h.username != usernamePassword[0] \|\| h.password != usernamePassword[1] {`
			`h.logger.Info("Username or password mismatch from %s", request.RemoteAddr)`
			`h.logger.Debug("username provided %q and password provided %q", usernamePassword[0], usernamePassword[1])`
HTTP proxy written in Go to replace Tinyproxy (#269) 2020-10-31 21:50:31 -04:00			`responseWriter.WriteHeader(http.StatusUnauthorized)`
			`return false`
			`}`
			`return true`
			`}`