admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HTTP proxy authentication fixes (#300)

Browse Source 
- Only accepts HTTP 1.x protocols
- Only checks the credentials when the method is `CONNECT` or the request URL is absolute
- More logging on authorization failures
- Removes the authorization headers before forwarding the HTTP(s) requests
- Refers to #298
This commit is contained in:
Quentin McGaw
2020-12-01 22:29:31 -05:00
committed by GitHub
parent fb62910b17
commit 84944a87d3
3 changed files with 41 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
internal/httpproxy/auth.go
View File

@@ -6,10 +6,13 @@ import (
"strings"
)
func isAuthorized(responseWriter http.ResponseWriter, request *http.Request,
username, password string) (authorized bool) {
func (h *handler) isAuthorized(responseWriter http.ResponseWriter, request *http.Request) (authorized bool) {
if len(h.username) == 0 || (request.Method != "CONNECT" && !request.URL.IsAbs()) {
return true
}
basicAuth := request.Header.Get("Proxy-Authorization")
if len(basicAuth) == 0 {
h.logger.Info("Proxy-Authorization header not found from %s", request.RemoteAddr)
responseWriter.Header().Set("Proxy-Authenticate", `Basic realm="Access to Gluetun over HTTP"`)
responseWriter.WriteHeader(http.StatusProxyAuthRequired)
return false
@@ -17,6 +20,8 @@ func isAuthorized(responseWriter http.ResponseWriter, request *http.Request,
b64UsernamePassword := strings.TrimPrefix(basicAuth, "Basic ")
b, err := base64.StdEncoding.DecodeString(b64UsernamePassword)
if err != nil {
h.logger.Info("Cannot decode Proxy-Authorization header value from %s: %s",
request.RemoteAddr, err.Error())
responseWriter.WriteHeader(http.StatusUnauthorized)
return false
}
@@ -26,7 +31,9 @@ func isAuthorized(responseWriter http.ResponseWriter, request *http.Request,
responseWriter.WriteHeader(http.StatusBadRequest)
return false
}
if username != usernamePassword[0] && password != usernamePassword[1] {
if h.username != usernamePassword[0] || h.password != usernamePassword[1] {
h.logger.Info("Username or password mismatch from %s", request.RemoteAddr)
h.logger.Debug("username provided %q and password provided %q", usernamePassword[0], usernamePassword[1])
responseWriter.WriteHeader(http.StatusUnauthorized)
return false
}