Posted to notifications@apisix.apache.org by to...@apache.org on 2021/05/17 13:24:09 UTC
[apisix] branch master updated: feat: avoid overriding customized
X-Forwarded-Proto header (#4260)
This is an automated email from the ASF dual-hosted git repository.
tokers pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 5d58dac feat: avoid overriding customized X-Forwarded-Proto header (#4260)
5d58dac is described below
commit 5d58dacaa8d279ae9ec6e061800b771b8a49e5e1
Author: 罗泽轩 <sp...@gmail.com>
AuthorDate: Mon May 17 21:23:56 2021 +0800
feat: avoid overriding customized X-Forwarded-Proto header (#4260)
Close #4252
Signed-off-by: spacewander <sp...@gmail.com>
---
apisix/cli/ngx_tpl.lua | 3 --
apisix/core/ctx.lua | 2 ++
apisix/init.lua | 12 +++++++-
t/APISIX.pm | 25 +++++++++++++++++
t/lib/server.lua | 11 +++++++-
t/plugin/proxy-rewrite2.t | 71 +++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 119 insertions(+), 5 deletions(-)
diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index d0c3b32..99cde87 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -531,9 +531,6 @@ http {
if ($http_x_forwarded_for != "") {
set $var_x_forwarded_for "${http_x_forwarded_for}, ${realip_remote_addr}";
}
- if ($http_x_forwarded_proto != "") {
- set $var_x_forwarded_proto $http_x_forwarded_proto;
- }
if ($http_x_forwarded_host != "") {
set $var_x_forwarded_host $http_x_forwarded_host;
}
diff --git a/apisix/core/ctx.lua b/apisix/core/ctx.lua
index 5373942..4018180 100644
--- a/apisix/core/ctx.lua
+++ b/apisix/core/ctx.lua
@@ -128,6 +128,8 @@ do
upstream_no_cache = true,
upstream_cache_key = true,
upstream_cache_bypass = true,
+
+ var_x_forwarded_proto = true,
}
local mt = {
diff --git a/apisix/init.lua b/apisix/init.lua
index 3185b63..3c395ee 100644
--- a/apisix/init.lua
+++ b/apisix/init.lua
@@ -251,6 +251,16 @@ local function set_upstream_host(api_ctx, picked_server)
end
+local function set_upstream_headers(api_ctx, picked_server)
+ set_upstream_host(api_ctx, picked_server)
+
+ local hdr = core.request.header(api_ctx, "X-Forwarded-Proto")
+ if hdr then
+ api_ctx.var.var_x_forwarded_proto = hdr
+ end
+end
+
+
local function get_upstream_by_id(up_id)
local upstreams = core.config.fetch_created_obj("/upstreams")
if upstreams then
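Review bot: In `set_upstream_headers`, `hdr` is written to `api_ctx.var.var_x_forwarded_proto` without checking that it is a single string. `core.request.header` is defined outside this diff, but if it is backed by `ngx.req.get_headers()`, a request that repeats `X-Forwarded-Proto` would yield a table here, and assigning a table to an nginx variable would likely raise an error in the access phase. Guarding with `if type(hdr) == "string" then`, or reading `api_ctx.var.http_x_forwarded_proto` instead, would keep the `$scheme` default in that case. The value is also client-supplied unless a plugin rewrote it, so a comment such as `-- client-controlled unless a plugin set it; upstreams should not treat it as proof of TLS` would help, and the new cases in t/plugin/proxy-rewrite2.t do not cover a repeated header. The hunk runs on into `get_upstream_by_id`, whose body is outside the hunk.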
@@ -474,7 +484,7 @@ function _M.http_access_phase()
api_ctx.picked_server = server
- set_upstream_host(api_ctx, server)
+ set_upstream_headers(api_ctx, server)
ngx_var.ctx_ref = ctxdump.stash_ngx_ctx()
local up_scheme = api_ctx.upstream_scheme
diff --git a/t/APISIX.pm b/t/APISIX.pm
index 388ade9..3bd44b3 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -377,6 +377,8 @@ _EOC_
error_page 500 \@50x.html;
+ variables_hash_bucket_size 128;
+
upstream apisix_backend {
server 0.0.0.1;
balancer_by_lua_block {
@@ -583,6 +585,29 @@ _EOC_
proxy_set_header Connection \$upstream_connection;
proxy_set_header X-Real-IP \$remote_addr;
proxy_pass_header Date;
+
+ ### the following x-forwarded-* headers is to send to upstream server
+
+ set \$var_x_forwarded_for \$remote_addr;
+ set \$var_x_forwarded_proto \$scheme;
+ set \$var_x_forwarded_host \$host;
+ set \$var_x_forwarded_port \$server_port;
+
+ if (\$http_x_forwarded_for != "") {
+ set \$var_x_forwarded_for "\${http_x_forwarded_for}, \${realip_remote_addr}";
+ }
+ if (\$http_x_forwarded_host != "") {
+ set \$var_x_forwarded_host \$http_x_forwarded_host;
+ }
+ if (\$http_x_forwarded_port != "") {
+ set \$var_x_forwarded_port \$http_x_forwarded_port;
+ }
+
+ proxy_set_header X-Forwarded-For \$var_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$var_x_forwarded_proto;
+ proxy_set_header X-Forwarded-Host \$var_x_forwarded_host;
+ proxy_set_header X-Forwarded-Port \$var_x_forwarded_port;
+
proxy_pass \$upstream_scheme://apisix_backend\$upstream_uri;
mirror /proxy_mirror;
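Review bot: The x-forwarded-* block added to the test harness is a hand copy of the one in apisix/cli/ngx_tpl.lua, so the two can drift apart without any test noticing. A comment above it such as `### keep in sync with the x-forwarded-* block in apisix/cli/ngx_tpl.lua` would make that dependency visible. The existing comment would also read better as `### the following x-forwarded-* headers are sent to the upstream server`. The enclosing block starts and ends outside the hunk.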
diff --git a/t/lib/server.lua b/t/lib/server.lua
index 984886e..149ed4b 100644
--- a/t/lib/server.lua
+++ b/t/lib/server.lua
@@ -134,6 +134,13 @@ function _M.ewma()
end
+local builtin_hdr_ignore_list = {
+ ["x-forwarded-for"] = true,
+ ["x-forwarded-proto"] = true,
+ ["x-forwarded-host"] = true,
+ ["x-forwarded-port"] = true,
+}
+
function _M.uri()
-- ngx.sleep(1)
ngx.say("uri: ", ngx.var.uri)
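Review bot: `builtin_hdr_ignore_list` has no comment saying why these four headers are dropped from the output of `_M.uri()`. Something like `-- always added by the test nginx config, so hide them to keep expected header listings stable` would explain it, if my reading of the t/APISIX.pm change is right. The lookup in the second hunk of this file, `builtin_hdr_ignore_list[k]`, matches only when `k` is lower-case. `headers` is assigned outside both hunks, so the comment should also say that the names are expected to arrive normalised. `_M.uri()` continues beyond the hunk.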
@@ -141,7 +148,9 @@ function _M.uri()
local keys = {}
for k in pairs(headers) do
- table.insert(keys, k)
+ if not builtin_hdr_ignore_list[k] then
+ table.insert(keys, k)
+ end
end
table.sort(keys)
diff --git a/t/plugin/proxy-rewrite2.t b/t/plugin/proxy-rewrite2.t
index 5045792..e3d1b7b 100644
--- a/t/plugin/proxy-rewrite2.t
+++ b/t/plugin/proxy-rewrite2.t
@@ -104,3 +104,74 @@ serverless []
uri: /plugin_proxy_rewrite
host: localhost
scheme: http
+
+
+
+=== TEST 3: default X-Forwarded-Proto
+--- apisix_yaml
+routes:
+ -
+ id: 1
+ uri: /echo
+ upstream_id: 1
+upstreams:
+ -
+ id: 1
+ nodes:
+ "127.0.0.1:1980": 1
+ type: roundrobin
+#END
+--- request
+GET /echo
+--- response_headers
+X-Forwarded-Proto: http
+
+
+
+=== TEST 4: pass X-Forwarded-Proto
+--- apisix_yaml
+routes:
+ -
+ id: 1
+ uri: /echo
+ upstream_id: 1
+upstreams:
+ -
+ id: 1
+ nodes:
+ "127.0.0.1:1980": 1
+ type: roundrobin
+#END
+--- request
+GET /echo
+--- more_headers
+X-Forwarded-Proto: https
+--- response_headers
+X-Forwarded-Proto: https
+
+
+
+=== TEST 5: customize X-Forwarded-Proto
+--- apisix_yaml
+routes:
+ -
+ id: 1
+ uri: /echo
+ plugins:
+ proxy-rewrite:
+ headers:
+ X-Forwarded-Proto: https
+ upstream_id: 1
+upstreams:
+ -
+ id: 1
+ nodes:
+ "127.0.0.1:1980": 1
+ type: roundrobin
+#END
+--- request
+GET /echo
+--- more_headers
+X-Forwarded-Proto: grpc
+--- response_headers
+X-Forwarded-Proto: https