mirror of
https://github.com/infinite-iroha/touka.git
synced 2026-06-13 15:47:38 +08:00
1017 lines
29 KiB
Go
1017 lines
29 KiB
Go
package touka
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/http/httptrace"
|
|
"net/textproto"
|
|
"net/url"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestReverseProxyForwardingAndHopHeaders(t *testing.T) {
|
|
t.Helper()
|
|
|
|
type backendRequestSnapshot struct {
|
|
Path string
|
|
RawQuery string
|
|
Host string
|
|
Connection string
|
|
RemovedHeader string
|
|
Forwarded string
|
|
XForwardedFor string
|
|
XForwardedHost string
|
|
XForwardedProto string
|
|
Via []string
|
|
TE string
|
|
UserAgent string
|
|
}
|
|
|
|
gotCh := make(chan backendRequestSnapshot, 1)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
gotCh <- backendRequestSnapshot{
|
|
Path: r.URL.Path,
|
|
RawQuery: r.URL.RawQuery,
|
|
Host: r.Host,
|
|
Connection: r.Header.Get("Connection"),
|
|
RemovedHeader: r.Header.Get("X-Remove-Me"),
|
|
Forwarded: r.Header.Get("Forwarded"),
|
|
XForwardedFor: r.Header.Get("X-Forwarded-For"),
|
|
XForwardedHost: r.Header.Get("X-Forwarded-Host"),
|
|
XForwardedProto: r.Header.Get("X-Forwarded-Proto"),
|
|
Via: append([]string(nil), r.Header.Values("Via")...),
|
|
TE: r.Header.Get("Te"),
|
|
UserAgent: r.Header.Get("User-Agent"),
|
|
}
|
|
|
|
w.Header().Set("Connection", "X-Backend-Secret")
|
|
w.Header().Set("X-Backend-Secret", "remove-me")
|
|
w.Header().Add("Via", "1.0 upstream")
|
|
w.Header().Add("Trailer", "X-Upstream-Trailer")
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
_, _ = io.WriteString(w, "proxied")
|
|
w.Header().Set("X-Upstream-Trailer", "done")
|
|
}))
|
|
defer backend.Close()
|
|
|
|
target, err := url.Parse(backend.URL + "/base?from=target")
|
|
if err != nil {
|
|
t.Fatalf("parse target: %v", err)
|
|
}
|
|
|
|
engine := New()
|
|
engine.GET("/api/*path", ReverseProxy(ReverseProxyConfig{
|
|
Target: target,
|
|
ForwardedHeaders: ForwardedBoth,
|
|
ForwardedBy: "_proxy-node",
|
|
Via: "proxy.test",
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://client.example/api/ping?bad=1;smuggle=2&q=2", nil)
|
|
req.Host = "client.example"
|
|
req.RemoteAddr = "198.51.100.10:4567"
|
|
req.Header.Set("Connection", "X-Remove-Me")
|
|
req.Header.Set("X-Remove-Me", "client-secret")
|
|
req.Header.Set("X-Forwarded-For", "203.0.113.9")
|
|
req.Header.Set("X-Forwarded-Host", "edge.example")
|
|
req.Header.Set("X-Forwarded-Proto", "https")
|
|
req.Header.Set("Forwarded", "for=203.0.113.9")
|
|
req.Header.Set("Te", "trailers")
|
|
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
resp := rr.Result()
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
t.Fatalf("read body: %v", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
|
|
var got backendRequestSnapshot
|
|
select {
|
|
case got = <-gotCh:
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("timed out waiting for backend snapshot")
|
|
}
|
|
|
|
if string(body) != "proxied" {
|
|
t.Fatalf("unexpected body: %q", string(body))
|
|
}
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Fatalf("unexpected status: %d", resp.StatusCode)
|
|
}
|
|
if got.Path != "/base/api/ping" {
|
|
t.Fatalf("unexpected upstream path: %q", got.Path)
|
|
}
|
|
if got.RawQuery != "from=target&q=2" {
|
|
t.Fatalf("unexpected upstream raw query: %q", got.RawQuery)
|
|
}
|
|
if got.Host != strings.TrimPrefix(backend.URL, "http://") {
|
|
t.Fatalf("unexpected upstream host: %q", got.Host)
|
|
}
|
|
if got.Connection != "" {
|
|
t.Fatalf("connection header should be stripped, got %q", got.Connection)
|
|
}
|
|
if got.RemovedHeader != "" {
|
|
t.Fatalf("connection-token header should be stripped, got %q", got.RemovedHeader)
|
|
}
|
|
if got.XForwardedFor != "203.0.113.9, 198.51.100.10" {
|
|
t.Fatalf("unexpected X-Forwarded-For: %q", got.XForwardedFor)
|
|
}
|
|
if got.XForwardedHost != "edge.example" {
|
|
t.Fatalf("unexpected X-Forwarded-Host: %q", got.XForwardedHost)
|
|
}
|
|
if got.XForwardedProto != "https" {
|
|
t.Fatalf("unexpected X-Forwarded-Proto: %q", got.XForwardedProto)
|
|
}
|
|
if got.TE != "trailers" {
|
|
t.Fatalf("unexpected TE header: %q", got.TE)
|
|
}
|
|
if got.UserAgent != "" {
|
|
t.Fatalf("expected empty user-agent suppression, got %q", got.UserAgent)
|
|
}
|
|
if !strings.Contains(got.Forwarded, "for=203.0.113.9") {
|
|
t.Fatalf("forwarded header missing prior hop: %q", got.Forwarded)
|
|
}
|
|
if !strings.Contains(got.Forwarded, "for=198.51.100.10") {
|
|
t.Fatalf("forwarded header missing client ip: %q", got.Forwarded)
|
|
}
|
|
if !strings.Contains(got.Forwarded, "by=_proxy-node") {
|
|
t.Fatalf("forwarded header missing by token: %q", got.Forwarded)
|
|
}
|
|
if !strings.Contains(got.Forwarded, "host=client.example") {
|
|
t.Fatalf("forwarded header missing host: %q", got.Forwarded)
|
|
}
|
|
if !strings.Contains(got.Forwarded, "proto=http") {
|
|
t.Fatalf("forwarded header missing proto: %q", got.Forwarded)
|
|
}
|
|
if len(got.Via) != 1 || got.Via[0] != "1.1 proxy.test" {
|
|
t.Fatalf("unexpected upstream Via headers: %#v", got.Via)
|
|
}
|
|
if resp.Header.Get("Connection") != "" {
|
|
t.Fatalf("response connection header should be stripped, got %q", resp.Header.Get("Connection"))
|
|
}
|
|
if resp.Header.Get("X-Backend-Secret") != "" {
|
|
t.Fatalf("response connection-token header should be stripped, got %q", resp.Header.Get("X-Backend-Secret"))
|
|
}
|
|
if gotVia := resp.Header.Values("Via"); len(gotVia) != 2 || gotVia[0] != "1.0 upstream" || gotVia[1] != "1.1 proxy.test" {
|
|
t.Fatalf("unexpected response Via headers: %#v", gotVia)
|
|
}
|
|
if resp.Trailer.Get("X-Upstream-Trailer") != "done" {
|
|
t.Fatalf("unexpected proxied trailer: %q", resp.Trailer.Get("X-Upstream-Trailer"))
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyRejectsInvalidForwardedBy(t *testing.T) {
|
|
t.Helper()
|
|
|
|
engine := New()
|
|
engine.GET("/proxy", ReverseProxy(ReverseProxyConfig{
|
|
Target: mustParseURL(t, "http://example.com"),
|
|
ForwardedHeaders: ForwardedBoth,
|
|
ForwardedBy: "proxy-node",
|
|
}))
|
|
|
|
rr := PerformRequest(engine, http.MethodGet, "/proxy", nil, nil)
|
|
if rr.Code != http.StatusInternalServerError {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyForwardedByTrimsWhitespace(t *testing.T) {
|
|
t.Helper()
|
|
|
|
forwardedCh := make(chan string, 1)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
forwardedCh <- r.Header.Get("Forwarded")
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}))
|
|
defer backend.Close()
|
|
|
|
engine := New()
|
|
engine.GET("/proxy", ReverseProxy(ReverseProxyConfig{
|
|
Target: mustParseURL(t, backend.URL),
|
|
ForwardedHeaders: ForwardedBoth,
|
|
ForwardedBy: " _proxy-node ",
|
|
}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://client.example/proxy", nil)
|
|
req.RemoteAddr = "198.51.100.10:4567"
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusNoContent {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
|
|
select {
|
|
case forwarded := <-forwardedCh:
|
|
if !strings.Contains(forwarded, "by=_proxy-node") {
|
|
t.Fatalf("unexpected Forwarded header: %q", forwarded)
|
|
}
|
|
if strings.Contains(forwarded, `by=" _proxy-node "`) {
|
|
t.Fatalf("forwarded header should not preserve surrounding whitespace: %q", forwarded)
|
|
}
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("timed out waiting for backend Forwarded header")
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyDefaultViaFallback(t *testing.T) {
|
|
t.Helper()
|
|
|
|
viaCh := make(chan []string, 1)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
viaCh <- append([]string(nil), r.Header.Values("Via")...)
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}))
|
|
defer backend.Close()
|
|
|
|
target, err := url.Parse(backend.URL)
|
|
if err != nil {
|
|
t.Fatalf("parse target: %v", err)
|
|
}
|
|
|
|
engine := New()
|
|
engine.GET("/proxy", ReverseProxy(ReverseProxyConfig{Target: target}))
|
|
|
|
rr := PerformRequest(engine, http.MethodGet, "/proxy", nil, nil)
|
|
if rr.Code != http.StatusNoContent {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
|
|
select {
|
|
case via := <-viaCh:
|
|
if len(via) != 1 || via[0] != "1.1 touka-engine" {
|
|
t.Fatalf("unexpected default Via header: %#v", via)
|
|
}
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("timed out waiting for backend Via header")
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyCustomErrorHandler(t *testing.T) {
|
|
t.Helper()
|
|
|
|
engine := New()
|
|
target, err := url.Parse("http://127.0.0.1:1")
|
|
if err != nil {
|
|
t.Fatalf("parse target: %v", err)
|
|
}
|
|
|
|
engine.GET("/proxy", ReverseProxy(ReverseProxyConfig{
|
|
Target: target,
|
|
ErrorHandler: func(w http.ResponseWriter, _ *http.Request, err error) {
|
|
w.WriteHeader(http.StatusGatewayTimeout)
|
|
_, _ = io.WriteString(w, fmt.Sprintf("proxy failure: %v", err))
|
|
},
|
|
}))
|
|
|
|
rr := PerformRequest(engine, http.MethodGet, "/proxy", nil, nil)
|
|
if rr.Code != http.StatusGatewayTimeout {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
if !strings.Contains(rr.Body.String(), "proxy failure:") {
|
|
t.Fatalf("unexpected body: %q", rr.Body.String())
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyTimeoutReturnsGatewayTimeout(t *testing.T) {
|
|
t.Helper()
|
|
|
|
engine := New()
|
|
engine.GET("/proxy", ReverseProxy(ReverseProxyConfig{
|
|
Target: mustParseURL(t, "http://example.com"),
|
|
Transport: roundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
|
return nil, context.DeadlineExceeded
|
|
}),
|
|
}))
|
|
|
|
rr := PerformRequest(engine, http.MethodGet, "/proxy", nil, nil)
|
|
if rr.Code != http.StatusGatewayTimeout {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyUnannouncedTrailerForwarding(t *testing.T) {
|
|
t.Helper()
|
|
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set(http.TrailerPrefix+"X-Unannounced-Trailer", "later")
|
|
w.WriteHeader(http.StatusOK)
|
|
_, _ = io.WriteString(w, "streamed")
|
|
}))
|
|
defer backend.Close()
|
|
|
|
target, err := url.Parse(backend.URL)
|
|
if err != nil {
|
|
t.Fatalf("parse target: %v", err)
|
|
}
|
|
|
|
engine := New()
|
|
engine.GET("/trailers", ReverseProxy(ReverseProxyConfig{Target: target}))
|
|
|
|
rr := PerformRequest(engine, http.MethodGet, "/trailers", nil, nil)
|
|
resp := rr.Result()
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
t.Fatalf("read body: %v", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Fatalf("unexpected status: %d", resp.StatusCode)
|
|
}
|
|
if string(body) != "streamed" {
|
|
t.Fatalf("unexpected body: %q", string(body))
|
|
}
|
|
if got := resp.Trailer.Get("X-Unannounced-Trailer"); got != "later" {
|
|
t.Fatalf("unexpected unannounced trailer: %q", got)
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyProtocolUpgrade(t *testing.T) {
|
|
t.Helper()
|
|
|
|
errCh := make(chan error, 8)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if !headerValuesContainToken(r.Header["Connection"], "Upgrade") {
|
|
errCh <- fmt.Errorf("missing upgrade connection header: %#v", r.Header.Values("Connection"))
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
|
|
errCh <- fmt.Errorf("unexpected upgrade header: %q", r.Header.Get("Upgrade"))
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
hj, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
errCh <- errors.New("backend response writer does not support hijack")
|
|
return
|
|
}
|
|
conn, brw, err := hj.Hijack()
|
|
if err != nil {
|
|
errCh <- fmt.Errorf("backend hijack failed: %w", err)
|
|
return
|
|
}
|
|
defer conn.Close()
|
|
|
|
_, _ = io.WriteString(brw, "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
|
|
if err := brw.Flush(); err != nil {
|
|
errCh <- fmt.Errorf("backend flush failed: %w", err)
|
|
return
|
|
}
|
|
|
|
line, err := brw.ReadString('\n')
|
|
if err != nil {
|
|
errCh <- fmt.Errorf("backend read failed: %w", err)
|
|
return
|
|
}
|
|
_, _ = io.WriteString(brw, "echo:"+line)
|
|
if err := brw.Flush(); err != nil {
|
|
errCh <- fmt.Errorf("backend echo flush failed: %w", err)
|
|
return
|
|
}
|
|
}))
|
|
defer backend.Close()
|
|
|
|
target, err := url.Parse(backend.URL)
|
|
if err != nil {
|
|
t.Fatalf("parse target: %v", err)
|
|
}
|
|
|
|
engine := New()
|
|
engine.GET("/ws", ReverseProxy(ReverseProxyConfig{
|
|
Target: target,
|
|
Via: "proxy.test",
|
|
}))
|
|
|
|
proxy := httptest.NewServer(engine)
|
|
defer proxy.Close()
|
|
|
|
conn, err := net.DialTimeout("tcp", proxy.Listener.Addr().String(), 5*time.Second)
|
|
if err != nil {
|
|
t.Fatalf("dial proxy: %v", err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
|
|
t.Fatalf("set deadline: %v", err)
|
|
}
|
|
|
|
_, err = fmt.Fprintf(conn, "GET /ws HTTP/1.1\r\nHost: client.example\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n")
|
|
if err != nil {
|
|
t.Fatalf("write upgrade request: %v", err)
|
|
}
|
|
|
|
reader := bufio.NewReader(conn)
|
|
statusLine, err := reader.ReadString('\n')
|
|
if err != nil {
|
|
t.Fatalf("read status line: %v", err)
|
|
}
|
|
if !strings.Contains(statusLine, "101") {
|
|
t.Fatalf("unexpected status line: %q", statusLine)
|
|
}
|
|
|
|
headers, err := textproto.NewReader(reader).ReadMIMEHeader()
|
|
if err != nil {
|
|
t.Fatalf("read headers: %v", err)
|
|
}
|
|
respHeader := http.Header(headers)
|
|
if !strings.EqualFold(respHeader.Get("Upgrade"), "websocket") {
|
|
t.Fatalf("unexpected upgrade response header: %q", respHeader.Get("Upgrade"))
|
|
}
|
|
if !headerValuesContainToken(respHeader.Values("Connection"), "Upgrade") {
|
|
t.Fatalf("unexpected connection response header: %#v", respHeader.Values("Connection"))
|
|
}
|
|
if gotVia := respHeader.Values("Via"); len(gotVia) != 1 || gotVia[0] != "1.1 proxy.test" {
|
|
t.Fatalf("unexpected Via response header: %#v", gotVia)
|
|
}
|
|
|
|
if _, err := io.WriteString(conn, "ping\n"); err != nil {
|
|
t.Fatalf("write tunneled payload: %v", err)
|
|
}
|
|
message, err := reader.ReadString('\n')
|
|
if err != nil {
|
|
t.Fatalf("read tunneled payload: %v", err)
|
|
}
|
|
if message != "echo:ping\n" {
|
|
t.Fatalf("unexpected tunneled payload: %q", message)
|
|
}
|
|
|
|
select {
|
|
case err := <-errCh:
|
|
t.Fatal(err)
|
|
default:
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyRejectsEmptyUpgradeProtocol(t *testing.T) {
|
|
t.Helper()
|
|
|
|
errCh := make(chan error, 4)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
hj, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
errCh <- errors.New("backend response writer does not support hijack")
|
|
return
|
|
}
|
|
conn, brw, err := hj.Hijack()
|
|
if err != nil {
|
|
errCh <- fmt.Errorf("backend hijack failed: %w", err)
|
|
return
|
|
}
|
|
defer conn.Close()
|
|
|
|
_, _ = io.WriteString(brw, "HTTP/1.1 101 Switching Protocols\r\n\r\n")
|
|
if err := brw.Flush(); err != nil {
|
|
errCh <- fmt.Errorf("backend flush failed: %w", err)
|
|
return
|
|
}
|
|
}))
|
|
defer backend.Close()
|
|
|
|
target, err := url.Parse(backend.URL)
|
|
if err != nil {
|
|
t.Fatalf("parse target: %v", err)
|
|
}
|
|
|
|
engine := New()
|
|
engine.GET("/ws", ReverseProxy(ReverseProxyConfig{Target: target}))
|
|
|
|
proxy := httptest.NewServer(engine)
|
|
defer proxy.Close()
|
|
|
|
conn, err := net.DialTimeout("tcp", proxy.Listener.Addr().String(), 5*time.Second)
|
|
if err != nil {
|
|
t.Fatalf("dial proxy: %v", err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
|
|
t.Fatalf("set deadline: %v", err)
|
|
}
|
|
|
|
_, err = fmt.Fprintf(conn, "GET /ws HTTP/1.1\r\nHost: client.example\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n")
|
|
if err != nil {
|
|
t.Fatalf("write upgrade request: %v", err)
|
|
}
|
|
|
|
resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
|
|
if err != nil {
|
|
t.Fatalf("read response: %v", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusBadGateway {
|
|
t.Fatalf("unexpected status: %d", resp.StatusCode)
|
|
}
|
|
|
|
select {
|
|
case err := <-errCh:
|
|
t.Fatal(err)
|
|
default:
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyUpgradeNeedsHijacker(t *testing.T) {
|
|
t.Helper()
|
|
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
hj, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
t.Fatal("backend response writer does not support hijack")
|
|
}
|
|
conn, brw, err := hj.Hijack()
|
|
if err != nil {
|
|
t.Fatalf("backend hijack failed: %v", err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
_, _ = io.WriteString(brw, "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n")
|
|
_ = brw.Flush()
|
|
}))
|
|
defer backend.Close()
|
|
|
|
engine := New()
|
|
engine.GET("/ws", ReverseProxy(ReverseProxyConfig{Target: mustParseURL(t, backend.URL)}))
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "http://client.example/ws", nil)
|
|
req.Header.Set("Connection", "Upgrade")
|
|
req.Header.Set("Upgrade", "websocket")
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusNotImplemented {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyMaxForwardsTraceHandledLocally(t *testing.T) {
|
|
t.Helper()
|
|
|
|
called := make(chan struct{}, 1)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
called <- struct{}{}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}))
|
|
defer backend.Close()
|
|
|
|
engine := New()
|
|
engine.Handle(http.MethodTrace, "/trace", ReverseProxy(ReverseProxyConfig{Target: mustParseURL(t, backend.URL)}))
|
|
|
|
req := httptest.NewRequest(http.MethodTrace, "http://client.example/trace", nil)
|
|
req.RequestURI = "/trace"
|
|
req.Header.Set("Max-Forwards", "0")
|
|
req.Header.Set("Authorization", "secret")
|
|
req.Header.Set("Cookie", "a=b")
|
|
req.Header.Set("Forwarded", "for=192.0.2.1")
|
|
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
resp := rr.Result()
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
t.Fatalf("read body: %v", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Fatalf("unexpected status: %d", resp.StatusCode)
|
|
}
|
|
if got := resp.Header.Get("Content-Type"); got != "message/http" {
|
|
t.Fatalf("unexpected content type: %q", got)
|
|
}
|
|
if !strings.Contains(string(body), "TRACE /trace HTTP/1.1") {
|
|
t.Fatalf("trace body missing request line: %q", string(body))
|
|
}
|
|
if strings.Contains(string(body), "Authorization:") {
|
|
t.Fatalf("trace body leaked authorization header: %q", string(body))
|
|
}
|
|
if strings.Contains(string(body), "Cookie:") {
|
|
t.Fatalf("trace body leaked cookie header: %q", string(body))
|
|
}
|
|
if strings.Contains(string(body), "Forwarded:") {
|
|
t.Fatalf("trace body leaked forwarded header: %q", string(body))
|
|
}
|
|
|
|
select {
|
|
case <-called:
|
|
t.Fatal("backend should not be called when Max-Forwards is zero")
|
|
default:
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyMaxForwardsTraceDecrementsBeforeForwarding(t *testing.T) {
|
|
t.Helper()
|
|
|
|
maxForwardsCh := make(chan string, 1)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
maxForwardsCh <- r.Header.Get("Max-Forwards")
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}))
|
|
defer backend.Close()
|
|
|
|
engine := New()
|
|
engine.Handle(http.MethodTrace, "/trace", ReverseProxy(ReverseProxyConfig{Target: mustParseURL(t, backend.URL)}))
|
|
|
|
req := httptest.NewRequest(http.MethodTrace, "http://client.example/trace", nil)
|
|
req.Header.Set("Max-Forwards", "2")
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusNoContent {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
|
|
select {
|
|
case got := <-maxForwardsCh:
|
|
if got != "1" {
|
|
t.Fatalf("unexpected Max-Forwards header: %q", got)
|
|
}
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("timed out waiting for backend Max-Forwards")
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyMaxForwardsOptionsHandledLocally(t *testing.T) {
|
|
t.Helper()
|
|
|
|
called := make(chan struct{}, 1)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
called <- struct{}{}
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}))
|
|
defer backend.Close()
|
|
|
|
engine := New()
|
|
engine.GET("/proxy", func(c *Context) { c.Status(http.StatusNoContent) })
|
|
engine.OPTIONS("/proxy", ReverseProxy(ReverseProxyConfig{Target: mustParseURL(t, backend.URL)}))
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "http://client.example/proxy", nil)
|
|
req.Header.Set("Max-Forwards", "0")
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusOK {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
allow := rr.Header().Get("Allow")
|
|
if !strings.Contains(allow, http.MethodGet) || !strings.Contains(allow, http.MethodOptions) {
|
|
t.Fatalf("unexpected Allow header: %q", allow)
|
|
}
|
|
|
|
select {
|
|
case <-called:
|
|
t.Fatal("backend should not be called when Max-Forwards is zero")
|
|
default:
|
|
}
|
|
}
|
|
|
|
func TestEngineDoesNotTreatOptionsAsteriskAsSlashRoute(t *testing.T) {
|
|
t.Helper()
|
|
|
|
engine := New()
|
|
engine.OPTIONS("/", func(c *Context) {
|
|
c.Status(http.StatusNoContent)
|
|
})
|
|
|
|
req := httptest.NewRequest(http.MethodOptions, "http://client.example/", nil)
|
|
req.RequestURI = "*"
|
|
req.URL.Path = ""
|
|
req.URL.RawPath = ""
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusNotFound {
|
|
t.Fatalf("unexpected status for OPTIONS *: %d", rr.Code)
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyConnectTunnel(t *testing.T) {
|
|
t.Helper()
|
|
|
|
backendAddr := ""
|
|
errCh := make(chan error, 4)
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodConnect {
|
|
errCh <- fmt.Errorf("unexpected method: %s", r.Method)
|
|
w.WriteHeader(http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
if got, want := r.RequestURI, backendAddr; got != want {
|
|
errCh <- fmt.Errorf("unexpected CONNECT target %q, want %q", got, want)
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
hj, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
errCh <- errors.New("backend response writer does not support hijack")
|
|
return
|
|
}
|
|
conn, brw, err := hj.Hijack()
|
|
if err != nil {
|
|
errCh <- fmt.Errorf("backend hijack failed: %w", err)
|
|
return
|
|
}
|
|
defer conn.Close()
|
|
|
|
_, _ = io.WriteString(brw, "HTTP/1.1 200 Connection Established\r\nVia: 1.1 upstream\r\n\r\n")
|
|
if err := brw.Flush(); err != nil {
|
|
errCh <- fmt.Errorf("backend flush failed: %w", err)
|
|
return
|
|
}
|
|
|
|
line, err := brw.ReadString('\n')
|
|
if err != nil {
|
|
errCh <- fmt.Errorf("backend read failed: %w", err)
|
|
return
|
|
}
|
|
_, _ = io.WriteString(brw, strings.ToUpper(line))
|
|
if err := brw.Flush(); err != nil {
|
|
errCh <- fmt.Errorf("backend write failed: %w", err)
|
|
return
|
|
}
|
|
}))
|
|
defer backend.Close()
|
|
backendAddr = strings.TrimPrefix(backend.URL, "http://")
|
|
|
|
engine := New()
|
|
engine.Handle(http.MethodConnect, "/:authority", ReverseProxy(ReverseProxyConfig{
|
|
Target: mustParseURL(t, backend.URL),
|
|
Via: "proxy.test",
|
|
}))
|
|
|
|
proxy := httptest.NewServer(engine)
|
|
defer proxy.Close()
|
|
|
|
conn, err := net.DialTimeout("tcp", proxy.Listener.Addr().String(), 5*time.Second)
|
|
if err != nil {
|
|
t.Fatalf("dial proxy: %v", err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
if err := conn.SetDeadline(time.Now().Add(5 * time.Second)); err != nil {
|
|
t.Fatalf("set deadline: %v", err)
|
|
}
|
|
|
|
_, err = fmt.Fprintf(conn, "CONNECT origin.example:443 HTTP/1.1\r\nHost: origin.example:443\r\n\r\n")
|
|
if err != nil {
|
|
t.Fatalf("write connect request: %v", err)
|
|
}
|
|
|
|
reader := bufio.NewReader(conn)
|
|
statusLine, err := reader.ReadString('\n')
|
|
if err != nil {
|
|
t.Fatalf("read status line: %v", err)
|
|
}
|
|
if !strings.Contains(statusLine, "200") {
|
|
t.Fatalf("unexpected status line: %q", statusLine)
|
|
}
|
|
|
|
headers, err := textproto.NewReader(reader).ReadMIMEHeader()
|
|
if err != nil {
|
|
t.Fatalf("read headers: %v", err)
|
|
}
|
|
respHeader := http.Header(headers)
|
|
if got := respHeader.Get("Content-Length"); got != "" {
|
|
t.Fatalf("CONNECT response should not include Content-Length, got %q", got)
|
|
}
|
|
if got := respHeader.Get("Transfer-Encoding"); got != "" {
|
|
t.Fatalf("CONNECT response should not include Transfer-Encoding, got %q", got)
|
|
}
|
|
if gotVia := respHeader.Values("Via"); len(gotVia) != 2 || gotVia[0] != "1.1 upstream" || gotVia[1] != "1.1 proxy.test" {
|
|
t.Fatalf("unexpected Via response header: %#v", gotVia)
|
|
}
|
|
|
|
if _, err := io.WriteString(conn, "ping\n"); err != nil {
|
|
t.Fatalf("write tunneled payload: %v", err)
|
|
}
|
|
message, err := reader.ReadString('\n')
|
|
if err != nil {
|
|
t.Fatalf("read tunneled payload: %v", err)
|
|
}
|
|
if message != "PING\n" {
|
|
t.Fatalf("unexpected tunneled payload: %q", message)
|
|
}
|
|
|
|
select {
|
|
case err := <-errCh:
|
|
t.Fatal(err)
|
|
default:
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyConnectNeedsHijacker(t *testing.T) {
|
|
t.Helper()
|
|
|
|
backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
hj, ok := w.(http.Hijacker)
|
|
if !ok {
|
|
t.Fatal("backend response writer does not support hijack")
|
|
}
|
|
conn, brw, err := hj.Hijack()
|
|
if err != nil {
|
|
t.Fatalf("backend hijack failed: %v", err)
|
|
}
|
|
defer conn.Close()
|
|
|
|
_, _ = io.WriteString(brw, "HTTP/1.1 200 Connection Established\r\n\r\n")
|
|
_ = brw.Flush()
|
|
}))
|
|
defer backend.Close()
|
|
|
|
engine := New()
|
|
engine.Handle(http.MethodConnect, "/tunnel", ReverseProxy(ReverseProxyConfig{Target: mustParseURL(t, backend.URL)}))
|
|
|
|
req := httptest.NewRequest(http.MethodConnect, "http://client.example/tunnel", nil)
|
|
req.URL.Path = "/tunnel"
|
|
req.RequestURI = "/tunnel"
|
|
rr := httptest.NewRecorder()
|
|
engine.ServeHTTP(rr, req)
|
|
|
|
if rr.Code != http.StatusNotImplemented {
|
|
t.Fatalf("unexpected status: %d", rr.Code)
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyAbortsStreamingCopyFailure(t *testing.T) {
|
|
t.Helper()
|
|
|
|
engine := New()
|
|
engine.GET("/proxy", ReverseProxy(ReverseProxyConfig{
|
|
Target: mustParseURL(t, "http://example.com"),
|
|
Transport: roundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
|
return &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Header: http.Header{
|
|
"Content-Type": []string{"text/plain"},
|
|
},
|
|
Body: &failingReadCloser{chunks: []string{"ok"}, err: errors.New("boom")},
|
|
ContentLength: -1,
|
|
Request: req,
|
|
}, nil
|
|
}),
|
|
}))
|
|
|
|
proxy := httptest.NewServer(engine)
|
|
defer proxy.Close()
|
|
|
|
resp, err := proxy.Client().Get(proxy.URL + "/proxy")
|
|
if err != nil {
|
|
t.Fatalf("perform request: %v", err)
|
|
}
|
|
_, err = io.ReadAll(resp.Body)
|
|
_ = resp.Body.Close()
|
|
if err == nil {
|
|
t.Fatal("expected body read to fail after upstream copy error")
|
|
}
|
|
}
|
|
|
|
func TestReverseProxyRestoresHeadersAfter1xx(t *testing.T) {
|
|
t.Helper()
|
|
|
|
type oneXXInfo struct {
|
|
code int
|
|
header http.Header
|
|
}
|
|
|
|
backendTraceCh := make(chan struct{}, 1)
|
|
oneXXCh := make(chan oneXXInfo, 1)
|
|
|
|
transport := roundTripperFunc(func(req *http.Request) (*http.Response, error) {
|
|
trace := httptrace.ContextClientTrace(req.Context())
|
|
if trace == nil || trace.Got1xxResponse == nil {
|
|
return nil, errors.New("missing Got1xxResponse trace")
|
|
}
|
|
backendTraceCh <- struct{}{}
|
|
if err := trace.Got1xxResponse(http.StatusEarlyHints, textproto.MIMEHeader{"Link": {"</style.css>; rel=preload; as=style"}}); err != nil {
|
|
return nil, err
|
|
}
|
|
return &http.Response{
|
|
StatusCode: http.StatusOK,
|
|
Header: http.Header{
|
|
"Content-Type": []string{"text/plain"},
|
|
},
|
|
Body: io.NopCloser(strings.NewReader("ok")),
|
|
ContentLength: 2,
|
|
Request: req,
|
|
}, nil
|
|
})
|
|
|
|
engine := New()
|
|
engine.Use(func(c *Context) {
|
|
c.Writer.Header().Set("X-Request-Id", "req-123")
|
|
c.Next()
|
|
})
|
|
engine.GET("/proxy", ReverseProxy(ReverseProxyConfig{
|
|
Target: mustParseURL(t, "http://example.com"),
|
|
Transport: transport,
|
|
}))
|
|
|
|
proxy := httptest.NewServer(engine)
|
|
defer proxy.Close()
|
|
|
|
client := proxy.Client()
|
|
req, err := http.NewRequest(http.MethodGet, proxy.URL+"/proxy", nil)
|
|
if err != nil {
|
|
t.Fatalf("new request: %v", err)
|
|
}
|
|
req = req.WithContext(httptrace.WithClientTrace(req.Context(), &httptrace.ClientTrace{
|
|
Got1xxResponse: func(code int, header textproto.MIMEHeader) error {
|
|
oneXXCh <- oneXXInfo{code: code, header: http.Header(header).Clone()}
|
|
return nil
|
|
},
|
|
}))
|
|
|
|
resp, err := client.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("perform request: %v", err)
|
|
}
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
t.Fatalf("read body: %v", err)
|
|
}
|
|
_ = resp.Body.Close()
|
|
|
|
select {
|
|
case <-backendTraceCh:
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("expected proxy transport 1xx trace to be invoked")
|
|
}
|
|
|
|
var oneXX oneXXInfo
|
|
select {
|
|
case oneXX = <-oneXXCh:
|
|
case <-time.After(2 * time.Second):
|
|
t.Fatal("expected client to receive 1xx response")
|
|
}
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
t.Fatalf("unexpected status: %d", resp.StatusCode)
|
|
}
|
|
if string(body) != "ok" {
|
|
t.Fatalf("unexpected body: %q", string(body))
|
|
}
|
|
if got := resp.Header.Get("X-Request-Id"); got != "req-123" {
|
|
t.Fatalf("final response lost preserved header: %q", got)
|
|
}
|
|
if got := resp.Header.Get("Link"); got != "" {
|
|
t.Fatalf("interim 1xx header leaked into final response: %q", got)
|
|
}
|
|
if oneXX.code != http.StatusEarlyHints {
|
|
t.Fatalf("unexpected interim status: %d", oneXX.code)
|
|
}
|
|
if got := oneXX.header.Get("Link"); got != "</style.css>; rel=preload; as=style" {
|
|
t.Fatalf("unexpected interim Link header: %q", got)
|
|
}
|
|
if got := oneXX.header.Get("X-Request-Id"); got != "" {
|
|
t.Fatalf("final-only header leaked into interim response: %q", got)
|
|
}
|
|
}
|
|
|
|
type roundTripperFunc func(*http.Request) (*http.Response, error)
|
|
|
|
func (fn roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
|
|
return fn(req)
|
|
}
|
|
|
|
func mustParseURL(t *testing.T, raw string) *url.URL {
|
|
t.Helper()
|
|
u, err := url.Parse(raw)
|
|
if err != nil {
|
|
t.Fatalf("parse url %q: %v", raw, err)
|
|
}
|
|
return u
|
|
}
|
|
|
|
type failingReadCloser struct {
|
|
chunks []string
|
|
err error
|
|
}
|
|
|
|
func (r *failingReadCloser) Read(p []byte) (int, error) {
|
|
if len(r.chunks) == 0 {
|
|
return 0, r.err
|
|
}
|
|
n := copy(p, r.chunks[0])
|
|
r.chunks = r.chunks[1:]
|
|
return n, nil
|
|
}
|
|
|
|
func (r *failingReadCloser) Close() error {
|
|
return nil
|
|
}
|