Properly handle proxified requests in backend services delegating to Spring-boot ForwardedHeaderFilter #119

Merged
merged 1 commit into from
Dec 5, 2021

@groldan groldan commented Dec 5, 2021

Properly handle proxified requests in backend services delegating to Spring-boot ForwardedHeaderFilter

GeoServer uses a `URLMangler` extension point to make changes to exposed
URLs.

To deal with proxified requests, it relies on a `ProxifyingUrlMangler`
implementation, which can look at `X-Forwarded-*` HTTP request headers
and adapt URLs accordingly.

GeoServer-cloud had its own `CloudProxifyingURLMangler` extension point
implementation which relied on the same `X-Forwarded-*` request headers.

Problem is, one of the headers GeoServer relies on is `X-Forwarded-Path`,
which is an unofficial header, instead of the official `X-Forwarded-Prefix`.

By setting the config property `server.forward-headers-strategy: framework`
in all services' `bootstrap.yml` files, we now let spring-boot's
`ForwardedHeaderFilter` take care of reflecting the client-originated
protocol and address in the `HttpServletRequest`, and hence don't need
the `URLMangler` to perform proxy-related adaptations anymore.

Also works when the gateway is behind another proxy, as long as it sends the `Forwarded`
(and `X-Forwarded-Prefix` if needed) headers.

For example, a direct request to the gateway would return:

```
curl -s  "http://localhost:9090/wfs?request=getcapabilities&version=1.1.0" | xmllint --format -|grep http|head -n 5
<wfs:WFS_Capabilities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wfs" xmlns:wfs="http://www.opengis.net/wfs" xmlns:ows="http://www.opengis.net/ows" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:osm="http://geoserver.org/osm" xmlns:test="http://test2.com" version="1.1.0" xsi:schemaLocation="http://www.opengis.net/wfs http://localhost:9090/schemas/wfs/1.1.0/wfs.xsd" updateSequence="343">
          <ows:Get xlink:href="http://localhost:9090/wfs"/>
          <ows:Post xlink:href="http://localhost:9090/wfs"/>
          <ows:Get xlink:href="http://localhost:9090/wfs"/>
          <ows:Post xlink:href="http://localhost:9090/wfs"/>
```

While a proxied request would result in:

```
curl -s \
 -H "Forwarded: proto=https;host=edge.test.com:1111;for=10.0.0.1:8080" \
 -H "X-Forwarded-Prefix: /geoserver/cloud" \
 "http://localhost:9090/wfs?request=getcapabilities&version=1.1.0" | xmllint --format -|grep http|head -n 5

<wfs:WFS_Capabilities xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wfs" xmlns:wfs="http://www.opengis.net/wfs" xmlns:ows="http://www.opengis.net/ows" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:osm="http://geoserver.org/osm" xmlns:test="http://test2.com" version="1.1.0" xsi:schemaLocation="http://www.opengis.net/wfs https://edge.test.com:1111/geoserver/cloud/schemas/wfs/1.1.0/wfs.xsd" updateSequence="343">
          <ows:Get xlink:href="https://edge.test.com:1111/geoserver/cloud/wfs"/>
          <ows:Post xlink:href="https://edge.test.com:1111/geoserver/cloud/wfs"/>
          <ows:Get xlink:href="https://edge.test.com:1111/geoserver/cloud/wfs"/>
          <ows:Post xlink:href="https://edge.test.com:1111/geoserver/cloud/wfs"/>
```

…Spring-boot ForwardedHeaderFilter

GeoServer uses a `URLMangler` extension point to make changes to exposed
URLs.

To deal with proxified requests, it relies on a `ProxifyingUrlMangler`
implementation, which can look at `X-Forwarded-*` HTTP request headers
and adapt URLs accordingly.

GeoServer-cloud had its own `CloudProxifyingURLMangler` extension point
implementation which relied on the same `X-Forwarded-*` request headers.

Problem is, one of the headers GeoServer relies on is `X-Forwarded-Path`,
which is an unofficial header, instead of the official `X-Forwarded-Prefix`.

By setting the config property `server.forward-headers-strategy: framework`
in all services `bootstrap.yml` files, we now let spring-boot's
`ForwardedHeaderFilter` take care of reflecting the client-originated
protocol and address in the `HttpServletRequest`, and hence don't need
the `URLMangler` to perform proxy-related adaptations anymore.
@groldan groldan added the bug Something isn't working label Dec 5, 2021
@groldan groldan merged commit 3477eac into geoserver:main Dec 5, 2021
@groldan groldan deleted the gateway_context_path branch December 5, 2021 03:17
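
The URL rewriting shown in the two curl runs, as an added example that is not part of this PR or of Spring's code: a simplified Python model that applies `Forwarded` and `X-Forwarded-Prefix` only when the request's peer is a known proxy, because the application cannot tell a proxy-set header from a client-set one. The `TRUSTED_PROXIES` range, the function names and the validation patterns are assumptions.

```python
import ipaddress
import re

# Assumption: peers allowed to set forwarding headers (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")
PREFIX_RE = re.compile(r"(/[A-Za-z0-9._~-]+)+")


def parse_forwarded(value):
    """Parse the first element of an RFC 7239 Forwarded header into a dict."""
    params = {}
    for pair in value.split(",", 1)[0].split(";"):
        if "=" in pair:
            key, val = pair.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return params


def public_base_url(peer_ip, headers, scheme, host, path):
    """Build the advertised URL; forwarding headers count only from trusted peers."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return f"{scheme}://{host}{path}"  # client-supplied headers are ignored
    headers = {k.lower(): v for k, v in headers.items()}
    fwd = parse_forwarded(headers.get("forwarded", ""))
    # Accept only well-formed values so a header cannot inject arbitrary URL text.
    if fwd.get("proto", "").lower() in ("http", "https"):
        scheme = fwd["proto"].lower()
    if HOST_RE.fullmatch(fwd.get("host", "")):
        host = fwd["host"]
    prefix = headers.get("x-forwarded-prefix", "").rstrip("/")
    if not PREFIX_RE.fullmatch(prefix):
        prefix = ""
    return f"{scheme}://{host}{prefix}{path}"


# Constructed request mirroring the proxied curl call in the PR description.
SAMPLE_HEADERS = {
    "Forwarded": "proto=https;host=edge.test.com:1111;for=10.0.0.1:8080",
    "X-Forwarded-Prefix": "/geoserver/cloud",
}

if __name__ == "__main__":
    for peer in ("10.0.0.1", "203.0.113.7"):
        print(peer, public_base_url(peer, SAMPLE_HEADERS, "http", "localhost:9090", "/wfs"))
```
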