parseCaddyfile parses the forward_auth directive, which has the same syntax as the reverse_proxy directive (in fact, the reverse_proxy directive's Unmarshaler is invoked by this function), but the resulting proxy is specially configured for most™️ auth gateways that support forward auth. The typical
(h httpcaddyfile.Helper)
| 62 | // } |
| 63 | // } |
| 64 | func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error) { |
| 65 | if !h.Next() { |
| 66 | return nil, h.ArgErr() |
| 67 | } |
| 68 | |
| 69 | // if the user specified a matcher token, use that |
| 70 | // matcher in a route that wraps both of our routes; |
| 71 | // either way, strip the matcher token and pass |
| 72 | // the remaining tokens to the unmarshaler so that |
| 73 | // we can gain the rest of the reverse_proxy syntax |
| 74 | userMatcherSet, err := h.ExtractMatcherSet() |
| 75 | if err != nil { |
| 76 | return nil, err |
| 77 | } |
| 78 | |
| 79 | // make a new dispenser from the remaining tokens so that we |
| 80 | // can reset the dispenser back to this point for the |
| 81 | // reverse_proxy unmarshaler to read from it as well |
| 82 | dispenser := h.NewFromNextSegment() |
| 83 | |
| 84 | // create the reverse proxy handler |
| 85 | rpHandler := &reverseproxy.Handler{ |
| 86 | // set up defaults for header_up; reverse_proxy already deals with |
| 87 | // adding the other three X-Forwarded-* headers, but for this flow, |
| 88 | // we want to also send along the incoming method and URI since this |
| 89 | // request will have a rewritten URI and method. |
| 90 | Headers: &headers.Handler{ |
| 91 | Request: &headers.HeaderOps{ |
| 92 | Set: http.Header{ |
| 93 | "X-Forwarded-Method": []string{"{http.request.method}"}, |
| 94 | "X-Forwarded-Uri": []string{"{http.request.uri}"}, |
| 95 | }, |
| 96 | }, |
| 97 | }, |
| 98 | |
| 99 | // we always rewrite the method to GET, which implicitly |
| 100 | // turns off sending the incoming request's body, which |
| 101 | // allows later middleware handlers to consume it |
| 102 | Rewrite: &rewrite.Rewrite{ |
| 103 | Method: "GET", |
| 104 | }, |
| 105 | |
| 106 | HandleResponse: []caddyhttp.ResponseHandler{}, |
| 107 | } |
| 108 | |
| 109 | // collect the headers to copy from the auth response |
| 110 | // onto the original request, so they can get passed |
| 111 | // through to a backend app |
| 112 | headersToCopy := make(map[string]string) |
| 113 | |
| 114 | // read the subdirectives for configuring the forward_auth shortcut |
| 115 | // NOTE: we delete the tokens as we go so that the reverse_proxy |
| 116 | // unmarshal doesn't see these subdirectives which it cannot handle |
| 117 | for dispenser.Next() { |
| 118 | for dispenser.NextBlock(0) { |
| 119 | // ignore any sub-subdirectives that might |
| 120 | // have the same name somewhere within |
| 121 | // the reverse_proxy passthrough tokens |
nothing calls this directly
no test coverage detected