TUN-3889: Move host header override logic to httpService

chungthuang · nmldiegues · commit 594380874669 · 2021-02-23T14:19:47.000Z
diff --git a/ingress/origin_proxy.go b/ingress/origin_proxy.go
@@ -37,12 +37,20 @@ func (o *httpService) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Rewrite the request URL so that it goes to the origin service.
 	req.URL.Host = o.url.Host
 	req.URL.Scheme = o.url.Scheme
+	if o.hostHeader != "" {
+		// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.
+		req.Host = o.hostHeader
+	}
 	return o.transport.RoundTrip(req)
 }
 
 func (o *httpService) EstablishConnection(req *http.Request) (OriginConnection, *http.Response, error) {
 	req.URL.Host = o.url.Host
 	req.URL.Scheme = websocket.ChangeRequestScheme(o.url)
+	if o.hostHeader != "" {
+		// For incoming requests, the Host header is promoted to the Request.Host field and removed from the Header map.
+		req.Host = o.hostHeader
+	}
 	return newWSConnection(o.transport, req)
 }
 
diff --git a/ingress/origin_proxy_test.go b/ingress/origin_proxy_test.go
@@ -1,11 +1,18 @@
 package ingress
 
 import (
+	"context"
 	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"sync"
 	"testing"
 
 	"github.com/cloudflare/cloudflared/h2mux"
+	"github.com/cloudflare/cloudflared/websocket"
+	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestBridgeServiceDestination(t *testing.T) {
@@ -105,3 +112,47 @@ func TestBridgeServiceDestination(t *testing.T) {
 		}
 	}
 }
+
+func TestHTTPServiceHostHeaderOverride(t *testing.T) {
+	cfg := OriginRequestConfig{
+		HTTPHostHeader: t.Name(),
+	}
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, r.Host, t.Name())
+		if websocket.IsWebSocketUpgrade(r) {
+			respHeaders := websocket.NewResponseHeader(r)
+			for k, v := range respHeaders {
+				w.Header().Set(k, v[0])
+			}
+			w.WriteHeader(http.StatusSwitchingProtocols)
+			return
+		}
+		w.Write([]byte("ok"))
+	}
+	origin := httptest.NewServer(http.HandlerFunc(handler))
+	defer origin.Close()
+
+	originURL, err := url.Parse(origin.URL)
+	require.NoError(t, err)
+
+	httpService := &httpService{
+		url: originURL,
+	}
+	var wg sync.WaitGroup
+	log := zerolog.Nop()
+	shutdownC := make(chan struct{})
+	errC := make(chan error)
+	require.NoError(t, httpService.start(&wg, &log, shutdownC, errC, cfg))
+
+	req, err := http.NewRequest(http.MethodGet, originURL.String(), nil)
+	require.NoError(t, err)
+
+	resp, err := httpService.RoundTrip(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	req = req.Clone(context.Background())
+	_, resp, err = httpService.EstablishConnection(req)
+	require.NoError(t, err)
+	require.Equal(t, http.StatusSwitchingProtocols, resp.StatusCode)
+}
diff --git a/ingress/origin_service.go b/ingress/origin_service.go
@@ -59,15 +59,17 @@ func (o *unixSocketPath) Dial(reqURL *url.URL, headers http.Header) (*gws.Conn,
 }
 
 type httpService struct {
-	url       *url.URL
-	transport *http.Transport
+	url        *url.URL
+	hostHeader string
+	transport  *http.Transport
 }
 
 func (o *httpService) start(wg *sync.WaitGroup, log *zerolog.Logger, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {
 	transport, err := newHTTPTransport(o, cfg, log)
 	if err != nil {
 		return err
 	}
+	o.hostHeader = cfg.HTTPHostHeader
 	o.transport = transport
 	return nil
 }
diff --git a/origin/proxy.go b/origin/proxy.go
@@ -86,11 +86,6 @@ func (p *proxy) Proxy(w connection.ResponseWriter, req *http.Request, sourceConn
 		return nil
 	}
 
-	if hostHeader := rule.Config.HTTPHostHeader; hostHeader != "" {
-		req.Header.Set("Host", hostHeader)
-		req.Host = hostHeader
-	}
-
 	connectionProxy, ok := rule.Service.(ingress.StreamBasedOriginProxy)
 	if !ok {
 		p.log.Error().Msgf("%s is not a connection-oriented service", rule.Service)
@@ -125,11 +120,6 @@ func (p *proxy) proxyHTTP(w connection.ResponseWriter, req *http.Request, rule *
 	// Request origin to keep connection alive to improve performance
 	req.Header.Set("Connection", "keep-alive")
 
-	if hostHeader := rule.Config.HTTPHostHeader; hostHeader != "" {
-		req.Header.Set("Host", hostHeader)
-		req.Host = hostHeader
-	}
-
 	httpService, ok := rule.Service.(ingress.HTTPOriginProxy)
 	if !ok {
 		p.log.Error().Msgf("%s is not a http service", rule.Service)

Original file line number	Diff line number	Diff line change
`@@ -59,15 +59,17 @@ func (o unixSocketPath) Dial(reqURL url.URL, headers http.Header) (*gws.Conn,`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`type httpService struct {`
`62`		`- url *url.URL`
`63`		`- transport *http.Transport`
	`62`	`+ url *url.URL`
	`63`	`+ hostHeader string`
	`64`	`+ transport *http.Transport`
`64`	`65`	`}`
`65`	`66`
`66`	`67`	`func (o httpService) start(wg sync.WaitGroup, log *zerolog.Logger, shutdownC <-chan struct{}, errC chan error, cfg OriginRequestConfig) error {`
`67`	`68`	`transport, err := newHTTPTransport(o, cfg, log)`
`68`	`69`	`if err != nil {`
`69`	`70`	`return err`
`70`	`71`	`}`
	`72`	`+ o.hostHeader = cfg.HTTPHostHeader`
`71`	`73`	`o.transport = transport`
`72`	`74`	`return nil`
`73`	`75`	`}`