Added --preserve-host option to retain host header in upstream request.

ca5e1aa9 · James Groffen · d6af5224 · ca5e1aa9 · ca5e1aa9 · ca5e1aa9
Commit ca5e1aa9 authored Mar 8, 2018 by James Groffen
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ FEATURES:
 * Added the X-Auth-Audience to the upstream headers [#PR319](https://github.com/gambol99/keycloak-proxy/pull/319)
 * Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR315](https://github.com/gambol99/keycloak-proxy/pull/315)
 * Added a `enable-logout-redirect` which redirects the /oauth/logout to the provider [#PR327](https://github.com/gambol99/keycloak-proxy/pull/327)
+* Added a --preserve-host option to preserve the host header of the proxied request in the upstream request [#PR328](https://github.com/gambol99/keycloak-proxy/pull/328)
 * Adding additional metrics covering provider request latency, token breakdown [#PR324](https://github.com/gambol99/keycloak-proxy/pull/324)
 * Added environment variables alternatives for the forwarding username and password [#PR329]https://github.com/gambol99/keycloak-proxy/pull/329)
 * Changed the upstream-keepalive to default to true [#PR321](https://github.com/gambol99/keycloak-proxy/pull/321)

--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ GLOBAL OPTIONS:
   --upstream-ca value                       the path to a file container a CA certificate to validate the upstream tls endpoint
   --resources value                         list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'
   --headers value                           custom headers to the upstream request, key=value
+   --preserve-host                           preserve the host header of the proxied request in the upstream request (default: false)
   --enable-default-deny                     enables a default denial on all requests, you have to explicitly say what is permitted (recommended) (default: false)
   --enable-encrypted-token                  enable encryption for the access tokens (default: false)
   --enable-logging                          enable http logging of the requests (default: false)

--- a/config.go
+++ b/config.go
@@ -37,6 +37,7 @@ func newDefaultConfig() *Config {
 		LetsEncryptCacheDir:         "./cache/",
 		MatchClaims:                 make(map[string]string),
 		OpenIDProviderTimeout:       30 * time.Second,
+		PreserveHost:                false,
 		SecureCookie:                true,
 		ServerIdleTimeout:           120 * time.Second,
 		ServerReadTimeout:           5 * time.Second,

--- a/doc.go
+++ b/doc.go
@@ -175,6 +175,8 @@ type Config struct {
 	Resources []*Resource `json:"resources" yaml:"resources" usage:"list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'"`
 	// Headers permits adding customs headers across the board
 	Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"`
+	// PreserveHost preserves the host header of the proxied request in the upstream request
+	PreserveHost bool `json:"preserve-host" yaml:"preserve-host" usage:"preserve the host header of the proxied request in the upstream request"`
 	// EnableLogoutRedirect indicates we should redirect to the identity provider for logging out
 	EnableLogoutRedirect bool `json:"enable-logout-redirect" yaml:"enable-logout-redirect" usage:"indicates we should redirect to the identity provider for logging out"`

--- a/forwarding.go
+++ b/forwarding.go
@@ -50,7 +50,7 @@ func (r *oauthProxy) proxyMiddleware(next http.Handler) http.Handler {
 		if v := req.Header.Get("Host"); v != "" {
 			req.Host = v
 			req.Header.Del("Host")
-		} else {
+		} else if !r.config.PreserveHost {
 			req.Host = r.endpoint.Host
 		}