frontend.go 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173
  1. package httpservers
  2. /*
  3. This file implements a very simple, lightweight reverse proxy so that REST and
  4. the webui can be accessed from a single endpoint.
  5. This makes external reverse proxies (treafik, haproxy, etc) easier, CORS goes
  6. away, and several other issues.
  7. */
  8. import (
  9. "net/http"
  10. "net/http/httputil"
  11. "net/url"
  12. "path"
  13. "strings"
  14. "github.com/OliveTin/OliveTin/internal/api"
  15. "github.com/OliveTin/OliveTin/internal/auth"
  16. "github.com/OliveTin/OliveTin/internal/auth/otoauth2"
  17. config "github.com/OliveTin/OliveTin/internal/config"
  18. "github.com/OliveTin/OliveTin/internal/executor"
  19. "github.com/OliveTin/OliveTin/internal/webhooks"
  20. log "github.com/sirupsen/logrus"
  21. )
  22. func applySecurityHeaders(cfg *config.Config, w http.ResponseWriter) {
  23. applyCSP(cfg, w)
  24. applyXContentTypeOptions(cfg, w)
  25. applyXFrameOptions(cfg, w)
  26. }
  27. func applyCSP(cfg *config.Config, w http.ResponseWriter) {
  28. if !cfg.Security.HeaderContentSecurityPolicy || cfg.Security.ContentSecurityPolicy == "" {
  29. return
  30. }
  31. w.Header().Set("Content-Security-Policy", cfg.Security.ContentSecurityPolicy)
  32. }
  33. func applyXContentTypeOptions(cfg *config.Config, w http.ResponseWriter) {
  34. if !cfg.Security.HeaderXContentTypeOptions {
  35. return
  36. }
  37. w.Header().Set("X-Content-Type-Options", "nosniff")
  38. }
  39. func applyXFrameOptions(cfg *config.Config, w http.ResponseWriter) {
  40. if !cfg.Security.HeaderXFrameOptions || cfg.Security.XFrameOptions == "" {
  41. return
  42. }
  43. w.Header().Set("X-Frame-Options", cfg.Security.XFrameOptions)
  44. }
  45. func securityHeadersMiddleware(cfg *config.Config, next http.Handler) http.Handler {
  46. return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  47. applySecurityHeaders(cfg, w)
  48. next.ServeHTTP(w, r)
  49. })
  50. }
  51. func isSensitiveLogHeaderName(name string) bool {
  52. switch strings.ToLower(name) {
  53. case "authorization", "cookie", "x-forwarded-access-token":
  54. return true
  55. default:
  56. return false
  57. }
  58. }
  59. func redactHeaderValuesForLog(name string, values []string) []string {
  60. if !isSensitiveLogHeaderName(name) {
  61. return values
  62. }
  63. out := make([]string, len(values))
  64. for i := range values {
  65. out[i] = "[redacted]"
  66. }
  67. return out
  68. }
  69. func logDebugRequest(cfg *config.Config, source string, r *http.Request) {
  70. if cfg.LogDebugOptions.SingleFrontendRequests {
  71. log.Debugf("SingleFrontend HTTP Req URL %v: %q", source, r.URL)
  72. if cfg.LogDebugOptions.SingleFrontendRequestHeaders {
  73. for name, values := range r.Header {
  74. log.Debugf("SingleFrontend HTTP Req Hdr: %v = %v", name, redactHeaderValuesForLog(name, values))
  75. }
  76. }
  77. }
  78. }
  79. func StartFrontendMux(cfg *config.Config, ex *executor.Executor) {
  80. log.WithFields(log.Fields{
  81. "address": cfg.ListenAddressSingleHTTPFrontend,
  82. }).Info("Starting single HTTP frontend")
  83. go StartPrometheus(cfg)
  84. mux := http.NewServeMux()
  85. apiPath, apiHandler := api.GetNewHandler(ex)
  86. log.Infof("API path is %s", apiPath)
  87. mux.Handle("/api/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  88. fn := path.Base(r.URL.Path)
  89. // Translate /api/foo/bar to /api/bar - this preserves compatibility
  90. // with OliveTin 2k.
  91. r.URL.Path = apiPath + fn
  92. log.WithFields(log.Fields{
  93. "path": r.URL.Path,
  94. }).Tracef("SingleFrontend HTTP API Req URL after rewrite")
  95. logDebugRequest(cfg, "api", r)
  96. apiHandler.ServeHTTP(w, r)
  97. }))
  98. oauth2handler := otoauth2.NewOAuth2Handler(cfg)
  99. auth.AddAuthChainFunction(oauth2handler.CheckUserFromOAuth2Cookie)
  100. auth.RegisterOAuth2SessionRevoker(oauth2handler.RevokeSession)
  101. mux.HandleFunc("/oauth/login", oauth2handler.HandleOAuthLogin)
  102. mux.HandleFunc("/oauth/callback", oauth2handler.HandleOAuthCallback)
  103. mux.HandleFunc("/readyz", handleReadyz)
  104. webhookHandler := webhooks.NewWebhookHandler(cfg, ex)
  105. mux.HandleFunc("/webhooks", webhookHandler.HandleWebhook)
  106. mux.HandleFunc("/webhooks/", webhookHandler.HandleWebhook)
  107. webuiServer := NewWebUIServer(cfg)
  108. mux.HandleFunc("/theme.css", webuiServer.generateThemeCss)
  109. mux.Handle("/custom-webui/", webuiServer.handleCustomWebui())
  110. mux.HandleFunc("/", webuiServer.handleWebui)
  111. if cfg.Prometheus.Enabled {
  112. promURL, _ := url.Parse("http://" + cfg.ListenAddressPrometheus)
  113. promProxy := httputil.NewSingleHostReverseProxy(promURL)
  114. mux.HandleFunc("/metrics", func(w http.ResponseWriter, r *http.Request) {
  115. logDebugRequest(cfg, "prom", r)
  116. promProxy.ServeHTTP(w, r)
  117. })
  118. }
  119. srv := &http.Server{
  120. Addr: cfg.ListenAddressSingleHTTPFrontend,
  121. Handler: securityHeadersMiddleware(cfg, mux),
  122. }
  123. log.Fatal(srv.ListenAndServe())
  124. }
  125. func handleReadyz(w http.ResponseWriter, r *http.Request) {
  126. w.Header().Set("Content-Type", "text/plain; charset=utf-8")
  127. w.WriteHeader(http.StatusOK)
  128. _, err := w.Write([]byte("OK. Single HTTP Frontend is ready.\n"))
  129. if err != nil {
  130. log.WithFields(log.Fields{
  131. "error": err,
  132. }).Warnf("Failed to write readyz response")
  133. }
  134. }