diff --git a/app/vmauth/auth_config.go b/app/vmauth/auth_config.go
index c299a6f66..a5fea2785 100644
--- a/app/vmauth/auth_config.go
+++ b/app/vmauth/auth_config.go
@@ -83,6 +83,7 @@ type UserInfo struct {
 concurrencyLimitCh chan struct{}
 concurrencyLimitReached *metrics.Counter
+ overrideHostHeader bool
 rt http.RoundTripper
@@ -149,6 +150,15 @@ func (h *Header) MarshalYAML() (interface{}, error) {
 return h.sOriginal, nil
 }
+func overrideHostHeader(headers []*Header) bool {
+ for _, h := range headers {
+ if h.Name == "Host" && h.Value == "" {
+ return true
+ }
+ }
+ return false
+}
+
 // URLMap is a mapping from source paths to target urls.
 type URLMap struct {
 // SrcPaths is an optional list of regular expressions, which must match the request path.
@@ -738,6 +748,7 @@ func parseAuthConfig(data []byte) (*AuthConfig, error) {
 if err := ui.initURLs(); err != nil {
 return nil, err
 }
+ ui.overrideHostHeader = overrideHostHeader(ui.HeadersConf.RequestHeaders)
 metricLabels, err := ui.getMetricLabels()
 if err != nil {
@@ -802,6 +813,7 @@ func parseAuthConfigUsers(ac *AuthConfig) (map[string]*UserInfo, error) {
 _ = ac.ms.GetOrCreateGauge(`vmauth_user_concurrent_requests_current`+metricLabels, func() float64 {
 return float64(len(ui.concurrencyLimitCh))
 })
+ ui.overrideHostHeader = overrideHostHeader(ui.HeadersConf.RequestHeaders)
 rt, err := newRoundTripper(ui.TLSCAFile, ui.TLSCertFile, ui.TLSKeyFile, ui.TLSServerName, ui.TLSInsecureSkipVerify)
 if err != nil {
diff --git a/app/vmauth/main.go b/app/vmauth/main.go
index 9611b19a5..ddc8a5dff 100644
--- a/app/vmauth/main.go
+++ b/app/vmauth/main.go
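Review bot: `overrideHostHeader` compares the header name case-sensitively (`h.Name == "Host"`), so a config entry spelled `host:` or `HOST:` is silently not recognised as the override and falls through to whatever the empty-value path does for any other header (the docs example `- "X-Forwarded-For:"` appears to use the same syntax to drop a header); unless the `Header` parser canonicalises names before this point, `if strings.EqualFold(h.Name, "Host") && h.Value == "" {` is the safer comparison. The empty-value syntax therefore has two meanings depending on the header name, which the unexported function should state, e.g. `// overrideHostHeader reports whether headers contain a "Host:" entry with an empty value; unlike other headers this does not remove Host but makes vmauth replace it with the target URL's host before forwarding.` If the same entry is also applied to `req.Header` later, note that net/http ignores a "Host" key in Header for outgoing requests and uses `req.Host`, so the flag computed here is presumably the only thing that takes effect.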
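Review bot: The `ui.overrideHostHeader = overrideHostHeader(ui.HeadersConf.RequestHeaders)` assignment is now duplicated between parseAuthConfig and parseAuthConfigUsers, and any further place that builds a UserInfo would silently lose the flag and fall back to forwarding the client-supplied Host. Computing it once where the other derived per-user state is initialised, for instance next to the visible `ui.initURLs()` call or in a small helper invoked from both paths, keeps the two call sites from drifting. Both enclosing functions start and end outside the hunks.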
@@ -235,7 +235,7 @@ func tryProcessingRequest(w http.ResponseWriter, r *http.Request, targetURL *url
 req := sanitizeRequestHeaders(r)
 req.URL = targetURL
- if req.URL.Scheme == "https" {
+ if req.URL.Scheme == "https" || ui.overrideHostHeader {
 // Override req.Host only for https requests, since https server verifies hostnames during TLS handshake,
 // so it expects the targetURL.Host in the request.
 // There is no need in overriding the req.Host for http requests, since it is expected that backend server
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 877514c67..c548e0283 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -29,6 +29,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
 ## tip
+* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow overriding `Host` header with a target host before sending to a downstream. See this [issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/6453)
 * FEATURE: [dashboards](https://grafana.com/orgs/victoriametrics): add [Grafana dashboard](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/dashboards/vmauth.json) and [alerting rules](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/deployment/docker/alerts-vmauth.yml) for [vmauth](https://docs.victoriametrics.com/vmauth/) dashboard. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4313) for details.
 * BUGFIX: [docker-compose](https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/deployment/docker#docker-compose-environment-for-victoriametrics): fix incorrect link to vmui from [VictoriaMetrics plugin in Grafana](https://github.com/VictoriaMetrics/VictoriaMetrics/tree/master/deployment/docker#grafana).
diff --git a/docs/vmauth.md b/docs/vmauth.md
index e296220a9..16defc06e 100644
--- a/docs/vmauth.md
+++ b/docs/vmauth.md
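Review bot: The comment directly below the changed condition still says "Override req.Host only for https requests", which is no longer true now that `ui.overrideHostHeader` is a second trigger, so a reader of main.go alone cannot tell why the host is rewritten for a plain-http backend. Suggest replacing that first comment line with `// Override req.Host for https (the TLS handshake verifies targetURL.Host) and whenever the user config asks for it via an empty "Host:" request header.` and keeping the remaining explanation of the http default. It is also worth recording the security reason the option exists: per the surrounding comment, for http backends the client-supplied Host otherwise appears to reach the backend unchanged, so a backend that routes by virtual host or builds absolute URLs from Host is exposed to whatever the client sent unless this override is configured. tryProcessingRequest begins before this hunk and its body continues after it.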
@@ -647,6 +647,15 @@ unauthorized_user: - "X-Forwarded-For:" ``` +it's also possible to update `Host` header to a backend's host name + +```yaml +unauthorized_user: + url_prefix: "http://backend:1234/" + headers: + - "Host:" # Update host header to a backend's host +``` + `vmauth` also supports the ability to set and remove HTTP response headers before returning the response from the backend to client. This is done via `response_headers` option. For example, the following [`-auth.config`](#auth-config) sets `Foo: bar` response header and removes `Server` response header before returning the response to client: