mirror of
https://github.com/fatedier/frp.git
synced 2026-07-18 06:19:18 +08:00
feat(proxy): add HTTP to HTTPS redirection support
This commit is contained in:
@@ -39,11 +39,15 @@ var ErrNoRouteFound = errors.New("no route found")
|
||||
|
||||
type HTTPReverseProxyOptions struct {
|
||||
ResponseHeaderTimeoutS int64
|
||||
// HTTPSRedirector, if set, redirects requests whose host has no HTTP
|
||||
// route but opted into HTTP to HTTPS redirection.
|
||||
HTTPSRedirector *HTTPSRedirector
|
||||
}
|
||||
|
||||
type HTTPReverseProxy struct {
|
||||
proxy http.Handler
|
||||
vhostRouter *Routers
|
||||
proxy http.Handler
|
||||
vhostRouter *Routers
|
||||
httpsRedirector *HTTPSRedirector
|
||||
|
||||
responseHeaderTimeout time.Duration
|
||||
}
|
||||
@@ -55,6 +59,7 @@ func NewHTTPReverseProxy(option HTTPReverseProxyOptions, vhostRouter *Routers) *
|
||||
rp := &HTTPReverseProxy{
|
||||
responseHeaderTimeout: time.Duration(option.ResponseHeaderTimeoutS) * time.Second,
|
||||
vhostRouter: vhostRouter,
|
||||
httpsRedirector: option.HTTPSRedirector,
|
||||
}
|
||||
proxy := &httputil.ReverseProxy{
|
||||
// Modify incoming requests by route policies.
|
||||
@@ -281,6 +286,12 @@ func (rp *HTTPReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request)
|
||||
return
|
||||
}
|
||||
|
||||
// Hosts without any real HTTP route may still ask for a redirect to
|
||||
// their HTTPS endpoint; registered HTTP routes always take precedence.
|
||||
if rc == nil && rp.httpsRedirector != nil && rp.httpsRedirector.Redirect(rw, newreq) {
|
||||
return
|
||||
}
|
||||
|
||||
if req.Method == http.MethodConnect {
|
||||
rp.connectHandler(rw, newreq)
|
||||
} else {
|
||||
|
||||
83
pkg/util/vhost/https_redirect.go
Normal file
83
pkg/util/vhost/https_redirect.go
Normal file
@@ -0,0 +1,83 @@
|
||||
// Copyright 2026 The frp Authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package vhost
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strconv"
|
||||
"sync"
|
||||
|
||||
httppkg "github.com/fatedier/frp/pkg/util/http"
|
||||
)
|
||||
|
||||
// HTTPSRedirector tracks domains of HTTPS proxies that opted into automatic
|
||||
// HTTP to HTTPS redirection. The HTTP reverse proxy consults it as a fallback
|
||||
// for hosts that have no real HTTP route, so registered HTTP proxies on the
|
||||
// same domain always take precedence over the redirect.
|
||||
type HTTPSRedirector struct {
|
||||
mu sync.RWMutex
|
||||
domains map[string]int // domain -> number of proxies requesting the redirect
|
||||
port int // port used in the redirect Location, as seen by browsers
|
||||
}
|
||||
|
||||
func NewHTTPSRedirector(port int) *HTTPSRedirector {
|
||||
return &HTTPSRedirector{
|
||||
domains: make(map[string]int),
|
||||
port: port,
|
||||
}
|
||||
}
|
||||
|
||||
func (r *HTTPSRedirector) Add(domain string) {
|
||||
r.mu.Lock()
|
||||
defer r.mu.Unlock()
|
||||
r.domains[domain]++
|
||||
}
|
||||
|
||||
func (r *HTTPSRedirector) Remove(domain string) {
|
||||
r.mu.Lock()
|
||||
defer r.mu.Unlock()
|
||||
if r.domains[domain] <= 1 {
|
||||
delete(r.domains, domain)
|
||||
} else {
|
||||
r.domains[domain]--
|
||||
}
|
||||
}
|
||||
|
||||
func (r *HTTPSRedirector) match(host string) bool {
|
||||
r.mu.RLock()
|
||||
defer r.mu.RUnlock()
|
||||
return r.domains[host] > 0
|
||||
}
|
||||
|
||||
// Redirect responds with a redirect to the HTTPS endpoint of the requested
|
||||
// host if the host opted into redirection. It reports whether the request
|
||||
// was handled.
|
||||
func (r *HTTPSRedirector) Redirect(rw http.ResponseWriter, req *http.Request) bool {
|
||||
if req.Method == http.MethodConnect {
|
||||
return false
|
||||
}
|
||||
host, err := httppkg.CanonicalHost(req.Host)
|
||||
if err != nil || !r.match(host) {
|
||||
return false
|
||||
}
|
||||
|
||||
target := "https://" + host
|
||||
if r.port != 443 {
|
||||
target += ":" + strconv.Itoa(r.port)
|
||||
}
|
||||
target += req.URL.RequestURI()
|
||||
http.Redirect(rw, req, target, http.StatusMovedPermanently)
|
||||
return true
|
||||
}
|
||||
46
pkg/util/vhost/https_redirect_test.go
Normal file
46
pkg/util/vhost/https_redirect_test.go
Normal file
@@ -0,0 +1,46 @@
|
||||
package vhost
|
||||
|
||||
import (
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestHTTPSRedirectorRedirect(t *testing.T) {
|
||||
r := NewHTTPSRedirector(443)
|
||||
r.Add("a.example.com")
|
||||
|
||||
// registered domain, port stripped from host, path and query preserved
|
||||
req := httptest.NewRequest("GET", "http://a.example.com:8080/foo?x=1", nil)
|
||||
rw := httptest.NewRecorder()
|
||||
require.True(t, r.Redirect(rw, req))
|
||||
require.Equal(t, 301, rw.Code)
|
||||
require.Equal(t, "https://a.example.com/foo?x=1", rw.Header().Get("Location"))
|
||||
|
||||
// unknown domain is not handled
|
||||
req = httptest.NewRequest("GET", "http://b.example.com/", nil)
|
||||
require.False(t, r.Redirect(httptest.NewRecorder(), req))
|
||||
}
|
||||
|
||||
func TestHTTPSRedirectorNonDefaultPort(t *testing.T) {
|
||||
r := NewHTTPSRedirector(8443)
|
||||
r.Add("a.example.com")
|
||||
|
||||
req := httptest.NewRequest("GET", "http://a.example.com/", nil)
|
||||
rw := httptest.NewRecorder()
|
||||
require.True(t, r.Redirect(rw, req))
|
||||
require.Equal(t, "https://a.example.com:8443/", rw.Header().Get("Location"))
|
||||
}
|
||||
|
||||
func TestHTTPSRedirectorRefCount(t *testing.T) {
|
||||
r := NewHTTPSRedirector(443)
|
||||
r.Add("a.example.com")
|
||||
r.Add("a.example.com")
|
||||
|
||||
r.Remove("a.example.com")
|
||||
require.True(t, r.match("a.example.com"), "domain removed while another proxy still references it")
|
||||
|
||||
r.Remove("a.example.com")
|
||||
require.False(t, r.match("a.example.com"))
|
||||
}
|
||||
Reference in New Issue
Block a user