Problème de redirection #44

Closed
opened 2024-10-21 11:25:50 +02:00 by mlamalle · 1 comment
Owner

Lorsque j'ai plusieurs layers rewriter utilisant les méthodes get_cookie et redirect, il y a un comportement étrange : lorsqu'on accède au deuxième proxy, on est redirigé vers la redirection définie dans le premier proxy.

Exemple pour reproduire
oidc.yml

# First of the three reproduction files (oidc.yml): one Bouncer proxy with a
# `rewriter` layer and an `authn-oidc` layer.
# NOTE(review): presumably `from` lists the URL patterns this proxy matches
# and `to` is the upstream target — confirm against the Bouncer documentation.
from: ["*/outage*"]
to: https://mondomaine.com
enabled: true
weight: 0
recreate: true
layers:
  rewriter:
    type: rewriter
    enabled: true
    # NOTE(review): this layer has weight 100 and the oidc layer weight 0;
    # which of the two runs first depends on how weights are ordered — confirm.
    weight: 100
    options:
      rules:
        request:
        # The host is copied from the incoming request, i.e. a client-supplied
        # value; the upstream should not rely on it for security decisions.
        - set_host(ctx, vars.request.url.host)
        - set_url(ctx, vars.request.raw_url)
        # Issues a 302 when the "mon_cookie" cookie is absent. Only the
        # presence of the cookie is tested, never its value, so this rule is a
        # routing decision and not an access-control check. The redirect
        # target is a fixed literal, not derived from the request.
        - |
          let cook = get_cookie(ctx, "mon_cookie");
          cook == nil ? redirect(ctx, 302, "http://localhost:8090/outage") : nil
  oidc:
    type: authn-oidc
    enabled: true
    weight: 0
    options:
      oidc:
        clientId: "8636b166-b828-467f-b65c-aa051eb5a341"
        # SECURITY: a literal client secret in a publicly posted configuration
        # must be treated as disclosed: rotate it at the issuer and use a
        # placeholder value in shared reproductions.
        clientSecret: "gto_mcio6k5tzahyud5qgcll7pn6vzzkzenfurkp3tywrmi65vgdg44a"
        issuerURL: https://forge.cadoles.com/
        # The callback path is templated with the proxy name and layer name.
        loginCallbackPath: ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback"
        # Plain-HTTP localhost URLs are acceptable for a local reproduction
        # only. NOTE(review): a deployed proxy should use an HTTPS base URL.
        publicBaseURL: "http://localhost:8090/outage"
        postLogoutRedirectURLs:
          - http://localhost:8080
        scopes: ["profile", "openid", "email"]
        authParams:
          acr_values: "eidas2"
      cookie:
        maxAge: 60m

oidc2.yml

# Second reproduction file (oidc2.yml): same layout as oidc.yml, matching
# "*/depot*". Its layer is also named `rewriter`, as in the other two files.
# NOTE(review): presumably `from` lists the URL patterns this proxy matches
# and `to` is the upstream target — confirm against the Bouncer documentation.
from: ["*/depot*"]
to: https://mondomaine.com

enabled: true
weight: 200
recreate: true
layers:
  rewriter:
    type: rewriter
    enabled: true
    # NOTE(review): this layer has weight 100 and the oidc layer weight 0;
    # which of the two runs first depends on how weights are ordered — confirm.
    weight: 100
    options:
      rules:
        request:
        # The host is copied from the incoming request, i.e. a client-supplied
        # value; the upstream should not rely on it for security decisions.
        - set_host(ctx, vars.request.url.host)
        - set_url(ctx, vars.request.raw_url)
        # Issues a 302 to /depot when the "mon_cookie" cookie is absent. Only
        # the presence of the cookie is tested, never its value, so this is a
        # routing decision and not an access-control check.
        - |
          let cook = get_cookie(ctx, "mon_cookie");
          cook == nil ? redirect(ctx, 302, "http://localhost:8090/depot") : nil
  oidc:
    type: authn-oidc
    enabled: true
    weight: 0
    options:
      oidc:
        # Same client credentials as in the other two posted proxies.
        clientId: "8636b166-b828-467f-b65c-aa051eb5a341"
        # SECURITY: a literal client secret in a publicly posted configuration
        # must be treated as disclosed: rotate it at the issuer and use a
        # placeholder value in shared reproductions.
        clientSecret: "gto_mcio6k5tzahyud5qgcll7pn6vzzkzenfurkp3tywrmi65vgdg44a"
        issuerURL: https://forge.cadoles.com/
        # The callback path is templated with the proxy name and layer name.
        loginCallbackPath: ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback"
        # Plain-HTTP localhost URLs are acceptable for a local reproduction
        # only. NOTE(review): a deployed proxy should use an HTTPS base URL.
        publicBaseURL: "http://localhost:8090/depot"
        postLogoutRedirectURLs:
          - http://localhost:8080
        scopes: ["profile", "openid", "email"]
        authParams:
          acr_values: "eidas2"
      cookie:
        maxAge: 60m

oidc3.yml

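# Third reproduction file (oidc3.yml): same layout as the other two files,
# matching "*/suivi*". This is the proxy that the report says gets redirected
# to /depot instead of /suivi.
# NOTE(review): presumably `from` lists the URL patterns this proxy matches
# and `to` is the upstream target — confirm against the Bouncer documentation.
from: ["*/suivi*"]
to: https://mondomaine.com
enabled: true
weight: 200
recreate: true
layers:
  rewriter:
    type: rewriter
    enabled: true
    # NOTE(review): this layer has weight 100 and the oidc layer weight 0;
    # which of the two runs first depends on how weights are ordered — confirm.
    weight: 100
    options:
      rules:
        request:
        # The host is copied from the incoming request, i.e. a client-supplied
        # value; the upstream should not rely on it for security decisions.
        - set_host(ctx, vars.request.url.host)
        - set_url(ctx, vars.request.raw_url)
        # Issues a 302 to /suivi when the "mon_cookie" cookie is absent. Only
        # the presence of the cookie is tested, never its value, so this is a
        # routing decision and not an access-control check.
        # The posted listing lacked the closing quote on the redirect URL; it
        # is restored here so the rule matches the two sibling files.
        - |
          let cook = get_cookie(ctx, "mon_cookie");
          cook == nil ? redirect(ctx, 302, "http://localhost:8090/suivi") : nil
  oidc:
    type: authn-oidc
    enabled: true
    weight: 0
    options:
      oidc:
        # Same client credentials as in the other two posted proxies.
        clientId: "8636b166-b828-467f-b65c-aa051eb5a341"
        # SECURITY: a literal client secret in a publicly posted configuration
        # must be treated as disclosed: rotate it at the issuer and use a
        # placeholder value in shared reproductions.
        clientSecret: "gto_mcio6k5tzahyud5qgcll7pn6vzzkzenfurkp3tywrmi65vgdg44a"
        issuerURL: https://forge.cadoles.com/
        # The callback path is templated with the proxy name and layer name.
        loginCallbackPath: ".bouncer/authn/oidc/{{ .ProxyName }}/{{ .LayerName }}/callback"
        # Plain-HTTP localhost URLs are acceptable for a local reproduction
        # only. NOTE(review): a deployed proxy should use an HTTPS base URL.
        publicBaseURL: "http://localhost:8090/suivi"
        postLogoutRedirectURLs:
          - http://localhost:8080
        scopes: ["profile", "openid", "email"]
        authParams:
          acr_values: "eidas2"
      cookie:
        maxAge: 60m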

Accéder à http://localhost:8090/depot => OK
Accéder à http://localhost:8090/suivi => redirige sur /depot

Owner

Corrigé via #45


Reference: Cadoles/bouncer#44