| /* |
| Copyright 2014 The Kubernetes Authors. |
| |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| */ |
| |
| package proxy |
| |
| import ( |
| "bytes" |
| "compress/gzip" |
| "fmt" |
| "io" |
| "io/ioutil" |
| "net/http" |
| "net/url" |
| "path" |
| "strings" |
| |
| "golang.org/x/net/html" |
| "golang.org/x/net/html/atom" |
| "k8s.io/klog" |
| |
| "k8s.io/apimachinery/pkg/util/net" |
| "k8s.io/apimachinery/pkg/util/sets" |
| ) |
| |
| // atomsToAttrs states which attributes of which tags require URL substitution. |
| // Sources: http://www.w3.org/TR/REC-html40/index/attributes.html |
| // http://www.w3.org/html/wg/drafts/html/master/index.html#attributes-1 |
| var atomsToAttrs = map[atom.Atom]sets.String{ |
| atom.A: sets.NewString("href"), |
| atom.Applet: sets.NewString("codebase"), |
| atom.Area: sets.NewString("href"), |
| atom.Audio: sets.NewString("src"), |
| atom.Base: sets.NewString("href"), |
| atom.Blockquote: sets.NewString("cite"), |
| atom.Body: sets.NewString("background"), |
| atom.Button: sets.NewString("formaction"), |
| atom.Command: sets.NewString("icon"), |
| atom.Del: sets.NewString("cite"), |
| atom.Embed: sets.NewString("src"), |
| atom.Form: sets.NewString("action"), |
| atom.Frame: sets.NewString("longdesc", "src"), |
| atom.Head: sets.NewString("profile"), |
| atom.Html: sets.NewString("manifest"), |
| atom.Iframe: sets.NewString("longdesc", "src"), |
| atom.Img: sets.NewString("longdesc", "src", "usemap"), |
| atom.Input: sets.NewString("src", "usemap", "formaction"), |
| atom.Ins: sets.NewString("cite"), |
| atom.Link: sets.NewString("href"), |
| atom.Object: sets.NewString("classid", "codebase", "data", "usemap"), |
| atom.Q: sets.NewString("cite"), |
| atom.Script: sets.NewString("src"), |
| atom.Source: sets.NewString("src"), |
| atom.Video: sets.NewString("poster", "src"), |
| |
| // TODO: css URLs hidden in style elements. |
| } |
| |
| // Transport is a transport for text/html content that replaces URLs in html |
| // content with the prefix of the proxy server |
| type Transport struct { |
| Scheme string |
| Host string |
| PathPrepend string |
| |
| http.RoundTripper |
| } |
| |
| // RoundTrip implements the http.RoundTripper interface |
| func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) { |
| // Add reverse proxy headers. |
| forwardedURI := path.Join(t.PathPrepend, req.URL.Path) |
| if strings.HasSuffix(req.URL.Path, "/") { |
| forwardedURI = forwardedURI + "/" |
| } |
| req.Header.Set("X-Forwarded-Uri", forwardedURI) |
| if len(t.Host) > 0 { |
| req.Header.Set("X-Forwarded-Host", t.Host) |
| } |
| if len(t.Scheme) > 0 { |
| req.Header.Set("X-Forwarded-Proto", t.Scheme) |
| } |
| |
| rt := t.RoundTripper |
| if rt == nil { |
| rt = http.DefaultTransport |
| } |
| resp, err := rt.RoundTrip(req) |
| |
| if err != nil { |
| message := fmt.Sprintf("Error: '%s'\nTrying to reach: '%v'", err.Error(), req.URL.String()) |
| resp = &http.Response{ |
| StatusCode: http.StatusServiceUnavailable, |
| Body: ioutil.NopCloser(strings.NewReader(message)), |
| } |
| return resp, nil |
| } |
| |
| if redirect := resp.Header.Get("Location"); redirect != "" { |
| resp.Header.Set("Location", t.rewriteURL(redirect, req.URL, req.Host)) |
| return resp, nil |
| } |
| |
| cType := resp.Header.Get("Content-Type") |
| cType = strings.TrimSpace(strings.SplitN(cType, ";", 2)[0]) |
| if cType != "text/html" { |
| // Do nothing, simply pass through |
| return resp, nil |
| } |
| |
| return t.rewriteResponse(req, resp) |
| } |
| |
| var _ = net.RoundTripperWrapper(&Transport{}) |
| |
| func (rt *Transport) WrappedRoundTripper() http.RoundTripper { |
| return rt.RoundTripper |
| } |
| |
| // rewriteURL rewrites a single URL to go through the proxy, if the URL refers |
| // to the same host as sourceURL, which is the page on which the target URL |
| // occurred, or if the URL matches the sourceRequestHost. If any error occurs (e.g. |
| // parsing), it returns targetURL. |
| func (t *Transport) rewriteURL(targetURL string, sourceURL *url.URL, sourceRequestHost string) string { |
| url, err := url.Parse(targetURL) |
| if err != nil { |
| return targetURL |
| } |
| |
| // Example: |
| // When API server processes a proxy request to a service (e.g. /api/v1/namespace/foo/service/bar/proxy/), |
| // the sourceURL.Host (i.e. req.URL.Host) is the endpoint IP address of the service. The |
| // sourceRequestHost (i.e. req.Host) is the Host header that specifies the host on which the |
| // URL is sought, which can be different from sourceURL.Host. For example, if user sends the |
| // request through "kubectl proxy" locally (i.e. localhost:8001/api/v1/namespace/foo/service/bar/proxy/), |
| // sourceRequestHost is "localhost:8001". |
| // |
| // If the service's response URL contains non-empty host, and url.Host is equal to either sourceURL.Host |
| // or sourceRequestHost, we should not consider the returned URL to be a completely different host. |
| // It's the API server's responsibility to rewrite a same-host-and-absolute-path URL and append the |
| // necessary URL prefix (i.e. /api/v1/namespace/foo/service/bar/proxy/). |
| isDifferentHost := url.Host != "" && url.Host != sourceURL.Host && url.Host != sourceRequestHost |
| isRelative := !strings.HasPrefix(url.Path, "/") |
| if isDifferentHost || isRelative { |
| return targetURL |
| } |
| |
| // Do not rewrite scheme and host if the Transport has empty scheme and host |
| // when targetURL already contains the sourceRequestHost |
| if !(url.Host == sourceRequestHost && t.Scheme == "" && t.Host == "") { |
| url.Scheme = t.Scheme |
| url.Host = t.Host |
| } |
| |
| origPath := url.Path |
| // Do not rewrite URL if the sourceURL already contains the necessary prefix. |
| if strings.HasPrefix(url.Path, t.PathPrepend) { |
| return url.String() |
| } |
| url.Path = path.Join(t.PathPrepend, url.Path) |
| if strings.HasSuffix(origPath, "/") { |
| // Add back the trailing slash, which was stripped by path.Join(). |
| url.Path += "/" |
| } |
| |
| return url.String() |
| } |
| |
| // rewriteHTML scans the HTML for tags with url-valued attributes, and updates |
| // those values with the urlRewriter function. The updated HTML is output to the |
| // writer. |
| func rewriteHTML(reader io.Reader, writer io.Writer, urlRewriter func(string) string) error { |
| // Note: This assumes the content is UTF-8. |
| tokenizer := html.NewTokenizer(reader) |
| |
| var err error |
| for err == nil { |
| tokenType := tokenizer.Next() |
| switch tokenType { |
| case html.ErrorToken: |
| err = tokenizer.Err() |
| case html.StartTagToken, html.SelfClosingTagToken: |
| token := tokenizer.Token() |
| if urlAttrs, ok := atomsToAttrs[token.DataAtom]; ok { |
| for i, attr := range token.Attr { |
| if urlAttrs.Has(attr.Key) { |
| token.Attr[i].Val = urlRewriter(attr.Val) |
| } |
| } |
| } |
| _, err = writer.Write([]byte(token.String())) |
| default: |
| _, err = writer.Write(tokenizer.Raw()) |
| } |
| } |
| if err != io.EOF { |
| return err |
| } |
| return nil |
| } |
| |
| // rewriteResponse modifies an HTML response by updating absolute links referring |
| // to the original host to instead refer to the proxy transport. |
| func (t *Transport) rewriteResponse(req *http.Request, resp *http.Response) (*http.Response, error) { |
| origBody := resp.Body |
| defer origBody.Close() |
| |
| newContent := &bytes.Buffer{} |
| var reader io.Reader = origBody |
| var writer io.Writer = newContent |
| encoding := resp.Header.Get("Content-Encoding") |
| switch encoding { |
| case "gzip": |
| var err error |
| reader, err = gzip.NewReader(reader) |
| if err != nil { |
| return nil, fmt.Errorf("errorf making gzip reader: %v", err) |
| } |
| gzw := gzip.NewWriter(writer) |
| defer gzw.Close() |
| writer = gzw |
| // TODO: support flate, other encodings. |
| case "": |
| // This is fine |
| default: |
| // Some encoding we don't understand-- don't try to parse this |
| klog.Errorf("Proxy encountered encoding %v for text/html; can't understand this so not fixing links.", encoding) |
| return resp, nil |
| } |
| |
| urlRewriter := func(targetUrl string) string { |
| return t.rewriteURL(targetUrl, req.URL, req.Host) |
| } |
| err := rewriteHTML(reader, writer, urlRewriter) |
| if err != nil { |
| klog.Errorf("Failed to rewrite URLs: %v", err) |
| return resp, err |
| } |
| |
| resp.Body = ioutil.NopCloser(newContent) |
| // Update header node with new content-length |
| // TODO: Remove any hash/signature headers here? |
| resp.Header.Del("Content-Length") |
| resp.ContentLength = int64(newContent.Len()) |
| |
| return resp, err |
| } |