httputil.ReverseProxy保留Host标头

本文讨论了如何使用 Go 语言的 httputil.ReverseProxy 创建一个反向代理服务器。作者遇到的问题是，尽管修改了请求标头，但 Host 标头仍会泄漏到后端服务器。经过调查，发现原因在于 url.host 的值仅在 request.host 为空的情况下使用。通过设置 request.host 为目标主机名，解决了 Host 标头泄漏问题。

我基本上是在尝试编写一个反向代理服务器，以便当我 curl localhost:8080/get 时，它会将请求代理到 https://nghttp2.org/httpbin/get。

注意：上面列出的 https://nghttp2.org/httpbin/get 服务是 http/2。但这种行为也会发生在 http/1 上，例如 https://httpbin.org/get。

我为此使用 httputil.reverseproxy，并且在自定义 host 标头时重写 url，以免将 localhost:8080 泄漏到实际后端。

但是，无论我在标头上设置多少次，请求仍然会通过 host: localhost:8080 到达后端。同样，我使用 mitmproxy 来监听请求，看起来 net/http.client 将 :authority 伪标头设置为 localhost:8080

这是我的源代码：

package main

import (
    "log"
    "net/http"
    "net/http/httputil"
)

func main() {
    proxy := &httputil.reverseproxy{
        transport: roundtripper(rt),
        director: func(req *http.request) {
            req.url.scheme = "https"
            req.url.host = "nghttp2.org"
            req.url.path = "/httpbin" + req.url.path
            req.header.set("host", "nghttp2.org") // <--- i set it here first
        },
    }
    log.fatal(http.listenandserve(":8080", proxy))
}

func rt(req *http.request) (*http.response, error) {
    log.printf("request received. url=%s", req.url)
    req.header.set("host", "nghttp2.org") // <--- i set it here as well
    defer log.printf("request complete. url=%s", req.url)

    return http.defaulttransport.roundtrip(req)
}


// roundtripper makes func signature a http.roundtripper
type roundtripper func(*http.request) (*http.response, error)
func (f roundtripper) roundtrip(req *http.request) (*http.response, error) { return f(req) }

当我查询 curl localhost:8080/get 时，请求被代理到 https://nghttp2.org/httpbin/get。回显的响应显然表明我设置 host 标头的指令没有执行任何操作：

{
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip",
    "Host": "localhost:8080",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "2601:602:9c02:16c2:fca3:aaab:3914:4a71",
  "url": "https://localhost:8080/httpbin/get"
}

mitmproxy 监听还清楚地表明该请求是通过 :authority 伪标头设置为 localhost:8080 发出的：

解决方案

来自http.request docs：

// for server requests, host specifies the host on which the url
        // is sought. per rfc 7230, section 5.4, this is either the value
        // of the "host" header or the host name given in the url itself.
        // it may be of the form "host:port". for international domain
        // names, host may be in punycode or unicode form. use
        // golang.org/x/net/idna to convert it to either format if
        // needed.
        // to prevent dns rebinding attacks, server handlers should
        // validate that the host header has a value for which the
        // handler considers itself authoritative. the included
        // servemux supports patterns registered to particular host
        // names and thus protects its registered handlers.
        //
        // for client requests, host optionally overrides the host
        // header to send. if empty, the request.write method uses
        // the value of url.host. host may contain an international
        // domain name.
        host string

因此，url.host 的值仅在 request.host 为空的情况下使用，但情况并非如此。设置 request.host 应该可以解决该问题：

req.Host = "nghttp2.org"

相关问题讨论here。

本篇关于《httputil.ReverseProxy保留Host标头》的介绍就到此结束啦，但是学无止境，想要了解学习更多关于Golang的相关知识，请关注golang学习网公众号！