From f8893807860e55c935c9a44142032cc4137b5b9d Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Tue, 30 Apr 2024 14:33:50 -0400
Subject: [PATCH 1/4] add 'no_forwarder' configuration option to the frontend configuration to avoid adding x-forwarded-for (#609)
---
 endpoints/publicProxy/config.go | 13 +++++++------
 endpoints/publicProxy/http.go | 3 +++
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/endpoints/publicProxy/config.go b/endpoints/publicProxy/config.go
index 54710c0ba..3f400ddd5 100644
--- a/endpoints/publicProxy/config.go
+++ b/endpoints/publicProxy/config.go
@@ -12,12 +12,13 @@ import (
 const V = 3
 
 type Config struct {
- V int
- Identity string
- Address string
- HostMatch string
- Oauth *OauthConfig
- Tls *endpoints.TlsConfig
+ V int
+ Identity string
+ Address string
+ HostMatch string
+ NoForwarder bool
+ Oauth *OauthConfig
+ Tls *endpoints.TlsConfig
 }
 
 type OauthConfig struct {
diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index 60fc44384..5eb516768 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -106,6 +106,9 @@ func newServiceProxy(cfg *Config, ctx ziti.Context) (*httputil.ReverseProxy, err
 director := proxy.Director
 proxy.Director = func(req *http.Request) {
 director(req)
+ if cfg.NoForwarder {
+ req.Header["X-Forwarded-For"] = nil
+ }
 req.Header.Set("X-Proxy", "zrok")
 }
 proxy.ModifyResponse = func(resp *http.Response) error {
From 1069d55b800d6cd9bb8a982c795be68a61d25f19 Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Tue, 30 Apr 2024 14:41:23 -0400
Subject: [PATCH 2/4] CHANGELOG
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3428d5ea5..308de50ac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
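Review bot: The new `NoForwarder` field in `Config` (endpoints/publicProxy/config.go) is undocumented, so its effect on proxied request headers can only be learned by reading http.go. I would add a field comment such as `// NoForwarder stops the frontend from adding X-Forwarded-For to proxied requests; the zero value keeps the default behaviour.` The subject line names the option `no_forwarder`, but how that key maps onto this field depends on the config loader, which is not visible in this hunk, so a small config round-trip test would be worth adding.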
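Review bot: The `req.Header["X-Forwarded-For"] = nil` marker in the `proxy.Director` closure of `newServiceProxy` (endpoints/publicProxy/http.go) is set inside Director, and the httputil documentation warns that hop-by-hop header removal runs after Director returns and can remove headers Director set. If that removal drops the nil entry, ReverseProxy would presumably go back to populating X-Forwarded-For from the connection's remote address, which is what `no_forwarder` is meant to prevent; the same ordering applies to the existing `X-Proxy` line. I would at least record the intent with `// nil, not Del: a present-but-nil entry tells ReverseProxy not to populate X-Forwarded-For`, and, if the project's Go version allows it, move this logic to `Rewrite`, which runs after hop-by-hop removal and adds no forwarding headers unless `SetXForwarded` is called. A regression test that enables `NoForwarder`, sends a request carrying a `Connection` header through the proxy and asserts the upstream sees no X-Forwarded-For would settle whether this matters here. The body of `newServiceProxy` starts and ends outside the hunk, so the surrounding proxy setup is not visible.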
@@ -2,6 +2,8 @@
 
 ## v0.4.28
 
+FEATURE: Added `no_forwarder` option to the public frontend configuration to avoid setting client addresses of intermediate infrastructure (https://github.com/openziti/zrok/issues/609)
+
 CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
 
 CHANGE: the Docker sharing guides were simplified and expanded
From 49652292b10a8f06ee0993a85367e51d1676f7a1 Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Wed, 1 May 2024 16:05:20 -0400
Subject: [PATCH 3/4] changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 68c2455b6..e58be3db4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ FEATURE: A Docker Compose project for self-hosting a zrok instance and [accompan
 
 FEATURE: Added `no_forwarder` option to the public frontend configuration to avoid setting client addresses of intermediate infrastructure (https://github.com/openziti/zrok/issues/609)
 
+FEATURE: Node.js support for the zrok SDK (https://github.com/openziti/zrok/issues/400)
+
 CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
 
 CHANGE: the Docker sharing guides were simplified and expanded
From 47f68c524477cef2044a27361bb4277d034d3d43 Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Mon, 6 May 2024 13:20:56 -0400
Subject: [PATCH 4/4] redundant changelog entry
---
 CHANGELOG.md | 2 --
 1 file changed, 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 357bf7f33..214e0b332 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,8 +8,6 @@ FEATURE: A Docker Compose project for self-hosting a zrok instance and [accompan
 
 FEATURE: Added `no_forwarder` option to the public frontend configuration to avoid setting client addresses of intermediate infrastructure (https://github.com/openziti/zrok/issues/609)
 
-FEATURE: Node.js support for the zrok SDK (https://github.com/openziti/zrok/issues/400)
-
 CHANGE: the container images run as "ziggy" (UID 2171) instead of the generic restricted user "nobody" (UID 65534). This reduces the risk of unexpected file permissions when binding the Docker host's filesystem to a zrok container.
 
 CHANGE: the Docker sharing guides were simplified and expanded