make http host header configurable when doing whawty remote upgrades …

…and for revocation sync
whawty · Nov 29, 2023 · e2f9df1 · e2f9df1
1 parent 3661bc1
commit e2f9df1
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 19 deletions.
diff --git a/auth/backend_whawty.go b/auth/backend_whawty.go
@@ -53,18 +53,20 @@ type WhawtyAuthConfig struct {
 	ConfigFile     string `yaml:"store"`
 	AutoReload     bool   `yaml:"autoreload"`
 	RemoteUpgrades *struct {
-		URL string               `yaml:"url"`
-		TLS *tlsconfig.TLSConfig `yaml:"tls"`
+		URL      string               `yaml:"url"`
+		HTTPHost string               `yaml:"http-host"`
+		TLS      *tlsconfig.TLSConfig `yaml:"tls"`
 	} `yaml:"remote-upgrades"`
 }
 
 type WhawtyAuthBackend struct {
-	store          *store.Dir
-	storeMutex     sync.RWMutex
-	upgradeChan    chan whawtyUpgradeRequest
-	upgradeTLSConf *tls.Config
-	infoLog        *log.Logger
-	dbgLog         *log.Logger
+	store           *store.Dir
+	storeMutex      sync.RWMutex
+	upgradeChan     chan whawtyUpgradeRequest
+	upgradeHTTPHost string
+	upgradeTLSConf  *tls.Config
+	infoLog         *log.Logger
+	dbgLog          *log.Logger
 }
 
 func NewWhawtyAuthBackend(conf *WhawtyAuthConfig, infoLog, dbgLog *log.Logger) (Backend, error) {
@@ -85,6 +87,7 @@ func NewWhawtyAuthBackend(conf *WhawtyAuthConfig, infoLog, dbgLog *log.Logger) (
 				return nil, fmt.Errorf("whawty-auth: remote-upgrade: %v", err)
 			}
 		}
+		b.upgradeHTTPHost = conf.RemoteUpgrades.HTTPHost
 		err = b.runRemoteUpgrader(conf.RemoteUpgrades.URL)
 		if err != nil {
 			return nil, err
@@ -104,13 +107,14 @@ type whawtyUpgradeRequest struct {
 	NewPassword string `json:"newpassword,omitempty"`
 }
 
-func remoteHTTPUpgrade(upgrade whawtyUpgradeRequest, remote string, client *http.Client, infoLog, dbgLog *log.Logger) {
+func remoteHTTPUpgrade(upgrade whawtyUpgradeRequest, remote, httpHost string, client *http.Client, infoLog, dbgLog *log.Logger) {
 	reqdata, err := json.Marshal(upgrade)
 	if err != nil {
 		infoLog.Printf("whawty-auth: error while encoding remote-upgrade request: %v", err)
 		return
 	}
 	req, _ := http.NewRequest("POST", remote, bytes.NewReader(reqdata))
+	req.Host = httpHost
 	req.Header.Set("Content-Type", "application/json")
 	resp, err := client.Do(req)
 	if err != nil {
@@ -124,15 +128,15 @@ func remoteHTTPUpgrade(upgrade whawtyUpgradeRequest, remote string, client *http
 	}
 }
 
-func remoteHTTPUpgrader(upgradeChan <-chan whawtyUpgradeRequest, remote string, client *http.Client, infoLog, dbgLog *log.Logger) {
+func remoteHTTPUpgrader(upgradeChan <-chan whawtyUpgradeRequest, remote, httpHost string, client *http.Client, infoLog, dbgLog *log.Logger) {
 	sem := make(chan bool, MaxConcurrentRemoteUpgrades)
 	for upgrade := range upgradeChan {
 		select {
 		case sem <- true:
 			dbgLog.Printf("whawty-auth: upgrading '%s' via %s", upgrade.Username, remote)
 			go func(upgrade whawtyUpgradeRequest, remote string) {
 				defer func() { <-sem }()
-				remoteHTTPUpgrade(upgrade, remote, client, infoLog, dbgLog)
+				remoteHTTPUpgrade(upgrade, remote, httpHost, client, infoLog, dbgLog)
 			}(upgrade, remote)
 		default:
 			dbgLog.Printf("whawty-auth: ignoring upgrade request for '%s' due to rate-limiting", upgrade.Username)
@@ -162,7 +166,7 @@ func (b *WhawtyAuthBackend) runRemoteUpgrader(remote string) error {
 	default:
 		return fmt.Errorf("whawty-auth: invalid upgrade url: %s", remote)
 	}
-	go remoteHTTPUpgrader(b.upgradeChan, remote, httpClient, b.infoLog, b.dbgLog)
+	go remoteHTTPUpgrader(b.upgradeChan, remote, b.upgradeHTTPHost, httpClient, b.infoLog, b.dbgLog)
 	return nil
 }
 

diff --git a/contrib/sample-cfg.yml b/contrib/sample-cfg.yml
@@ -36,6 +36,7 @@ cookie:
     # sync:
     #   interval: 10s
     #   base-url: https://localhost:1234
+    #   http-host: login.example.com
     #   token: this-is-a-very-secret-token
     #   tls:
     #     insecure-skip-verify: true
@@ -62,8 +63,10 @@ auth:
   #   autoreload: yes
   #   remote-upgrades:
   #     url: http://127.0.0.1:2345/api/update
+  #     http-host: passwd.example.com
   #     tls:
   #       insecure-skip-verify: true
+  #       server-name: passwd.example.com
   #       ca-certificates-data: |
   #         -----BEGIN CERTIFICATE-----
   #         ...

diff --git a/cookie/store.go b/cookie/store.go
@@ -57,6 +57,7 @@ type SignerVerifierConfig struct {
 type StoreSyncConfig struct {
 	Interval  time.Duration        `yaml:"interval"`
 	BaseURL   string               `yaml:"base-url"`
+	HTTPHost  string               `yaml:"http-host"`
 	TLSConfig *tlsconfig.TLSConfig `yaml:"tls"`
 	Token     string               `yaml:"token"`
 }
@@ -264,8 +265,9 @@ func (st *Store) verifyAndDecodeSignedRevocationList(signed SignedRevocationList
 	return
 }
 
-func (st *Store) syncRevocations(client *http.Client, syncBaseURL *url.URL, token string) {
-	req, _ := http.NewRequest("GET", syncBaseURL.JoinPath("revocations").String(), nil)
+func (st *Store) syncRevocations(client *http.Client, baseURL *url.URL, host, token string) {
+	req, _ := http.NewRequest("GET", baseURL.JoinPath("revocations").String(), nil)
+	req.Host = host
 	req.Header.Set("Authorization", "Bearer "+token)
 	resp, err := client.Do(req)
 	if err != nil {
@@ -301,11 +303,11 @@ func (st *Store) syncRevocations(client *http.Client, syncBaseURL *url.URL, toke
 	}
 }
 
-func (st *Store) runSync(interval time.Duration, syncBaseURL *url.URL, tlsConfig *tls.Config, token string) {
+func (st *Store) runSync(interval time.Duration, baseURL *url.URL, host string, tlsConfig *tls.Config, token string) {
 	client := &http.Client{}
-	switch syncBaseURL.Scheme {
+	switch baseURL.Scheme {
 	case "http":
-		st.infoLog.Printf("sync-store: using insecure url for sync: %s", syncBaseURL.String())
+		st.infoLog.Printf("sync-store: using insecure url for sync: %s", baseURL.String())
 	case "https":
 		if tlsConfig != nil {
 			client.Transport = &http.Transport{TLSClientConfig: tlsConfig}
@@ -322,7 +324,7 @@ func (st *Store) runSync(interval time.Duration, syncBaseURL *url.URL, tlsConfig
 			st.infoLog.Printf("cookie-store: stopping sync because ticker-channel is closed")
 			return
 		}
-		st.syncRevocations(client, syncBaseURL, token)
+		st.syncRevocations(client, baseURL, host, token)
 	}
 }
 
@@ -371,7 +373,7 @@ func (st *Store) initBackend(conf *Config) (err error) {
 
 	go st.runGC(conf.Backend.GCInterval)
 	if conf.Backend.Sync != nil {
-		go st.runSync(conf.Backend.Sync.Interval, syncBaseURL, syncTLSConfig, conf.Backend.Sync.Token)
+		go st.runSync(conf.Backend.Sync.Interval, syncBaseURL, conf.Backend.Sync.HTTPHost, syncTLSConfig, conf.Backend.Sync.Token)
 	}
 	return
 }