only redirect to the public addr of an app when an app redirect is re…

…quired
gravitational · Nov 1, 2024 · d0d79b7 · d0d79b7
1 parent 264d70c
commit d0d79b7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 7 deletions.
diff --git a/lib/web/app/handler.go b/lib/web/app/handler.go
@@ -618,10 +618,14 @@ const (
 // The URL's are formed this way to help isolate the path params reserved for the app
 // launchers route, where order and existence of previous params matter for this route.
 func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req launcherURLParams) string {
+	host := hostname
+	if req.requiresAppRedirect {
+		host = req.publicAddr
+	}
 	u := url.URL{
 		Scheme: "https",
 		Host:   proxyPublicAddr,
-		Path:   fmt.Sprintf("/web/launch/%s", hostname),
+		Path:   fmt.Sprintf("/web/launch/%s", host),
 	}
 
 	// Presence of a stateToken means we are beginning an app auth exchange.
@@ -634,7 +638,7 @@ func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req l
 		v.Add("required-apps", req.requiredAppFQDNs)
 		u.RawQuery = v.Encode()
 
-		urlPath := []string{"web", "launch", hostname}
+		urlPath := []string{"web", "launch", host}
 
 		// The order and existence of previous params matter.
 		//

diff --git a/lib/web/app/middleware.go b/lib/web/app/middleware.go
@@ -81,12 +81,8 @@ func (h *Handler) redirectToLauncher(w http.ResponseWriter, r *http.Request, p l
 			"https://goteleport.com/docs/application-access/guides/connecting-apps/#start-authproxy-service.")
 		return trace.BadParameter("public address of the proxy is not set")
 	}
-	host := p.publicAddr
-	if host == "" {
-		host = r.Host
-	}
 
-	addr, err := utils.ParseAddr(host)
+	addr, err := utils.ParseAddr(r.Host)
 	if err != nil {
 		return trace.Wrap(err)
 	}