From d0d79b75e755123eeef4bf3efb7be4dd0e0d7cd8 Mon Sep 17 00:00:00 2001 From: Andrew LeFevre Date: Fri, 1 Nov 2024 10:35:14 -0400 Subject: [PATCH 1/3] only redirect to the public addr of an app when an app redirect is required --- lib/web/app/handler.go | 8 ++++++-- lib/web/app/middleware.go | 6 +----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/web/app/handler.go b/lib/web/app/handler.go index 38de429b9c842..e81f686042b81 100644 --- a/lib/web/app/handler.go +++ b/lib/web/app/handler.go @@ -618,10 +618,14 @@ const ( // The URL's are formed this way to help isolate the path params reserved for the app // launchers route, where order and existence of previous params matter for this route. func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req launcherURLParams) string { + host := hostname + if req.requiresAppRedirect { + host = req.publicAddr + } u := url.URL{ Scheme: "https", Host: proxyPublicAddr, - Path: fmt.Sprintf("/web/launch/%s", hostname), + Path: fmt.Sprintf("/web/launch/%s", host), } // Presence of a stateToken means we are beginning an app auth exchange. @@ -634,7 +638,7 @@ func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req l v.Add("required-apps", req.requiredAppFQDNs) u.RawQuery = v.Encode() - urlPath := []string{"web", "launch", hostname} + urlPath := []string{"web", "launch", host} // The order and existence of previous params matter. // diff --git a/lib/web/app/middleware.go b/lib/web/app/middleware.go index 79e1586ff2afa..67b189de3a600 100644 --- a/lib/web/app/middleware.go +++ b/lib/web/app/middleware.go 
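Review bot: In makeAppRedirectURL (lib/web/app/handler.go), `req.publicAddr` replaces the hostname whenever `req.requiresAppRedirect` is set, with no check that it is non-empty; the `r.Host` fallback that this commit removes from redirectToLauncher used to cover the empty case. An empty value would produce the path `/web/launch/` here and an empty segment in `urlPath` in the second handler.go hunk. Guarding with `if req.requiresAppRedirect && req.publicAddr != "" {` keeps a fallback to the caller-supplied hostname. Where `publicAddr` is populated is not visible in this patch; if it can come from request parameters, it should also be rejected when it contains `/`, since the function's own comment says the order and existence of path params matter for this route. The function body continues past both hunks.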
@@ -81,12 +81,8 @@ func (h *Handler) redirectToLauncher(w http.ResponseWriter, r *http.Request, p l "https://goteleport.com/docs/application-access/guides/connecting-apps/#start-authproxy-service.") return trace.BadParameter("public address of the proxy is not set") } - host := p.publicAddr - if host == "" { - host = r.Host - } - addr, err := utils.ParseAddr(host) + addr, err := utils.ParseAddr(r.Host) if err != nil { return trace.Wrap(err) } From 722e81c4c1d2770b2548c24535a21ea0798e6e2c Mon Sep 17 00:00:00 2001 From: Andrew LeFevre Date: Fri, 1 Nov 2024 16:11:31 -0400 Subject: [PATCH 2/3] rename local variable from 'host' to 'addr' --- lib/web/app/handler.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/web/app/handler.go b/lib/web/app/handler.go index e81f686042b81..aaa0f1f195ac9 100644 --- a/lib/web/app/handler.go +++ b/lib/web/app/handler.go @@ -618,14 +618,14 @@ const ( // The URL's are formed this way to help isolate the path params reserved for the app // launchers route, where order and existence of previous params matter for this route. func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req launcherURLParams) string { - host := hostname + addr := hostname if req.requiresAppRedirect { - host = req.publicAddr + addr = req.publicAddr } u := url.URL{ Scheme: "https", Host: proxyPublicAddr, - Path: fmt.Sprintf("/web/launch/%s", host), + Path: fmt.Sprintf("/web/launch/%s", addr), } // Presence of a stateToken means we are beginning an app auth exchange. @@ -638,7 +638,7 @@ func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req l v.Add("required-apps", req.requiredAppFQDNs) u.RawQuery = v.Encode() - urlPath := []string{"web", "launch", host} + urlPath := []string{"web", "launch", addr} // The order and existence of previous params matter. // From c95e6ac03af92d1919ae4ec1f4393780e255fd0c Mon Sep 17 00:00:00 2001 
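Review bot: In redirectToLauncher (lib/web/app/middleware.go), `utils.ParseAddr(r.Host)` now takes the launcher address only from the client-supplied Host header, where `p.publicAddr` was previously preferred when set. The hunk does not show how `addr` is used afterwards or whether the request has already been matched to a registered app by that host, so this is worth confirming against the caller. I would record the expectation above the call, for example `// r.Host is client-controlled; it must resolve to a registered app before the launcher acts on it.` The function starts and ends outside the hunk.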
From: Andrew LeFevre Date: Fri, 1 Nov 2024 16:21:34 -0400 Subject: [PATCH 3/3] rename param --- lib/web/app/handler.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lib/web/app/handler.go b/lib/web/app/handler.go index aaa0f1f195ac9..a23742957136d 100644 --- a/lib/web/app/handler.go +++ b/lib/web/app/handler.go @@ -617,8 +617,7 @@ const ( // // The URL's are formed this way to help isolate the path params reserved for the app // launchers route, where order and existence of previous params matter for this route. -func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req launcherURLParams) string { - addr := hostname +func makeAppRedirectURL(r *http.Request, proxyPublicAddr, addr string, req launcherURLParams) string { if req.requiresAppRedirect { addr = req.publicAddr }