From c16eb91e0095a3d0db265167e1867443919456e3 Mon Sep 17 00:00:00 2001
From: Andrew LeFevre
Date: Fri, 1 Nov 2024 19:43:10 -0400
Subject: [PATCH] fix app access regression when the app is on a leaf cluster (#47778)

* only redirect to the public addr of an app when an app redirect is required
* rename local variable from 'host' to 'addr'
* rename param
---
 lib/web/app/handler.go | 9 ++++++---
 lib/web/app/middleware.go | 6 +-----
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/lib/web/app/handler.go b/lib/web/app/handler.go
index 4e34c3be4ba4f..86dd17daeba50 100644
--- a/lib/web/app/handler.go
+++ b/lib/web/app/handler.go
@@ -622,11 +622,14 @@ const (
 //
 // The URL's are formed this way to help isolate the path params reserved for the app
 // launchers route, where order and existence of previous params matter for this route.
-func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req launcherURLParams) string {
+func makeAppRedirectURL(r *http.Request, proxyPublicAddr, addr string, req launcherURLParams) string {
+ if req.requiresAppRedirect {
+ addr = req.publicAddr
+ }
 u := url.URL{
 Scheme: "https",
 Host: proxyPublicAddr,
- Path: fmt.Sprintf("/web/launch/%s", hostname),
+ Path: fmt.Sprintf("/web/launch/%s", addr),
 }
 
 // Presence of a stateToken means we are beginning an app auth exchange.
@@ -639,7 +642,7 @@ func makeAppRedirectURL(r *http.Request, proxyPublicAddr, hostname string, req l
 v.Add("required-apps", req.requiredAppFQDNs)
 u.RawQuery = v.Encode()
 
- urlPath := []string{"web", "launch", hostname}
+ urlPath := []string{"web", "launch", addr}
 
 // The order and existence of previous params matter.
 //
diff --git a/lib/web/app/middleware.go b/lib/web/app/middleware.go
index 79e1586ff2afa..67b189de3a600 100644
--- a/lib/web/app/middleware.go
+++ b/lib/web/app/middleware.go
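Review bot: In makeAppRedirectURL (lib/web/app/handler.go), the new override `addr = req.publicAddr` runs whenever `req.requiresAppRedirect` is set, with no check that `req.publicAddr` is non-empty. The middleware code this commit removes fell back to `r.Host` when the public address was empty; with that fallback gone, an empty value would yield a launcher path of `/web/launch/` with no app address in it. Unless the caller guarantees the field is populated in the redirect case (not visible here), guard the override: `if req.requiresAppRedirect && req.publicAddr != "" {`. The doc comment should also state that `addr` is replaced by the app's public address when an app redirect is required. The function body continues outside the hunk.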
@@ -81,12 +81,8 @@ func (h *Handler) redirectToLauncher(w http.ResponseWriter, r *http.Request, p l
 "https://goteleport.com/docs/application-access/guides/connecting-apps/#start-authproxy-service.")
 return trace.BadParameter("public address of the proxy is not set")
 }
- host := p.publicAddr
- if host == "" {
- host = r.Host
- }
 
- addr, err := utils.ParseAddr(host)
+ addr, err := utils.ParseAddr(r.Host)
 if err != nil {
 return trace.Wrap(err)
 }
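Review bot: `utils.ParseAddr(r.Host)` in redirectToLauncher now takes the client-supplied Host header as the only source for the address that ends up in the launcher redirect path, and nothing in this hunk documents or constrains that. The parse appears to check only address syntax, so whether the host names a registered app has to be enforced where the launcher resolves it; that code is outside the hunk and is worth confirming. I would add a comment above the call, e.g. `// r.Host is client-controlled: it only selects the /web/launch/<addr> path and must be matched against registered apps before a session is created.` The function starts and ends outside the hunk.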