TUN-2850: Tunnel stripping Cloudflare headers

2020-03-30 22:51:48 +01:00 · 2020-03-30 22:51:48 +01:00 · 0b2b6c8e12
parent acea15161c
commit 0b2b6c8e12
1 changed files with 16 additions and 15 deletions
--- a/h2mux/header.go
+++ b/h2mux/header.go
@ -28,6 +28,10 @@ const (
 // HTTP/1 equivalents. See https://tools.ietf.org/html/rfc7540#section-8.1.2.3
 func H2RequestHeadersToH1Request(h2 []Header, h1 *http.Request) error {
 	for _, header := range h2 {
+		if !IsControlHeader(header.Name) {
+			continue
+		}
+
 		switch strings.ToLower(header.Name) {
 		case ":method":
 			h1.Method = header.Value
@ -72,25 +76,22 @@ func H2RequestHeadersToH1Request(h2 []Header, h1 *http.Request) error {
 				return fmt.Errorf("unparseable content length")
 			}
 			h1.ContentLength = contentLength
-		case "connection", "upgrade":
-			// for websocket header support
-			h1.Header.Add(http.CanonicalHeaderKey(header.Name), header.Value)
+		case RequestUserHeadersField:
+			// Do not forward the serialized headers to the origin -- deserialize them, and ditch the serialized version
+			// Find and parse user headers serialized into a single one
+			userHeaders, err := ParseUserHeaders(RequestUserHeadersField, h2)
+			if err != nil {
+				return errors.Wrap(err, "Unable to parse user headers")
+			}
+			for _, userHeader := range userHeaders {
+				h1.Header.Add(http.CanonicalHeaderKey(userHeader.Name), userHeader.Value)
+			}
 		default:
-			// Ignore any other header;
-			// User headers will be read from `RequestUserHeadersField`
-			continue
+			// All other control headers shall just be proxied transparently
+			h1.Header.Add(http.CanonicalHeaderKey(header.Name), header.Value)
 		}
 	}

-	// Find and parse user headers serialized into a single one
-	userHeaders, err := ParseUserHeaders(RequestUserHeadersField, h2)
-	if err != nil {
-		return errors.Wrap(err, "Unable to parse user headers")
-	}
-	for _, userHeader := range userHeaders {
-		h1.Header.Add(http.CanonicalHeaderKey(userHeader.Name), userHeader.Value)
-	}
-
 	return nil
 }