-
Notifications
You must be signed in to change notification settings - Fork 60
Expand file tree
/
Copy pathproxies.js
More file actions
185 lines (160 loc) · 5.34 KB
/
Copy pathproxies.js
File metadata and controls
185 lines (160 loc) · 5.34 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
/** @import { Logger, Options, OnProxyEvent } from "http-proxy-middleware/dist/types.js" */
import { serverConfig } from "./serverConfig.js";
/** @type Logger */
const logger = serverConfig.DEBUG
? console
: {
info() {},
warn: console.warn,
error: console.error,
};
/**
* Server-side safety net: redirect the browser back to "/" if a non-JSON
* request receives a 401/Unauthorized response from the hub.
*
* Note: With Hub OIDC + react-oidc-context, client-side session management
* handles token expiry and re-authentication automatically. This handler
* remains as a fallback for non-AJAX requests (e.g. direct browser navigation
* to /hub/...) that would otherwise display a bare 401 response.
*
* @type OnProxyEvent["proxyRes"]
*/
const redirectIfUnauthorized = (proxyRes, req, res) => {
if (
!req.headers.accept?.includes("application/json") &&
(proxyRes.statusCode === 401 || proxyRes.statusMessage === "Unauthorized")
) {
res.writeHead(302, { Location: "/" }).end();
proxyRes?.destroy();
}
};
/**
* Set the RFC 7239 `Forwarded` header on the proxied request, but only when an
* upstream proxy has not already set one. This covers three deployment
* scenarios:
*
* 1. Dev (direct access) — no upstream proxy; no forwarded headers arrive.
* We derive `for`, `host`, and `proto` from the socket/request directly.
*
* 2. Vanilla K8s (e.g. minikube + ingress-nginx) — the ingress controller
* sets `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Host`
* before the request reaches the pod, but does not set `Forwarded`. We
* synthesize the RFC 7239 header from those legacy values so Hub gets a
* standard header that reflects the real client context.
*
* 3. OpenShift — HAProxy at the edge injects a `Forwarded` header itself.
* We leave it untouched (this avoids the duplicate-header problem that
* previously broke Keycloak on OpenShift).
*
* Notes:
* - IPv6 addresses in the `for=` token are bracketed and quoted per
* RFC 7239 §6.
* - `req.socket.encrypted` is used instead of `req.protocol` for the protocol
* fallback, because `req.protocol` in Express reflects the internal pod
* connection (always `http` inside Kubernetes), not the external protocol.
*
* @type OnProxyEvent["proxyReq"]
*/
const setForwardedHeader = (proxyReq, req, _res) => {
if (req.headers["forwarded"]) return;
const parts = [];
const clientIp =
String(req.headers["x-forwarded-for"] ?? "")
.split(",")[0]
.trim() || req.socket.remoteAddress;
if (clientIp) {
const forValue = clientIp.includes(":") ? `"[${clientIp}]"` : clientIp;
parts.push(`for=${forValue}`);
}
const host = req.headers["x-forwarded-host"] ?? req.headers.host;
if (host) {
parts.push(`host="${host}"`);
}
const proto =
String(req.headers["x-forwarded-proto"] ?? "")
.split(",")[0]
.trim() || (req.socket.encrypted ? "https" : "http");
parts.push(`proto=${proto}`);
proxyReq.setHeader("Forwarded", parts.join(";"));
};
/** @type Record<string, Options> */
export default {
devServer: {
pathFilter: "/",
target: "http://localhost:9001",
logger,
},
auth: {
pathFilter: "/auth",
target: serverConfig.KEYCLOAK_SERVER_URL || "http://localhost:9004",
logger,
changeOrigin: true,
on: {
proxyReq(proxyReq, req, _res) {
// Keycloak needs these header set so we can function in Kubernetes (non-OpenShift)
// https://www.keycloak.org/server/reverseproxy
//
// Note, on OpenShift, this works as the haproxy implementation
// for the OpenShift route is setting these for us automatically
//
// We saw problems with including the below broke the OpenShift route
// {"X-Forwarded-Proto", req.protocol} broke the OpenShift
// {"X-Forwarded-Port", req.socket.localPort}
// {"Forwarded", `for=${req.socket.remoteAddress};proto=${req.protocol};host=${req.headers.host}`}
// so we are not including even though they are customary
//
req.socket.remoteAddress &&
proxyReq.setHeader("X-Forwarded-For", req.socket.remoteAddress);
req.socket.remoteAddress &&
proxyReq.setHeader("X-Real-IP", req.socket.remoteAddress);
req.headers.host &&
proxyReq.setHeader("X-Forwarded-Host", req.headers.host);
},
},
},
oidc: {
pathFilter: "/oidc",
target: serverConfig.TACKLE_HUB_URL || "http://localhost:9002",
logger,
changeOrigin: true,
on: {
proxyReq: setForwardedHeader,
},
},
hub: {
pathFilter: "/hub",
target: serverConfig.TACKLE_HUB_URL || "http://localhost:9002",
logger,
changeOrigin: true,
pathRewrite: {
"^/hub": "",
},
on: {
proxyReq: setForwardedHeader,
proxyRes: redirectIfUnauthorized,
},
},
kai: {
pathFilter: "/kai",
target: serverConfig.TACKLE_HUB_URL || "http://localhost:9002",
logger,
changeOrigin: true,
pathRewrite: {
"^/kai": "/services/kai",
},
on: {
proxyReq: setForwardedHeader,
proxyRes: redirectIfUnauthorized,
},
},
kaiLLMProxy: {
pathFilter: "/llm-proxy",
target: serverConfig.KAI_LLM_PROXY_URL || "http://localhost:9003",
logger,
changeOrigin: true,
pathRewrite: {
"^/llm-proxy": "",
},
on: {},
},
};