ory · jrester · Dec 28, 2022 · Jan 27, 2023 · Mar 18, 2023 · Mar 18, 2023
@@ -5,6 +5,7 @@ package api
 
 import (
 	"net/http"
+	"net/url"
 	"strings"
 
 	"github.com/ory/oathkeeper/pipeline/authn"
@@ -41,13 +42,21 @@ func NewJudgeHandler(r decisionHandlerRegistry) *DecisionHandler {
 
 func (h *DecisionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 	if len(r.URL.Path) >= len(DecisionPath) && r.URL.Path[:len(DecisionPath)] == DecisionPath {
-		r.Method = x.OrDefaultString(r.Header.Get(xForwardedMethod), r.Method)
-		r.URL.Scheme = x.OrDefaultString(r.Header.Get(xForwardedProto),
-			x.IfThenElseString(r.TLS != nil, "https", "http"))
-		r.URL.Host = x.OrDefaultString(r.Header.Get(xForwardedHost), r.Host)
-		r.URL.Path = x.OrDefaultString(strings.SplitN(r.Header.Get(xForwardedUri), "?", 2)[0], r.URL.Path[len(DecisionPath):])
-
-		h.decisions(w, r)
+		// Copy the request information, instead of modifing the incoming request directly.
+		// This is nevessary because the middleware would otherwise use e.g. the method from "X-Forwarded-Method" for the response
+		// although the original request had another method, which leads to problem with the HEAD method.
+		// For more information see: https://github.com/thomseddon/traefik-forward-auth/issues/156
+		forwardedReq := &http.Request{
+			Method: x.OrDefaultString(r.Header.Get(xForwardedMethod), r.Method),
+			URL: &url.URL{
+				Scheme: x.OrDefaultString(r.Header.Get(xForwardedProto),
+					x.IfThenElseString(r.TLS != nil, "https", "http")),
+				Host: x.OrDefaultString(r.Header.Get(xForwardedHost), r.Host),
+				Path: x.OrDefaultString(strings.SplitN(r.Header.Get(xForwardedUri), "?", 2)[0], r.URL.Path[len(DecisionPath):]),
+			},
+			Header: r.Header,
+		}
+		h.decisions(w, forwardedReq)
 	} else {
 		next(w, r)
 	}

@@ -14,6 +14,7 @@ import (
 	"net/url"
 	"strconv"
 	"testing"
+	"time"
 
 	"github.com/julienschmidt/httprouter"
 	"github.com/stretchr/testify/assert"
@@ -299,6 +300,29 @@ func TestDecisionAPI(t *testing.T) {
 			code:  http.StatusOK,
 			authz: "",
 		},
+		{
+			d:   "HEAD request should not result in an read timeout",
+			url: ts.URL + "/decisions" + "/authn-anon/authz-allow/cred-noop/1234",
+			rulesRegexp: []rule.Rule{{
+				Match:          &rule.Match{Methods: []string{"HEAD"}, URL: ts.URL + "/authn-anon/authz-allow/cred-noop/<[0-9]+>"},
+				Authenticators: []rule.Handler{{Handler: "anonymous"}},
+				Authorizer:     rule.Handler{Handler: "allow"},
+				Mutators:       []rule.Handler{{Handler: "noop"}},
+				Upstream:       rule.Upstream{URL: ""},
+			}},
+			rulesGlob: []rule.Rule{{
+				Match:          &rule.Match{Methods: []string{"HEAD"}, URL: ts.URL + "/authn-anon/authz-allow/cred-noop/<[0-9]*>"},
+				Authenticators: []rule.Handler{{Handler: "anonymous"}},
+				Authorizer:     rule.Handler{Handler: "allow"},
+				Mutators:       []rule.Handler{{Handler: "noop"}},
+				Upstream:       rule.Upstream{URL: ""},
+			}},
+			transform: func(r *http.Request) {
+				r.Header.Add("X-Forwarded-Method", "HEAD")
+			},
+			code:  http.StatusOK,
+			authz: "",
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
 			testFunc := func(strategy configuration.MatchingStrategy) {
@@ -309,7 +333,10 @@ func TestDecisionAPI(t *testing.T) {
 					tc.transform(req)
 				}
 
-				res, err := http.DefaultClient.Do(req)
+				httpClient := http.Client{
+					Timeout: 2 * time.Second,
+				}
+				res, err := httpClient.Do(req)
 				require.NoError(t, err)
 
 				entireBody, err := io.ReadAll(res.Body)