app/vmauth: follow-up for bc90f4aae6

- Allow specifying only a single HTTP header for reading auth tokens via -httpAuthHeader command-line flag.
  This is better from security PoV, since this prevents from accidental reading of auth token from undesired
  HTTP header. By default the -httpAuthHeader equals to Authorization. When it is overridden, then
  auth token isn't read from Authorization header - it is read only from the specified header.

- Document the -httpAuthHeader command-line flag at https://docs.victoriametrics.com/vmauth/#reading-auth-tokens-from-other-http-headers

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/pull/6009

app/vmauth/auth_config.go

@@ -43,6 +43,7 @@ var (
 		"This may be useful when url_prefix points to a hostname with dynamically scaled instances behind it. See https://docs.victoriametrics.com/vmauth.html#discovering-backend-ips")
 	discoverBackendIPsInterval = flag.Duration("discoverBackendIPsInterval", 10*time.Second, "The interval for re-discovering backend IPs if -discoverBackendIPs command-line flag is set. "+
 		"Too low value may lead to DNS errors")
+	httpAuthHeader = flag.String("httpAuthHeader", "Authorization", "HTTP request header to use for obtaining authorization tokens")
 )
 
 // AuthConfig represents auth config.
@@ -912,17 +913,15 @@ func getAuthTokensFromRequest(r *http.Request) []string {
 	var ats []string
 
 	// Obtain possible auth tokens from one of allowed auth headers
-	for _, headerName := range authHeaders {
-		if ah := r.Header.Get(headerName); ah != "" {
-			if strings.HasPrefix(ah, "Token ") {
-				// Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
-				// See https://docs.influxdata.com/influxdb/v2.0/api/
-				ah = strings.Replace(ah, "Token", "Bearer", 1)
-			}
-			at := "http_auth:" + ah
-			ats = append(ats, at)
-			break
+	headerName := *httpAuthHeader
+	if ah := r.Header.Get(headerName); ah != "" {
+		if headerName == "Authorization" && strings.HasPrefix(ah, "Token ") {
+			// Handle InfluxDB's proprietary token authentication scheme as a bearer token authentication
+			// See https://docs.influxdata.com/influxdb/v2.0/api/
+			ah = strings.Replace(ah, "Token", "Bearer", 1)
 		}
+		at := "http_auth:" + ah
+		ats = append(ats, at)
 	}
 
 	return ats

app/vmauth/main.go

@@ -56,8 +56,6 @@ var (
 		"See https://docs.victoriametrics.com/vmauth.html#backend-tls-setup")
 	backendTLSCAFile = flag.String("backend.TLSCAFile", "", "Optional path to TLS root CA file, which is used for TLS verification when connecting to backends over HTTPS. "+
 		"See https://docs.victoriametrics.com/vmauth.html#backend-tls-setup")
-	extraAuthHeaders = flagutil.NewArrayString("extraAuthHeader", "extra to Authorization auth header names")
-	authHeaders      = []string{"Authorization"}
 )
 
 func main() {
@@ -72,7 +70,6 @@ func main() {
 	if len(listenAddrs) == 0 {
 		listenAddrs = []string{":8427"}
 	}
-	authHeaders = append(authHeaders, (*extraAuthHeaders)...)
 	logger.Infof("starting vmauth at %q...", listenAddrs)
 	startTime := time.Now()
 	initAuthConfig()

docs/CHANGELOG.md

@@ -38,7 +38,7 @@ See also [LTS releases](https://docs.victoriametrics.com/lts-releases/).
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow discovering ip addresses for backend instances hidden behind a shared hostname, via `discover_backend_ips: true` option. This allows evenly spreading load among backend instances. See [these docs](https://docs.victoriametrics.com/vmauth/#discovering-backend-ips) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5707).
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP [query args](https://en.wikipedia.org/wiki/Query_string) via `src_query_args` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends) and [this feature request](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5878).
 * FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): allow routing incoming requests based on HTTP request headers via `src_headers` option at `url_map`. See [these docs](https://docs.victoriametrics.com/vmauth/#generic-http-proxy-for-different-backends).
-* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): added ability to set extra headers where to expect auth token (additionally to Authorization).
+* FEATURE: [vmauth](https://docs.victoriametrics.com/vmauth/): add ability to read auth tokens from arbitrary HTTP request header. Previously auth tokens were read only from `Authorization` HTTP request header. See [these docs](https://docs.victoriametrics.com/vmauth/#reading-auth-tokens-from-other-http-headers) for details.
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): reduce memory usage by up to 5x when aggregating over big number of unique [time series](https://docs.victoriametrics.com/keyconcepts/#time-series). The memory usage reduction is most visible when [stream deduplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) is enabled.
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): allow using `-streamAggr.dedupInterval` and `-remoteWrite.streamAggr.dedupInterval` command-line flags without the need to specify `-streamAggr.config` and `-remoteWrite.streamAggr.config`. See [these docs](https://docs.victoriametrics.com/stream-aggregation/#deduplication).
 * FEATURE: [stream aggregation](https://docs.victoriametrics.com/stream-aggregation/): add `-streamAggr.dropInputLabels` command-line flag, which can be used for dropping the listed labels from input samples before applying stream [de-duplication](https://docs.victoriametrics.com/stream-aggregation/#deduplication) and aggregation. This is faster and easier to use alternative to [input_relabel_configs](https://docs.victoriametrics.com/stream-aggregation/#relabeling). See [these docs](https://docs.victoriametrics.com/stream-aggregation/#dropping-unneeded-labels).

docs/vmauth.md

@@ -245,7 +245,6 @@ See [load-balancing docs](#load-balancing) for more details.
 * `-tls` enables accepting TLS connections at `-httpListenAddr`
 * `-tlsKeyFile` sets the path to TLS certificate key file
 * `-tlsCertFile` sets the path to TLS certificate file
-* `-extraAuthHeader` sets alternative headers for auth
 
 ### Basic Auth proxy
 
@@ -633,6 +632,16 @@ users:
 
 See config example of using IP filters [here](https://github.com/VictoriaMetrics/VictoriaMetrics/blob/master/app/vmauth/example_config_ent.yml).
 
+## Reading auth tokens from other HTTP headers
+
+`vmauth` reads `username`, `password` and `bearer_token` [config values](#auth-config) from `Authorization` request header.
+It is possible to read these values from any other request header by specifying it via `-httpAuthHeader` command-line flag.
+For example, the following command instructs `vmauth` to read auth token from `X-Amz-Firehose-Access-Key` header:
+
+```
+./vmauth -httpAuthHeader=X-Amz-Firehose-Access-Key
+```
+
 ## Auth config
 
 `-auth.config` is represented in the following simple `yml` format:
@@ -994,6 +1003,8 @@ See the docs at https://docs.victoriametrics.com/vmauth.html .
      Flag value can be read from the given file when using -httpAuth.password=file:///abs/path/to/file or -httpAuth.password=file://./relative/path/to/file . Flag value can be read from the given http/https url when using -httpAuth.password=http://host/path or -httpAuth.password=https://host/path
   -httpAuth.username string
      Username for HTTP server's Basic Auth. The authentication is disabled if empty. See also -httpAuth.password
+  -httpAuthHeader string
+     HTTP request header to use for obtaining authorization tokens (default "Authorization")
   -httpListenAddr array
      TCP address to listen for incoming http requests. See also -tls and -httpListenAddr.useProxyProtocol
      Supports an array of values separated by comma or specified via multiple flags.