jetty · joakime · Sep 9, 2020 · Sep 2, 2020 · Sep 2, 2020 · Sep 8, 2020
diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java
@@ -598,16 +598,18 @@ public void handleSslSessionId(HttpField field)
         @SuppressWarnings("unused")
         public void handleHost(HttpField field)
         {
+            HostPort hostField = new HostPort(getLeftMost(field.getValue()));
+
             if (getForwardedPortAsAuthority() && !StringUtil.isEmpty(getForwardedPortHeader()))
             {
                 if (_host == null)
-                    _host = new PossiblyPartialHostPort(getLeftMost(field.getValue()));
+                    _host = new PossiblyPartialHostPort(hostField.getHost(), hostField.getPort());
                 else if (_host instanceof PortSetHostPort)
-                    _host = new HostPort(HostPort.normalizeHost(getLeftMost(field.getValue())), _host.getPort());
+                    _host = new HostPort(hostField.getHost(), hostField.getPort() > 0 ? hostField.getPort() : _host.getPort());
             }
             else if (_host == null)
             {
-                _host = new HostPort(getLeftMost(field.getValue()));
+                _host = hostField;
             }
         }
 

diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java
@@ -497,7 +497,67 @@ public static Stream<Arguments> cases()
                     .requestURL("http://fw.example.com:4333/")
                     .remoteAddr("8.5.4.3").remotePort(2222)
             ),
-
+            Arguments.of(new Request("X-Forwarded-* (Multiple Ports)")
+                    .headers(
+                        "GET / HTTP/1.1",
+                        "Host: myhost:10001",
+                        "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+                        "X-Forwarded-Port: 10002",
+                        "X-Forwarded-Proto: https",
+                        "X-Forwarded-Host: sub1.example.com:10003",
+                        "X-Forwarded-Server: sub2.example.com"
+                    ),
+                new Expectations()
+                    .scheme("https").serverName("sub1.example.com").serverPort(10003)
+                    .requestURL("https://sub1.example.com:10003/")
+                    .remoteAddr("127.0.0.1").remotePort(8888)
+            ),
+            Arguments.of(new Request("X-Forwarded-* (Multiple Ports - Server First)")
+                    .headers(
+                        "GET / HTTP/1.1",
+                        "X-Forwarded-Server: sub2.example.com:10007",
+                        "Host: myhost:10001",
+                        "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+                        "X-Forwarded-Proto: https",
+                        "X-Forwarded-Port: 10002",
+                        "X-Forwarded-Host: sub1.example.com:10003"
+                    ),
+                new Expectations()
+                    .scheme("https").serverName("sub1.example.com").serverPort(10003)
+                    .requestURL("https://sub1.example.com:10003/")
+                    .remoteAddr("127.0.0.1").remotePort(8888)
+            ),
+            Arguments.of(new Request("X-Forwarded-* (Multiple Ports - setForwardedPortAsAuthority = false)")
+                    .configureCustomizer((customizer) -> customizer.setForwardedPortAsAuthority(false))
+                    .headers(
+                        "GET / HTTP/1.1",
+                        "Host: myhost:10001",
+                        "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+                        "X-Forwarded-Port: 10002",
+                        "X-Forwarded-Proto: https",
+                        "X-Forwarded-Host: sub1.example.com:10003",
+                        "X-Forwarded-Server: sub2.example.com"
+                    ),
+                new Expectations()
+                    .scheme("https").serverName("sub1.example.com").serverPort(10003)
+                    .requestURL("https://sub1.example.com:10003/")
+                    .remoteAddr("127.0.0.1").remotePort(8888)
+            ),
+            Arguments.of(new Request("X-Forwarded-* (Multiple Ports Alt Order)")
+                    .headers(
+                        "GET / HTTP/1.1",
+                        "Host: myhost:10001",
+                        "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+                        "X-Forwarded-Proto: https",
+                        "X-Forwarded-Host: sub1.example.com:10003",
+                        "X-Forwarded-Port: 10002",
+                        "X-Forwarded-Server: sub2.example.com"
+                    ),
+                new Expectations()
+                    .scheme("https").serverName("sub1.example.com").serverPort(10003)
+                    .requestURL("https://sub1.example.com:10003/")
+                    .remoteAddr("127.0.0.1").remotePort(8888)
+            ),
             // =================================================================
             // Mixed Behavior
             Arguments.of(new Request("RFC7239 mixed with X-Forwarded-* headers")
@@ -585,7 +645,6 @@ public static Stream<Arguments> cases()
 
     @ParameterizedTest(name = "{0}")
     @MethodSource("cases")
-    @SuppressWarnings("unused")
     public void testDefaultBehavior(Request request, Expectations expectations) throws Exception
     {
         request.configure(customizer);
@@ -601,7 +660,6 @@ public void testDefaultBehavior(Request request, Expectations expectations) thro
 
     @ParameterizedTest(name = "{0}")
     @MethodSource("cases")
-    @SuppressWarnings("unused")
     public void testConfiguredBehavior(Request request, Expectations expectations) throws Exception
     {
         request.configure(customizerConfigured);