Don't override Host when forward-proxying - effectively preserving the transparent proxy approach #678
Opinions, anyone? @JorTurFer
Is this correct @t0rr3sp3dr0?
Just making note that this change is covered in the
Yes, it makes sense that we don't override the Host header on incoming requests. Looking at the entire function, we shouldn't override the `Director` from `httputil.NewSingleHostReverseProxy` the way we are doing. We should call the original `Director` implementation and then make our changes, otherwise we are just using a blank `httputil.ReverseProxy` and not `httputil.NewSingleHostReverseProxy`.

I would do something like this:

```go
superDirector := proxy.Director
proxy.Director = func(req *http.Request) {
	host := req.URL.Host
	superDirector(req)
	req.URL.Host = host
	// Strip client-provided forwarding headers to prevent IP spoofing.
	req.Header.Del("Forwarded")
	req.Header.Del("X-Forwarded-For")
	req.Header.Del("X-Forwarded-Host")
	req.Header.Del("X-Forwarded-Proto")
}
```

For reference:
7324e29 to 9c7de79
@t0rr3sp3dr0 how about this? (I omitted the
Signed-off-by: Or Koren <or.koren@similarweb.com>
9c7de79 to 543c124
Opinions, anyone? @tomkerkhove @JorTurFer @t0rr3sp3dr0
@similark, I’m ok with the changes, but you need to rebase your branch. The file you patched moved to
Also, update
Provide a description of what has been changed
This small change solves #331 - when building the forward proxy request, there's no need to override the Host field, which trashes the Host header altogether. The request has the proper value in the URL, making it reach the target svc and still preserving the original Host. This makes it possible to treat the request properly down the road (at the application level).
Checklist
README.md
docs/ directory

Fixes #331
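The behaviour discussed in this thread, as an added example that is not part of the PR or the project's code: it wraps the `Director` from `httputil.NewSingleHostReverseProxy`, never assigns `req.Host`, strips client-supplied forwarding headers, and reports what a loopback backend actually receives. The `overrideHost` switch, `probe`, the `Seen-*` response headers, the hostname `app.example.test` and the address `203.0.113.7` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newProxy wraps the stock Director; overrideHost=true models the Host override (added for contrast).
func newProxy(target *url.URL, overrideHost bool) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(target)
	superDirector := proxy.Director
	proxy.Director = func(req *http.Request) {
		superDirector(req) // routes via req.URL and leaves req.Host untouched
		if overrideHost {
			req.Host = target.Host // the client's Host header is lost here
		}
		// Strip client-provided forwarding headers to prevent IP spoofing.
		for _, h := range []string{"Forwarded", "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto"} {
			req.Header.Del(h)
		}
	}
	return proxy
}

// probe sends one constructed request through the proxy and returns the Host and
// X-Forwarded-For the backend saw, plus the backend's own host:port.
func probe(overrideHost bool) (host, xff, backendAddr string) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Seen-Host", r.Host)
		w.Header().Set("Seen-Xff", r.Header.Get("X-Forwarded-For"))
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL) // httptest always yields a valid URL
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Host = "app.example.test"                    // Host the client asked for
	req.Header.Set("X-Forwarded-For", "203.0.113.7") // client-supplied value
	rec := httptest.NewRecorder()
	newProxy(target, overrideHost).ServeHTTP(rec, req)
	h := rec.Result().Header
	return h.Get("Seen-Host"), h.Get("Seen-Xff"), target.Host
}

func main() {
	fmt.Println(probe(false))
	fmt.Println(probe(true))
}
```

Because the client's `X-Forwarded-For` is deleted inside the `Director`, the value the backend sees is the one `ReverseProxy` writes itself from the connection's remote address.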