Don't override Host when forward-proxying - effectively preserving the transparent proxy approach #678
Conversation
|
Opinions, anyone? @JorTurFer |
|
is this correct @t0rr3sp3dr0 ? |
|
Just making note that this change is covered in the |
|
Yes, it makes sense that we don't override the Host header on incoming requests. Looking at the entire function, we shouldn't override the Director from httputil.NewSingleHostReverseProxy the way we are doing. We should call the original Director implementation and then make our changes, otherwise we are just using a blank httputil.ReverseProxy and not httputil.NewSingleHostReverseProxy. |
|
I would do something like this: superDirector := proxy.Director
proxy.Director = func(req *http.Request) {
host := req.URL.Host
superDirector(req)
req.URL.Host = host
// Strip client-provided forwarding headers to prevent IP spoofing.
req.Header.Del("Forwarded")
req.Header.Del("X-Forwarded-For")
req.Header.Del("X-Forwarded-Host")
req.Header.Del("X-Forwarded-Proto")
}For reference: |
similark
force-pushed
the
similark/preserve_proxy_host_header
branch
from
7324e29
to
9c7de79
Compare
|
@t0rr3sp3dr0 how about this? (I omitted the |
Signed-off-by: Or Koren <[email protected]>
similark
force-pushed
the
similark/preserve_proxy_host_header
branch
from
9c7de79
to
543c124
Compare
|
Opinions, anyone? @tomkerkhove @JorTurFer @t0rr3sp3dr0 |
|
@similark, I’m ok with the changes, but you need to rebase your branch. The file you patched moved to |
|
Also, update |
Provide a description of what has been changed
This small change solves #331 - when building the forward proxy request, there's no need to override the Host field, which trashes the Host header altogether. The request has the proper value in the URL, making it reach the target svc and still preserving the original Host. This makes it possible to treat the request properly down the road (at the application level)
Checklist
README.mddocs/directoryFixes #331