| author | Damien Neil <dneil@google.com> | 2022-05-19 13:20:21 -0700 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2022-08-12 16:38:28 +0000 |
| commit | 1513e57b704056b794f0706362fa3c949f2972a4 (patch) | |
| tree | 562c8d6053ca009a4705f3564b3023e8f2292129 /src/net/http/httputil/reverseproxy.go | |
| parent | 2cf49a76b674ee5075f3ed6ff857c5b3e7a8109a (diff) | |
| download | go-1513e57b704056b794f0706362fa3c949f2972a4.tar.xz | |
net/http/httputil: add X-Forwarded-{Host,Proto} headers in ReverseProxy
X-Forwarded-Host contains the original request's host.
X-Forwarded-Proto contains "http" or "https", depending on whether the
original request was made on a TLS-secured connection.
Setting either header to nil in Director disables adding the header,
same as for X-Forwarded-For.
Fixes #50465.
Change-Id: If8ed1f48d83f8ea0389c53519bc7994cb53891db
Reviewed-on: https://go-review.googlesource.com/c/go/+/407414
Reviewed-by: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src/net/http/httputil/reverseproxy.go')
| -rw-r--r-- | src/net/http/httputil/reverseproxy.go | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go
index b5d3ce7110..a5a3900fb3 100644
--- a/src/net/http/httputil/reverseproxy.go
+++ b/src/net/http/httputil/reverseproxy.go
@@ -28,14 +28,18 @@ import (
 // sends it to another server, proxying the response back to the
 // client.
 //
-// ReverseProxy by default sets the client IP as the value of the
-// X-Forwarded-For header.
+// ReverseProxy by default sets
+// - the X-Forwarded-For header to the client IP address;
+// - the X-Forwarded-Host header to the host of the original client
+// request; and
+// - the X-Forwarded-Proto header to "https" if the client request
+// was made on a TLS-enabled connection or "http" otherwise.
 //
 // If an X-Forwarded-For header already exists, the client IP is
-// appended to the existing values. As a special case, if the header
-// exists in the Request.Header map but has a nil value (such as when
-// set by the Director func), the X-Forwarded-For header is
-// not modified.
+// appended to the existing values.
+//
+// If a header exists in the Request.Header map but has a nil value
+// (such as when set by the Director func), it is not modified.
 //
 // To prevent IP spoofing, be sure to delete any pre-existing
 // X-Forwarded-For header coming from the client or
@@ -306,6 +310,16 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 outreq.Header.Set("X-Forwarded-For", clientIP)
 }
 }
+ if prior, ok := outreq.Header["X-Forwarded-Host"]; !(ok && prior == nil) {
+ outreq.Header.Set("X-Forwarded-Host", req.Host)
+ }
+ if prior, ok := outreq.Header["X-Forwarded-Proto"]; !(ok && prior == nil) {
+ if req.TLS == nil {
+ outreq.Header.Set("X-Forwarded-Proto", "http")
+ } else {
+ outreq.Header.Set("X-Forwarded-Proto", "https")
+ }
+ }
 res, err := transport.RoundTrip(outreq)
 if err != nil { |
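Review bot: The rewritten doc comment spells out the "already exists" case only for X-Forwarded-For (appended) and is silent on what happens to an existing X-Forwarded-Host or X-Forwarded-Proto, which the second hunk replaces via `Header.Set`. The spoofing paragraph in the trailing context lines also still names only X-Forwarded-For. I would add a sentence such as `// An existing X-Forwarded-Host or X-Forwarded-Proto value is replaced, not appended to.` and a short remark that X-Forwarded-Host carries the Host value the client sent, so backends should not treat it as authenticated. The comment block continues outside the hunk.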
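Review bot: `req.TLS == nil` describes only the connection into this proxy, and `Header.Set` discards whatever X-Forwarded-Proto was already on the request, so behind a TLS-terminating front end the backend would be told "http" for a request that reached the edge over HTTPS. From what the hunk shows, the only opt-out is the nil value, which drops the header rather than preserving the upstream one; a backend that keys redirects or secure-cookie decisions on this header could then behave incorrectly. Likewise `req.Host` is copied without validation, so X-Forwarded-Host is only as trustworthy as the client's Host header. I would put a comment above the two blocks, e.g. `// Overwrites any existing value. req.Host is client-controlled and req.TLS reflects only the hop into this proxy.` ServeHTTP begins and ends outside the hunk.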
