diff options
| author | Damien Neil <dneil@google.com> | 2022-12-14 09:55:06 -0800 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2022-12-21 18:56:32 +0000 |
| commit | 458241f981e0a8e1d9e0b2f6ae53be62f00001d2 (patch) | |
| tree | 4a221262fae64f68e54d57f1247db5d5fc448120 /src/net/http/httputil/reverseproxy.go | |
| parent | 58f6022eee95f43b4e0dc640b012bb3f574898f1 (diff) | |
| download | go-458241f981e0a8e1d9e0b2f6ae53be62f00001d2.tar.xz | |
net/http/httputil: don't add X-Forwarded-{Host,Proto} after invoking Director funcs
This reverts CL 407414.
When forwarding an inbound request that contains an existing
X-Forwarded-Host or X-Forwarded-Proto header, a proxy might want
to preserve the header from the inbound request, replace it with
its own header, or not include any header at all.
CL 407414 replaces inbound X-Forwarded-{Host,Proto} headers by default,
and allows a Director func to disable sending these headers at all.
However, the Director hook API isn't sufficiently flexible to permit the
previous behavior of preserving inbound values unchanged.
The new Rewrite API does have this flexibility; users of Rewrite can
easily pick the exact behavior they want.
Revert the change to ReverseProxy when using a Director func.
Users who want a convenient way to set X-Forwarded-* headers to
reasonable values can migrate to Rewrite at their convenience,
and users depending on the current behavior will be unaffected.
For #50465.
Fixes #57132.
Change-Id: Ic42449c1bb525d6c9920bf721efbc519697f4f20
Reviewed-on: https://go-review.googlesource.com/c/go/+/457595
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Diffstat (limited to 'src/net/http/httputil/reverseproxy.go')
| -rw-r--r-- | src/net/http/httputil/reverseproxy.go | 30 |
1 files changed, 10 insertions, 20 deletions
diff --git a/src/net/http/httputil/reverseproxy.go b/src/net/http/httputil/reverseproxy.go index 190279ca00..58064a5332 100644 --- a/src/net/http/httputil/reverseproxy.go +++ b/src/net/http/httputil/reverseproxy.go @@ -131,17 +131,17 @@ type ReverseProxy struct { // Director must not access the provided Request // after returning. // - // By default, the X-Forwarded-For, X-Forwarded-Host, and - // X-Forwarded-Proto headers of the ourgoing request are - // set as by the ProxyRequest.SetXForwarded function. + // By default, the X-Forwarded-For header is set to the + // value of the client IP address. If an X-Forwarded-For + // header already exists, the client IP is appended to the + // existing values. As a special case, if the header + // exists in the Request.Header map but has a nil value + // (such as when set by the Director func), the X-Forwarded-For + // header is not modified. // - // If an X-Forwarded-For header already exists, the client IP is - // appended to the existing values. To prevent IP spoofing, be - // sure to delete any pre-existing X-Forwarded-For header - // coming from the client or an untrusted proxy. - // - // If a header exists in the Request.Header map but has a nil value - // (such as when set by the Director func), it is not modified. + // To prevent IP spoofing, be sure to delete any pre-existing + // X-Forwarded-For header coming from the client or + // an untrusted proxy. // // Hop-by-hop headers are removed from the request after // Director returns, which can remove headers added by @@ -446,16 +446,6 @@ func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { outreq.Header.Set("X-Forwarded-For", clientIP) } } - if prior, ok := outreq.Header["X-Forwarded-Host"]; !(ok && prior == nil) { - outreq.Header.Set("X-Forwarded-Host", req.Host) - } - if prior, ok := outreq.Header["X-Forwarded-Proto"]; !(ok && prior == nil) { - if req.TLS == nil { - outreq.Header.Set("X-Forwarded-Proto", "http") - } else { - outreq.Header.Set("X-Forwarded-Proto", "https") - } - } } if _, ok := outreq.Header["User-Agent"]; !ok { |