proxy: set header X-Forwarded-Host #1483

Merged: 1 commit, Nov 23, 2021

@nod0n (Contributor) commented Nov 9, 2021

Set the X-Forwarded-Host header by default when used as a proxy.

from Mozilla:

The X-Forwarded-Host (XFH) header is a de-facto standard header for identifying the original host requested by the client in the Host HTTP request header.

@puppet-community-rangefinder

nginx is a class that may have no external impact to Forge modules.

This module is declared in 9 of 578 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

@root-expert added the enhancement (New feature or request) label Nov 9, 2021

@root-expert (Member) left a comment

Seems reasonable to me

@bastelfreak (Member) left a comment

I'm still not sure if this is a breaking change / if this adds any security issues for people that miss it. I would like to see a few more comments. @voxpupuli/collaborators any ideas?

@vchepkov (Contributor)

imho, no security implication. The original Host header already contains this information; this additional header helps generate a proper response by servers behind reverse proxies.

@TuningYourCode (Contributor)

Well, it's already sending the host as Host-header and there are also X-Real-Ip and X-Forwarded-For which could be critical too.
I guess if somebody cares about the fields as he has an untrusted upstream system he most likely already overwrites our default values.
I also think that almost nobody would proxy any requests to an untrusted upstream system anyway. For me no major release needed.

@baurmatt (Contributor) left a comment

Sounds reasonable :)

@bastelfreak merged commit a4aedf6 into voxpupuli:master Nov 23, 2021
@bastelfreak changed the title from "proxy set header X-Forwarded-Host" to "proxy: set header X-Forwarded-Host" Nov 23, 2021
@nod0n deleted the proxy_header branch January 20, 2022 06:08
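
How a backend behind such a proxy can consume the header safely, as an added example that is not part of this pull request or of the module: X-Forwarded-Host is honoured only when the connection comes from a trusted proxy, and the resulting name is checked against an allow-list. The function name `effective_host`, the proxy address range and the host names are assumptions made up for this illustration.

```python
import ipaddress

# Assumed deployment values (constructed for this example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def _normalize(host):
    """Lower-case a host value and drop an optional :port suffix."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def effective_host(peer_ip, headers):
    """Return the host name the application should use, or None to reject.

    X-Forwarded-Host is read only when the TCP peer is a trusted proxy;
    any other client could have set the header itself.
    """
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    candidate = hdr.get("x-forwarded-host") if from_proxy else None
    if candidate:
        # A proxy that appends instead of overwriting yields a comma-separated
        # list; the last entry was written by the proxy nearest to us.
        candidate = candidate.split(",")[-1]
    else:
        candidate = hdr.get("host", "")
    host = _normalize(candidate)
    # The proxy relays whatever Host the client sent, so the value is still
    # client-controlled and must match a known name before it is used.
    return host if host in ALLOWED_HOSTS else None
```

The allow-list check matters even for requests from the trusted proxy, because the proxy only copies the client's Host value into the new header.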