https://bz.apache.org/bugzilla/show_bug.cgi?id=63799
Bug ID: 63799
Summary: X-Forwarded-Host is a concatenated list instead of
containing one host
Product: Apache httpd-2
Version: 2.4.41
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Hi,
Apache httpd version 2.4.41
I found a strange behavior
when Apache is behind another proxy that has set X-Forwarded-Host already.
and the request goes through proxypass
X-Forwarded-Host got Host appended
instead of keeping original if exists
https://github.com/apache/httpd/blob/trunk/modules/proxy/proxy_util.c#L3839
Looks like someone has mix X-Forwarded-For (a list) with X-Forwarded-Host (only
one Host)
Way to reproduce :
```
FROM httpd:latest
RUN echo "\
LoadModule proxy_module modules/mod_proxy.so \n\
LoadModule proxy_http_module modules/mod_proxy_http.so \n\
<VirtualHost *> \n\
ProxyRequests Off \n\
ProxyPreserveHost Off \n\
ProxyPass /bar http://foo.intranet/bar \n\
</VirtualHost>" >> conf/httpd.conf
```
docker build . --tag foo
docker run -ti -p 3080:80 foo
curl -v -H 'X-Forwarded-Host: foo.bar' localhost:3080/bar
The header that foo.intranet gonna get will be:
`X-Forwarded-Host: foo.bar, localhost`
The proper behavior should be keep original (or replace if specified),
but do not concatenate - header do not match RFC then.
best regards
Wojciech
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
