On 06/20/2018 12:23 PM, Dilyan Palauzov wrote:
> Hello,
>
> I want to run cyrus-httpd behind a proxy, making it listen to 127.0.0.3:80. It then sends on /freebusy/user/me URL: http://127.0.0.3/freebusy/user/me , which I don't want. If I tweak the front-end, nginx, to rewrite 127.0.0.3 -> my hostname, Nginx is smart enough and removes the ETags sent by cyrus/httpd, so this approach does not work.
>
> Then I decided to insert "Forwarded: host=my host; proto=https" header, however imap/http_proxy.c:http_proto_host handles the Forwarded header only
>
>     if (config_mupdate_server && config_getstring(IMAPOPT_PROXYSERVERS) &&
>         (fwd = spool_getheader(req_hdrs, "Forwarded"))) {
>         /* Proxied request - parse last Forwarded header for proto and host */
>
> What is the rationale behind interpreting Forwarded only when mupdate_server and proxyservers are set?

I don't recall if I had any specific reason in mind when I added that check. The downside of removing the check is that a client can do as you plan to and can cause the server to change URLs in replies. I'm not a security expert, but this seems like something we don't allow a client to do.
I know that we (FastMail) run Cyrus behind nginx and this hasn't become an issue, unless our ops guys have patched Cyrus or found a different way to handle this in Nginx. Bron may know, once he wakes up.
--
Ken Murchison
Cyrus Development Team
FastMail US LLC