#33569: Add support for multiple values for the x-forwarded-proto header
------------------------------------------------+------------------------
               Reporter:  heyts                 |          Owner:  nobody
                   Type:  Cleanup/optimization  |         Status:  new
              Component:  HTTP handling         |        Version:  dev
               Severity:  Normal                |       Keywords:
           Triage Stage:  Unreviewed            |      Has patch:  0
    Needs documentation:  0                     |    Needs tests:  0
Patch needs improvement:  0                     |  Easy pickings:  0
                  UI/UX:  0                     |
------------------------------------------------+------------------------
 When Django is deployed behind more than one proxy, the proxy behavior is
 sometimes to list the protocol as a comma-separated list.

 However, currently, Django expects only one value for the `x-forwarded-
 proto` header, instead of parsing it as a list of values and setting the
 protocol accordingly.

 `x-forwarded-proto` is a non-standard header, so there isn't a
 specification for its use, but different reverse-proxy vendors do use it
 in different ways, and some append the protocol as a comma-separated value
 from left-to-right (left being the furthermost proxy and rightmost being
 the closest).

 Similar issues have been raised and implemented in other projects, for
 example:

 Tornado:
 * Issue: https://github.com/tornadoweb/tornado/issues/2161
 * Implementation: https://github.com/tornadoweb/tornado/blob/00c9e0ae31a5a0d12e09109fb77ffe391bfe1131/tornado/httpserver.py#L347-L350

 Ruby:
 * Issue: https://bugs.ruby-lang.org/issues/10789
 * Implementation: https://github.com/ruby/ruby/blob/d92f09a5eea009fa28cd046e9d0eb698e3d94c5c/tool/lib/webrick/httprequest.rb#L614-L616

 Reactor-Netty:
 * https://github.com/reactor/reactor-netty/issues/976
 * Implementation: https://github.com/reactor/reactor-netty/commit/e190d5bbf65d88d3a0240cd60b81e1ee1907030e

 Most implementations use the leftmost or rightmost value. I would expect
 that, provided you are certain that the initial proxy can be trusted, the
 leftmost value makes the most sense, since it represents the original value
 at the entry point for the HTTP request, which is often where TLS is being
 terminated.

 A common example of this behavior is when using multiple AWS proxies, such
 as API Gateway proxying to an Elastic Load Balancer.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33569>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
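The behaviour the ticket describes, as an added example that is not Django's code and not part of the ticket: a simplified model of the exact-match check on `HTTP_X_FORWARDED_PROTO` beside a parser that splits the header on commas and consults the leftmost (entry-point) or rightmost (nearest proxy) value. The `META` dictionaries, the `position` parameter and the helper names are constructed for this example; the trust assumption is the one the reporter states, namely that the outermost proxy is the one setting the leftmost value.

```python
# Added example, not Django's implementation. Models the difference between
# comparing the whole X-Forwarded-Proto value and consulting one entry of a
# comma-separated list, as the ticket proposes.

# Mirrors the shape of Django's SECURE_PROXY_SSL_HEADER setting:
# (WSGI header name, value that means "the client connection was TLS").
PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def parse_forwarded_proto(header_value):
    """Split a possibly multi-valued X-Forwarded-Proto header into a list.

    Proxies that append rather than overwrite produce values such as
    "https,http": the leftmost entry was written by the proxy furthest from
    the application (the entry point, often the TLS terminator) and the
    rightmost by the proxy closest to it. Surrounding whitespace is ignored,
    empty entries are dropped and values are lower-cased for comparison.
    """
    if header_value is None:
        return []
    return [part.strip().lower() for part in header_value.split(",") if part.strip()]


def is_secure_exact_match(meta, proxy_ssl_header=PROXY_SSL_HEADER):
    """Simplified model of the current behaviour the ticket describes:
    the whole header value must equal the configured secure value, so a
    multi-valued "https,http" is treated as not secure."""
    header, secure_value = proxy_ssl_header
    value = meta.get(header)
    if value is None:
        return False
    return value == secure_value


def is_secure_multi_value(meta, proxy_ssl_header=PROXY_SSL_HEADER, position="leftmost"):
    """Proposed behaviour: parse the header as a list and consult one entry.

    position="leftmost" trusts the entry-point proxy; this is only sound when
    that proxy is known to overwrite (not merely append to) any value that
    arrived with the request, otherwise the leftmost entry is attacker-
    controlled input. position="rightmost" trusts the proxy adjacent to the
    application instead. Both choices appear in the implementations the
    ticket links; the reporter argues for leftmost.
    """
    header, secure_value = proxy_ssl_header
    protos = parse_forwarded_proto(meta.get(header))
    if not protos:
        return False
    if position == "leftmost":
        chosen = protos[0]
    elif position == "rightmost":
        chosen = protos[-1]
    else:
        raise ValueError("position must be 'leftmost' or 'rightmost'")
    return chosen == secure_value


# Constructed sample request metadata (WSGI-style keys), not captured traffic.
# Scenario from the ticket: API Gateway terminates TLS, then forwards over
# plain HTTP to a load balancer that appends its own protocol.
SAMPLE_META = {"HTTP_X_FORWARDED_PROTO": "https, http"}


def demo():
    return {
        "exact_match": is_secure_exact_match(SAMPLE_META),          # False
        "leftmost": is_secure_multi_value(SAMPLE_META, position="leftmost"),    # True
        "rightmost": is_secure_multi_value(SAMPLE_META, position="rightmost"),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The exact-match model returns `False` for the two-proxy case even though the client connection was TLS, which is the mismatch the ticket reports; the list-aware version returns `True` for the leftmost entry and `False` for the rightmost, so the `position` choice must follow which proxy in the chain is actually the trusted TLS terminator.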
