When "option forwardfor" is enabled in a frontend that uses backends,
"if-none" ignores the header name provided in the frontend.
This prevents haproxy from adding the X-Forwarded-For header if the option is not
used in the backend.
This may introduce security issues for servers/applications that rely on the
header provided by haproxy.
A minimal configuration which can reproduce the bug:
    defaults
        mode http

    listen OK
        bind :9000
        option forwardfor if-none
        server s1 127.0.0.1:80

    listen BUG-frontend
        bind :9001
        option forwardfor if-none
        default_backend BUG-backend

    backend BUG-backend
        server s1 127.0.0.1:80
---
src/proto_http.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/proto_http.c b/src/proto_http.c
index 7cf413d..b41b70a 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3249,9 +3249,10 @@ int http_process_request(struct session *s, struct
buffer *req, int an_bit)
*/
if ((s->fe->options | s->be->options) & PR_O_FWDFOR) {
struct hdr_ctx ctx = { .idx = 0 };
-
if (!((s->fe->options | s->be->options) & PR_O_FF_ALWAYS) &&
- http_find_header2(s->be->fwdfor_hdr_name,
s->be->fwdfor_hdr_len, req->p, &txn->hdr_idx, &ctx)) {
+ http_find_header2(s->be->fwdfor_hdr_len ?
s->be->fwdfor_hdr_name : s->fe->fwdfor_hdr_name,
+ s->be->fwdfor_hdr_len ?
s->be->fwdfor_hdr_len : s->fe->fwdfor_hdr_len,
+ req->p, &txn->hdr_idx, &ctx)) {
/* The header is set to be added only if none is present
* and we found it, so don't do anything.
*/
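Review bot: the backend-or-frontend selection is evaluated twice in the new http_find_header2() call (once for the header name, once for its length), which makes the condition hard to read and easy to desynchronise if one ternary is later edited without the other. Hoist the choice into two locals just after `struct hdr_ctx ctx = { .idx = 0 };`, e.g. `ff_name = s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_name : s->fe->fwdfor_hdr_name;` and `ff_len = s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_len : s->fe->fwdfor_hdr_len;`, then pass `ff_name, ff_len` to the lookup. The precedence this encodes (the backend's name wins whenever the backend sets one, the frontend's name otherwise) must match the name used when the header is actually appended further down in http_process_request(), which is outside the visible context of this hunk; a one-line comment stating that precedence here would also help, since the commit message is currently the only place it is explained.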
--
1.7.10
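For deployments that cannot take this patch yet, the configuration below is an added illustration of the workaround implied by the commit message; it is not part of the patch and not the project's own example. It keeps the reproducer's listener and backend names and ports and simply declares `option forwardfor if-none` in the backend as well as the frontend, so the backend's header name is set and the frontend/backend split no longer suppresses the X-Forwarded-For header.

```haproxy
defaults
    mode http

# Same frontend as the reproducer: the option alone here is not enough
# on unpatched versions when the request is routed to a separate backend.
listen BUG-frontend
    bind :9001
    option forwardfor if-none
    default_backend BUG-backend

# Workaround: repeat the option in the backend so its own header name is
# populated and the "if-none" check and the header insertion both apply.
backend BUG-backend
    option forwardfor if-none
    server s1 127.0.0.1:80
```

Applications behind this backend that derive the client address from X-Forwarded-For should be checked after the change: with the option in place the header is added when the client did not send one, and left untouched when it did, which is the behaviour the commit message says was being lost.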