> A few of our clients send us "GET https://host.example.com/path/to/url"; > style requests which some of our backends can't handle.
I'm not sure its a good idea to rewrite those request; clearly those clients are misconfigured. This are requests for forwarding proxies. You should deny service instead (and force them to fix their config). Rewriting those requests can open a security gap, imho. What if your backend is misconfigured as well and does forward proxying? Then your IP addresses will be abused as forwarding proxy and will soon appear on the "open proxies lists" on the internet. You don't want this. To answer your question: they way you are doing it seems correct to me; if you want to rewrite headers, I strongly suggest you include the header names, to avoid rewriting other headers, because they match your regexp as well (like in your case, the Referer). Lukas
