Use X-Forwarded-Proto to determine port #634
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Using `X-Forwarded-Port` seems to be discouraged as it allows spoofing according to the Caddy proxy devs [0]: "For these X-Forwarded-* headers, by default, the proxy will ignore their values from incoming requests, to prevent spoofing." Instead we should use the X-Forwarded-Proto header to infer the port that the proxy was called at. So https indicates port 443, while http indicates port 80. Fixes SAML-Toolkits#633 [0]: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy?utm_source=chatgpt.com#defaults
Contributor
|
Hi @MetroMarv In this PR, you are assuming that proxies using HTTP_X_FORWARDED_PROTO and not providing HTTP_X_FORWARDED_PORT expect the "default" ports for those protocols to be used. Nothing in the Forwarded header documentation indicates that this should be the followed behavior. Applying this change could break environments not expecting the new behavior being introduced, so not merging it until it is clear that should be the behavior to follow. |
Author
|
As mentioned in the referenced ticket. My knowledge is purely based on ChatGPT. Maybe it doesn't make sense. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Using
X-Forwarded-Portseems to be discouraged as it allows spoofing according to the Caddy proxy devs 0:"For these X-Forwarded-* headers, by default, the proxy will ignore their values from incoming requests, to prevent spoofing."
Instead we should use the X-Forwarded-Proto header to infer the port that the proxy was called at. So https indicates port 443, while http indicates port 80.
Fixes #633