fix: retain proxy headers when behind proxy (#88)

alukach · web-flow · commit 74780f02e479 · 2025-09-02T21:57:44.000-07:00
When applying proxy headers to upstream requests, we should first attempt to retrieve those headers from the request. These requests may already be set if the STAC Auth Proxy is itself behind a reverse proxy (e.g., NGINX). Related to #86
diff --git a/src/stac_auth_proxy/handlers/reverse_proxy.py b/src/stac_auth_proxy/handlers/reverse_proxy.py
@@ -37,14 +37,18 @@ def _prepare_headers(self, request: Request) -> MutableHeaders:
         headers = MutableHeaders(request.headers)
         headers.setdefault("Via", f"1.1 {self.proxy_name}")
 
-        proxy_client = request.client.host if request.client else "unknown"
-        proxy_proto = request.url.scheme
-        proxy_host = request.url.netloc
-        proxy_path = request.base_url.path
+        proxy_client = headers.get(
+            "X-Forwarded-For", request.client.host if request.client else "unknown"
+        )
+        proxy_proto = headers.get("X-Forwarded-Proto", request.url.scheme)
+        proxy_host = headers.get("X-Forwarded-Host", request.url.netloc)
+        proxy_path = headers.get("X-Forwarded-Path", request.base_url.path)
         headers.setdefault(
             "Forwarded",
             f"for={proxy_client};host={proxy_host};proto={proxy_proto};path={proxy_path}",
         )
+
+        # NOTE: This is useful if the upstream API does not support the Forwarded header
         if self.legacy_forwarded_headers:
             headers.setdefault("X-Forwarded-For", proxy_client)
             headers.setdefault("X-Forwarded-Host", proxy_host)
diff --git a/tests/test_reverse_proxy.py b/tests/test_reverse_proxy.py
@@ -6,10 +6,9 @@
 from stac_auth_proxy.handlers.reverse_proxy import ReverseProxyHandler
 
 
-@pytest.fixture
-def mock_request():
-    """Create a mock FastAPI request."""
-    scope = {
+def create_request(scope_overrides=None, headers=None):
+    """Create a mock FastAPI request with custom scope and headers."""
+    default_scope = {
         "type": "http",
         "method": "GET",
         "path": "/test",
@@ -19,7 +18,20 @@ def mock_request():
             (b"accept", b"application/json"),
         ],
     }
-    return Request(scope)
+
+    if scope_overrides:
+        default_scope.update(scope_overrides)
+
+    if headers:
+        default_scope["headers"] = headers
+
+    return Request(default_scope)
+
+
+@pytest.fixture
+def mock_request():
+    """Create a mock FastAPI request."""
+    return create_request()
 
 
 @pytest.fixture
@@ -28,15 +40,33 @@ def reverse_proxy_handler():
     return ReverseProxyHandler(upstream="http://upstream-api.com")
 
 
+@pytest.mark.parametrize(
+    "legacy_headers,override_host,proxy_name,expected_host,expected_via",
+    [
+        (False, True, "stac-auth-proxy", "upstream-api.com", "1.1 stac-auth-proxy"),
+        (True, True, "stac-auth-proxy", "upstream-api.com", "1.1 stac-auth-proxy"),
+        (False, False, "stac-auth-proxy", "localhost:8000", "1.1 stac-auth-proxy"),
+        (False, True, "custom-proxy", "upstream-api.com", "1.1 custom-proxy"),
+    ],
+)
 @pytest.mark.asyncio
-async def test_basic_headers(mock_request, reverse_proxy_handler):
-    """Test that basic headers are properly set."""
-    headers = reverse_proxy_handler._prepare_headers(mock_request)
+async def test_basic_headers(
+    mock_request, legacy_headers, override_host, proxy_name, expected_host, expected_via
+):
+    """Test basic header functionality with various configurations."""
+    handler = ReverseProxyHandler(
+        upstream="http://upstream-api.com",
+        legacy_forwarded_headers=legacy_headers,
+        override_host=override_host,
+        proxy_name=proxy_name,
+    )
+    headers = handler._prepare_headers(mock_request)
 
     # Check standard headers
-    assert headers["Host"] == "upstream-api.com"
+    assert headers["Host"] == expected_host
     assert headers["User-Agent"] == "test-agent"
     assert headers["Accept"] == "application/json"
+    assert headers["Via"] == expected_via
 
     # Check modern forwarded header
     assert "Forwarded" in headers
@@ -46,60 +76,28 @@ async def test_basic_headers(mock_request, reverse_proxy_handler):
     assert "proto=http" in forwarded
     assert "path=/" in forwarded
 
-    # Check Via header
-    assert headers["Via"] == "1.1 stac-auth-proxy"
-
-    # Legacy headers should not be present by default
-    assert "X-Forwarded-For" not in headers
-    assert "X-Forwarded-Host" not in headers
-    assert "X-Forwarded-Proto" not in headers
-    assert "X-Forwarded-Path" not in headers
-
-
-@pytest.mark.asyncio
-async def test_legacy_forwarded_headers(mock_request):
-    """Test that legacy X-Forwarded-* headers are set when enabled."""
-    handler = ReverseProxyHandler(
-        upstream="http://upstream-api.com", legacy_forwarded_headers=True
-    )
-    headers = handler._prepare_headers(mock_request)
-
-    # Check legacy headers
-    assert headers["X-Forwarded-For"] == "unknown"
-    assert headers["X-Forwarded-Host"] == "localhost:8000"
-    assert headers["X-Forwarded-Proto"] == "http"
-    assert headers["X-Forwarded-Path"] == "/"
-
-    # Modern Forwarded header should still be present
-    assert "Forwarded" in headers
-
-
-@pytest.mark.asyncio
-async def test_override_host_disabled(mock_request):
-    """Test that host override can be disabled."""
-    handler = ReverseProxyHandler(
-        upstream="http://upstream-api.com", override_host=False
-    )
-    headers = handler._prepare_headers(mock_request)
-    assert headers["Host"] == "localhost:8000"
-
-
-@pytest.mark.asyncio
-async def test_custom_proxy_name(mock_request):
-    """Test that custom proxy name is used in Via header."""
-    handler = ReverseProxyHandler(
-        upstream="http://upstream-api.com", proxy_name="custom-proxy"
-    )
-    headers = handler._prepare_headers(mock_request)
-    assert headers["Via"] == "1.1 custom-proxy"
+    # Check legacy headers based on configuration
+    if legacy_headers:
+        assert headers["X-Forwarded-For"] == "unknown"
+        assert headers["X-Forwarded-Host"] == "localhost:8000"
+        assert headers["X-Forwarded-Proto"] == "http"
+        assert headers["X-Forwarded-Path"] == "/"
+    else:
+        assert "X-Forwarded-For" not in headers
+        assert "X-Forwarded-Host" not in headers
+        assert "X-Forwarded-Proto" not in headers
+        assert "X-Forwarded-Path" not in headers
 
 
+@pytest.mark.parametrize("legacy_headers", [False, True])
 @pytest.mark.asyncio
-async def test_forwarded_headers_with_client(mock_request):
+async def test_forwarded_headers_with_client(mock_request, legacy_headers):
     """Test forwarded headers when client information is available."""
     # Add client information to the request
     mock_request.scope["client"] = ("192.168.1.1", 12345)
-    handler = ReverseProxyHandler(upstream="http://upstream-api.com")
+    handler = ReverseProxyHandler(
+        upstream="http://upstream-api.com", legacy_forwarded_headers=legacy_headers
+    )
     headers = handler._prepare_headers(mock_request)
 
     # Check modern Forwarded header
@@ -109,56 +107,37 @@ async def test_forwarded_headers_with_client(mock_request):
     assert "proto=http" in forwarded
     assert "path=/" in forwarded
 
-    # Legacy headers should not be present by default
-    assert "X-Forwarded-For" not in headers
-    assert "X-Forwarded-Host" not in headers
-    assert "X-Forwarded-Proto" not in headers
-    assert "X-Forwarded-Path" not in headers
+    # Check legacy headers based on configuration
+    if legacy_headers:
+        assert headers["X-Forwarded-For"] == "192.168.1.1"
+        assert headers["X-Forwarded-Host"] == "localhost:8000"
+        assert headers["X-Forwarded-Proto"] == "http"
+        assert headers["X-Forwarded-Path"] == "/"
+    else:
+        assert "X-Forwarded-For" not in headers
+        assert "X-Forwarded-Host" not in headers
+        assert "X-Forwarded-Proto" not in headers
+        assert "X-Forwarded-Path" not in headers
 
 
+@pytest.mark.parametrize("legacy_headers", [False, True])
 @pytest.mark.asyncio
-async def test_legacy_forwarded_headers_with_client(mock_request):
-    """Test legacy forwarded headers when client information is available."""
-    mock_request.scope["client"] = ("192.168.1.1", 12345)
+async def test_https_proto(mock_request, legacy_headers):
+    """Test that protocol is set correctly for HTTPS."""
+    mock_request.scope["scheme"] = "https"
     handler = ReverseProxyHandler(
-        upstream="http://upstream-api.com", legacy_forwarded_headers=True
+        upstream="http://upstream-api.com", legacy_forwarded_headers=legacy_headers
     )
     headers = handler._prepare_headers(mock_request)
 
-    # Check legacy headers
-    assert headers["X-Forwarded-For"] == "192.168.1.1"
-    assert headers["X-Forwarded-Host"] == "localhost:8000"
-    assert headers["X-Forwarded-Proto"] == "http"
-    assert headers["X-Forwarded-Path"] == "/"
-
-    # Modern Forwarded header should still be present
-    assert "Forwarded" in headers
-
-
-@pytest.mark.asyncio
-async def test_https_proto(mock_request):
-    """Test that X-Forwarded-Proto is set correctly for HTTPS."""
-    mock_request.scope["scheme"] = "https"
-    handler = ReverseProxyHandler(upstream="http://upstream-api.com")
-    headers = handler._prepare_headers(mock_request)
-
     # Check modern Forwarded header
     assert "proto=https" in headers["Forwarded"]
 
-    # Legacy headers should not be present by default
-    assert "X-Forwarded-Proto" not in headers
-
-
-@pytest.mark.asyncio
-async def test_https_proto_legacy(mock_request):
-    """Test that X-Forwarded-Proto is set correctly for HTTPS with legacy headers."""
-    mock_request.scope["scheme"] = "https"
-    handler = ReverseProxyHandler(
-        upstream="http://upstream-api.com", legacy_forwarded_headers=True
-    )
-    headers = handler._prepare_headers(mock_request)
-    assert headers["X-Forwarded-Proto"] == "https"
-    assert "proto=https" in headers["Forwarded"]
+    # Check legacy headers based on configuration
+    if legacy_headers:
+        assert headers["X-Forwarded-Proto"] == "https"
+    else:
+        assert "X-Forwarded-Proto" not in headers
 
 
 @pytest.mark.asyncio
@@ -171,3 +150,135 @@ async def test_non_standard_port(mock_request):
     handler = ReverseProxyHandler(upstream="http://upstream-api.com:8080")
     headers = handler._prepare_headers(mock_request)
     assert headers["Host"] == "upstream-api.com:8080"
+
+
+@pytest.mark.parametrize("legacy_headers", [False, True])
+@pytest.mark.asyncio
+async def test_nginx_proxy_headers_preserved(legacy_headers):
+    """Test that existing proxy headers from NGINX are preserved."""
+    # Simulate a request that already has proxy headers set by NGINX
+    headers = [
+        (b"host", b"localhost:8000"),
+        (b"user-agent", b"test-agent"),
+        (b"x-forwarded-for", b"203.0.113.1, 198.51.100.1"),
+        (b"x-forwarded-proto", b"https"),
+        (b"x-forwarded-host", b"api.example.com"),
+        (b"x-forwarded-path", b"/api/v1"),
+    ]
+    request = create_request(headers=headers)
+    handler = ReverseProxyHandler(
+        upstream="http://upstream-api.com", legacy_forwarded_headers=legacy_headers
+    )
+    headers = handler._prepare_headers(request)
+
+    # Check that the existing proxy headers are preserved in the Forwarded header
+    forwarded = headers["Forwarded"]
+    assert "for=203.0.113.1, 198.51.100.1" in forwarded
+    assert "host=api.example.com" in forwarded
+    assert "proto=https" in forwarded
+    assert "path=/api/v1" in forwarded
+
+    # The original headers should still be present (they're preserved from the request)
+    assert headers["X-Forwarded-For"] == "203.0.113.1, 198.51.100.1"
+    assert headers["X-Forwarded-Host"] == "api.example.com"
+    assert headers["X-Forwarded-Proto"] == "https"
+    assert headers["X-Forwarded-Path"] == "/api/v1"
+
+
+@pytest.mark.parametrize(
+    "scope_overrides,headers,expected_forwarded",
+    [
+        pytest.param(
+            {},
+            [
+                (b"host", b"localhost:8000"),
+                (b"user-agent", b"test-agent"),
+                (b"x-forwarded-for", b"203.0.113.1"),
+                (b"x-forwarded-proto", b"https"),
+                # Missing X-Forwarded-Host and X-Forwarded-Path
+            ],
+            {
+                "for": "203.0.113.1",  # From existing header
+                "host": "localhost:8000",  # Fallback to request host
+                "proto": "https",  # From existing header
+                "path": "/",  # Fallback to request path
+            },
+            id="partial_headers_fallback",
+        ),
+        pytest.param(
+            {"client": ("192.168.1.1", 12345)},  # This should be ignored
+            [
+                (b"host", b"localhost:8000"),
+                (b"user-agent", b"test-agent"),
+                (b"x-forwarded-for", b"203.0.113.1, 198.51.100.1"),
+            ],
+            {
+                "for": "203.0.113.1, 198.51.100.1",  # From existing header
+                "host": "localhost:8000",
+                "proto": "http",
+                "path": "/",
+            },
+            id="client_info_precedence",
+        ),
+        pytest.param(
+            {"scheme": "https"},  # This should be ignored
+            [
+                (b"host", b"localhost:8000"),
+                (b"user-agent", b"test-agent"),
+                (b"x-forwarded-proto", b"http"),  # NGINX says it's HTTP
+            ],
+            {
+                "for": "unknown",
+                "host": "localhost:8000",
+                "proto": "http",  # From existing header
+                "path": "/",
+            },
+            id="scheme_precedence",
+        ),
+        pytest.param(
+            {"path": "/custom/path"},
+            [
+                (b"host", b"localhost:8000"),
+                (b"user-agent", b"test-agent"),
+                (b"x-forwarded-path", b"/api/v1/root"),  # NGINX says different path
+            ],
+            {
+                "for": "unknown",
+                "host": "localhost:8000",
+                "proto": "http",
+                "path": "/api/v1/root",  # From existing header
+            },
+            id="path_precedence",
+        ),
+        pytest.param(
+            {},
+            [
+                (b"host", b"localhost:8000"),
+                (b"user-agent", b"test-agent"),
+                (b"X-Forwarded-For", b"203.0.113.1"),  # Mixed case
+                (b"x-forwarded-proto", b"https"),  # Lower case
+                (b"X-FORWARDED-HOST", b"api.example.com"),  # Upper case
+            ],
+            {
+                "for": "203.0.113.1",
+                "host": "api.example.com",
+                "proto": "https",
+                "path": "/",
+            },
+            id="case_insensitive",
+        ),
+    ],
+)
+@pytest.mark.asyncio
+async def test_nginx_headers_behavior(scope_overrides, headers, expected_forwarded):
+    """Test various NGINX header behaviors and precedence rules."""
+    request = create_request(scope_overrides=scope_overrides, headers=headers)
+    handler = ReverseProxyHandler(upstream="http://upstream-api.com")
+    result_headers = handler._prepare_headers(request)
+
+    # Check that the Forwarded header contains expected values
+    forwarded = result_headers["Forwarded"]
+    for key, expected_value in expected_forwarded.items():
+        assert (
+            f"{key}={expected_value}" in forwarded
+        ), f"Expected {key}={expected_value} in {forwarded}"
