New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http/httputil: do not add to empty X-Forwarded-For header in ReverseProxy #38079
Comments
Discussed with @bradfitz. Looks like if Header["X-Forwarded-For"] is a present nil (that is, not missing from the map entirely, but empty) today, you'd end up with "X-Forwarded-For: , 1.2.3.4" (with an empty string before the comma). We could redefine a present nil to mean don't add anything to the header. We do that elsewhere in net/http already, so it is what a user might try even without docs. Maybe that's the way forward? |
I think that could make sense. Especially as the current situation of having a "X-Forwarded-For: , 1.2.3.4" header does not really make sense. |
It sounds like the proposal two comments up (don't add to an already-empty X-Forwarded-For) would fix the problem and that people are at least not objecting. I've retitled. Does anyone object to doing this? |
Based on the discussion, this seems like a likely accept. |
Change https://golang.org/cl/230937 mentions this issue: |
1 similar comment
Change https://golang.org/cl/230937 mentions this issue: |
No change in consensus, so accepted. (CL committed already.) |
…en nil Fixes golang#38079 Change-Id: Iac02d7f9574061bb26d1d9a41bb6ee6cc38934e5 Reviewed-on: https://go-review.googlesource.com/c/go/+/230937 Reviewed-by: Ian Lance Taylor <iant@golang.org>
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I'm simply using the
ReverseProxy
(https://github.com/golang/go/blob/master/src/net/http/httputil/reverseproxy.go) to implement an HTTP proxy. By default, and as documented,ReverseProxy automatically sets the client IP as the value of the X-Forwarded-For header. If an X-Forwarded-For header already exists, the client IP is appended to the existing values.
. In our situation, the proxy should be transparent and invisible to the servers, so we'd like the proxy not to add any headers to the HTTP requests he forwards. Unfortunately, there is no option to disable the addition of theX-Forwarded-For
header. Unless I'm mistaken, there is also no way to remove this header manually before messages are forwarded (like through a hook or something that is called at some point).What did you expect to see?
An option in the
ReverseProxy
struct to disable theX-Forwarded-For
header. For example, something likedisableForwardedForHeader bool
, which would befalse
per default, that means that the behavior stays like now. Iftrue
, the proxy wouldn't set theX-Forwarded-For
header, through, e.g.,if !p.disableForwardedForHeader
at line 246 of https://github.com/golang/go/blob/master/src/net/http/httputil/reverseproxy.go.Another option would be to add a hook that can modify the request just before the proxy sends/forwards it. That would actually be a more elegant and general solution. That could be the current
Director
hook, but then it should be called later in theServeHTTP
function, i.e., just beforetransport.RoundTrip(outreq)
. Not sure if that would have any other bad impact. In any case, another hook is possible.What did you see instead?
No option and the proxy always sets the
X-Forwarded-For
header.The text was updated successfully, but these errors were encountered: