Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http/httputil: do not add to empty X-Forwarded-For header in ReverseProxy #38079

Closed
AmoVanB opened this issue Mar 25, 2020 · 7 comments
Closed

net/http/httputil: do not add to empty X-Forwarded-For header in ReverseProxy #38079

AmoVanB opened this issue Mar 25, 2020 · 7 comments
Labels
FrozenDueToAge Proposal Proposal-Accepted
Projects
Proposals (old)
Milestone
Go1.15

Comments

@AmoVanB
Copy link

AmoVanB commented Mar 25, 2020

What version of Go are you using (go version)?

$ go version
go version go1.13.8 linux/386

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="386"
GOBIN="~/go/bin/"
GOCACHE="~/.cache/go-build"
GOENV="~/.config/go/env"
GOEXE=""
GOFLAGS=" -mod=vendor"
GOHOSTARCH="386"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="~/go"
GOPRIVATE=""
GOPROXY="direct"
GOROOT="/usr/local/go1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go1.13/pkg/tool/linux_386"
GCCGO="gccgo"
GO386="sse2"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="~/git/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m32 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build275301714=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I'm simply using the ReverseProxy (https://github.com/golang/go/blob/master/src/net/http/httputil/reverseproxy.go) to implement an HTTP proxy. By default, and as documented, ReverseProxy automatically sets the client IP as the value of the X-Forwarded-For header. If an X-Forwarded-For header already exists, the client IP is appended to the existing values.. In our situation, the proxy should be transparent and invisible to the servers, so we'd like the proxy not to add any headers to the HTTP requests he forwards. Unfortunately, there is no option to disable the addition of the X-Forwarded-For header. Unless I'm mistaken, there is also no way to remove this header manually before messages are forwarded (like through a hook or something that is called at some point).

What did you expect to see?

An option in the ReverseProxy struct to disable the X-Forwarded-For header. For example, something like disableForwardedForHeader bool, which would be false per default, that means that the behavior stays like now. If true, the proxy wouldn't set the X-Forwarded-For header, through, e.g., if !p.disableForwardedForHeader at line 246 of https://github.com/golang/go/blob/master/src/net/http/httputil/reverseproxy.go.

Another option would be to add a hook that can modify the request just before the proxy sends/forwards it. That would actually be a more elegant and general solution. That could be the current Director hook, but then it should be called later in the ServeHTTP function, i.e., just before transport.RoundTrip(outreq). Not sure if that would have any other bad impact. In any case, another hook is possible.

What did you see instead?

No option and the proxy always sets the X-Forwarded-For header.
@andybons andybons changed the title net/http/httputil: option for ReverseProxy not to set the X-Forwarded-For header proposal: net/http/httputil: option for ReverseProxy to not set the X-Forwarded-For header Apr 3, 2020
@gopherbot gopherbot added this to the Proposal milestone Apr 3, 2020
@andybons andybons added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 3, 2020
@andybons andybons removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 3, 2020
@rsc rsc added this to Incoming in Proposals (old) Apr 15, 2020
@rsc
Copy link
Contributor

rsc commented Apr 15, 2020

Discussed with @bradfitz. Looks like if Header["X-Forwarded-For"] is a present nil (that is, not missing from the map entirely, but empty) today, you'd end up with "X-Forwarded-For: , 1.2.3.4" (with an empty string before the comma). We could redefine a present nil to mean don't add anything to the header. We do that elsewhere in net/http already, so it is what a user might try even without docs. Maybe that's the way forward?

@rsc rsc moved this from Incoming to Active in Proposals (old) Apr 15, 2020
@rsc rsc mentioned this issue Apr 15, 2020
Open
@AmoVanB
Copy link
Author

AmoVanB commented Apr 15, 2020

I think that could make sense. Especially as the current situation of having a "X-Forwarded-For: , 1.2.3.4" header does not really make sense.

@rsc rsc changed the title proposal: net/http/httputil: option for ReverseProxy to not set the X-Forwarded-For header proposal: net/http/httputil: do not add to empty X-Forwarded-For header Apr 22, 2020
@rsc rsc changed the title proposal: net/http/httputil: do not add to empty X-Forwarded-For header proposal: net/http/httputil: do not add to empty X-Forwarded-For header in ReverseProxy Apr 22, 2020
@rsc
Copy link
Contributor

rsc commented Apr 22, 2020

It sounds like the proposal two comments up (don't add to an already-empty X-Forwarded-For) would fix the problem and that people are at least not objecting. I've retitled.

Does anyone object to doing this?

@rsc
Copy link
Contributor

rsc commented Apr 29, 2020

Based on the discussion, this seems like a likely accept.

@rsc rsc moved this from Active to Likely Accept in Proposals (old) Apr 29, 2020
@gopherbot
Copy link

Change https://golang.org/cl/230937 mentions this issue: net/http/httputil: don't append to X-Forwarded-For in ReverseProxy when nil

1 similar comment
@gopherbot
Copy link

Change https://golang.org/cl/230937 mentions this issue: net/http/httputil: don't append to X-Forwarded-For in ReverseProxy when nil

@rsc
Copy link
Contributor

rsc commented May 6, 2020

No change in consensus, so accepted. (CL committed already.)

@rsc rsc moved this from Likely Accept to Accepted in Proposals (old) May 6, 2020
@rsc rsc modified the milestones: Proposal, Go1.15 May 6, 2020
@rsc rsc changed the title proposal: net/http/httputil: do not add to empty X-Forwarded-For header in ReverseProxy net/http/httputil: do not add to empty X-Forwarded-For header in ReverseProxy May 6, 2020
xujianhai666 pushed a commit to xujianhai666/go-1 that referenced this issue May 21, 2020
@bradfitz @xujianhai666
net/http/httputil: don't append to X-Forwarded-For in ReverseProxy wh…
3938cc3 
…en nil

Fixes golang#38079

Change-Id: Iac02d7f9574061bb26d1d9a41bb6ee6cc38934e5
Reviewed-on: https://go-review.googlesource.com/c/go/+/230937
Reviewed-by: Ian Lance Taylor <iant@golang.org>
@golang golang locked and limited conversation to collaborators May 6, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Proposal Proposal-Accepted
Projects
No open projects
Proposals (old)
Accepted
Milestone
Go1.15
Development

No branches or pull requests
4 participants
@rsc @andybons @gopherbot @AmoVanB