Bug 57563

Summary: Replace Host: header field when absolute request-target is used
Product: Apache httpd-2 Reporter: Tom Francis <tfrancis>
Component: mod_proxyAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED DUPLICATE    
Severity: minor    
Priority: P2    
Version: 2.4-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   
Attachments: Fix for proxy_util.c, adding check for absolute URI

Description Tom Francis 2015-02-11 03:09:59 UTC 
Created attachment 32449 [details]
Fix for proxy_util.c, adding check for absolute URI

Hi,

When mod_proxy processes requests that have an absolute request-target in the request-line, and ProxyPreserveHost is enabled, it incorrectly sends the original Host: header on to the origin server. According to RFC 7230, Section 5.4:

"When a proxy receives a request with an absolute-form of request-target, the proxy MUST ignore the received Host header field (if any) and instead replace it with the host information of the request-target.  A proxy that forwards such a request MUST generate a new Host field-value based on the received request-target rather than forward the received Host field-value."

It is certainly an abnormal scenario, but repeatable on the latest version of httpd (2.4.12) (I can provide use-case instructions if needed).

I have now spent a good chunk of time trying to understand the pertinent parts of the Apache Httpd source code and have come up with the following code snippet that, I believe, corrects this in the most suitable location, where mod_proxy gathers the incoming headers and prepares them for the outgoing request to the origin server or other downstream proxy. It only executes in the event that ProxyPreserveHost is set and then only if an absolute-form of request-target was supplied.

Although the RFC text in question specifically talks about proxy servers, Section 5.3.2 does state the following:

"To allow for transition to the absolute-form for all requests in some future version of HTTP, a server MUST accept the absolute-form in requests, even though HTTP/1.1 clients will only send them in requests to proxies."

Also, Section 5.2 of the now deprecated RFC2616 talks about how any origin server that recieves an absoluteURI in the Request-URI, must ignore the Host: header.

"1. If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored."

It does not specify if it should remove/modify the host header. Also I cannot find the equivalent wording in RFC7230 pertaining to this. I agree with https://issues.apache.org/bugzilla/show_bug.cgi?id=56718 that the Host: header should be modified so I will add additional comments there instead of creating a new bug report.

If this issue is fixed at the core level in the above linked bug, then it would no longer need to be addressed within mod_proxy.

Thanks,

Tom...
Comment 1 Yann Ylavic 2015-02-11 16:08:28 UTC 
I'd prefer this to be fixed at the core (protocol) level, including the non-proxy case, hence I'm marking this report as duplicate.
If there is no consensus on that point (in bug 56718), please reopen.

*** This bug has been marked as a duplicate of bug 56718 ***