Bug 58001 - Implement Forwarded header (RFC 7239) to mod_proxy_http
Summary: Implement Forwarded header (RFC 7239) to mod_proxy_http
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_http (show other bugs)
Version: 2.5-HEAD
Hardware: PC All
: P2 enhancement with 3 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2015-06-04 07:51 UTC by Takashi Sato
Modified: 2017-09-23 14:17 UTC (History)
1 user (show)

Add Forwarded header (36.22 KB, patch)
2017-08-08 20:48 UTC, Christian Schmidt
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Takashi Sato 2015-06-04 07:51:25 UTC
According to the document, mod_proxy_http supports X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server.
Last year RFC 7239 standardized a new Forwarded header.
Comment 1 Christian Schmidt 2017-08-08 20:48:29 UTC
Created attachment 35207 [details]
Add Forwarded header

This patch adds the Forwarded header in the same manor as X-Forwarded-*.

I added a new configuration variable, ProxyAddForwardedHeader, in addition to ProxyAddHeaders that controls the X-Forwarded-* headers. The default is Off in order to stay conservative, but I don't know what the general policy about such things is in this project.
Comment 2 best 2017-08-09 10:05:32 UTC
Cool! This looks good. Except that the content of the "Host" header is not escaped, which could raise security threats if the request Host header contains chars like ";

3635 host_param = apr_pstrcat(r->pool, "; host=\"", host, "\"", NULL);
Comment 3 Christian Schmidt 2017-08-09 18:46:22 UTC
AFAICT the Host header is already sanitized. All my attempts to inject invalid characters in this header result in a "400 Bad Request" response.

However, I am new to Apache development, so I'd appreciate any guidance on how to deal with this issue, i.e. which validation functions to use etc.