According to the document, mod_proxy_http supports X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server. Last year RFC 7239 standardized a new Forwarded header.
Created attachment 35207 [details] Add Forwarded header This patch adds the Forwarded header in the same manor as X-Forwarded-*. I added a new configuration variable, ProxyAddForwardedHeader, in addition to ProxyAddHeaders that controls the X-Forwarded-* headers. The default is Off in order to stay conservative, but I don't know what the general policy about such things is in this project.
Cool! This looks good. Except that the content of the "Host" header is not escaped, which could raise security threats if the request Host header contains chars like "; 3635 host_param = apr_pstrcat(r->pool, "; host=\"", host, "\"", NULL);
AFAICT the Host header is already sanitized. All my attempts to inject invalid characters in this header result in a "400 Bad Request" response. However, I am new to Apache development, so I'd appreciate any guidance on how to deal with this issue, i.e. which validation functions to use etc.