[undertow-dev] Proxy handler clobbering X-Forwarded-Proto header

Stuart Douglas sdouglas at redhat.com
Wed Apr 1 03:48:39 EDT 2015 

This was basically an oversight. I have pushed up a fix (hopefully) to master and the 1.1 branch.

Stuart

----- Original Message -----
> From: "Shannon Lloyd" <shanloid at gmail.com>
> To: undertow-dev at lists.jboss.org
> Sent: Wednesday, 1 April, 2015 4:25:56 PM
> Subject: [undertow-dev] Proxy handler clobbering X-Forwarded-Proto header
> 
> We have a setup which looks like this:
> 
> AWS ELB --> Undertow Service A with ProxyHandler --> Undertow Service B
> 
> Traffic comes in to the ELB on HTTPS, the SSL gets terminated, and HTTP
> traffic flows through to service A with the X-Forwarded-Proto header set to
> https. We then proxy HTTP traffic through to service B, which is responsible
> for (amongst other things) generating links. In order to generate these
> links it needs to know the scheme/protocol on which to make requests from
> the internet to the ELB.
> 
> Sadly, it looks like the Undertow proxy handler is clobbering this
> information by naively assuming that the request scheme used to hit this
> Undertow service should be the forwarded proto (ProxyHandler lines 434-436):
> 
> // Set the protocol header and attachment
> final String proto = exchange.getRequestScheme().equals("https") ? "https" :
> "http";
> request.getRequestHeaders().put(Headers.X_FORWARDED_PROTO, proto);
> 
> This does not check to see if there is a pre-existing proto header already
> set. In our case there is one, and it is set to https, but once it passes
> through this block, it has been rewritten to http, which is incorrect.
> 
> I noticed that higher up in the ProxyHandler logic where it handled
> X-Forwarded-For it actually employs some logic (configurable) to not clobber
> any existing value. I get why this is - because it can be a list of
> addresses - but is there some reason why we wouldn't want a similar check
> for the original protocol?
> 
> Our workaround for this is to copy the proto header into a custom header via
> a HttpHandler, ensuring that it gets copied from the incoming exchange to
> the outgoing exchange without being touched by Undertow, but this is a bit
> of a hack. Ideally we'd prefer any pre-existing proto header to be
> preserved, and to only use the request scheme as the fallback when no header
> exists.
> 
> Cheers,
> Shannon
> 
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev

More information about the undertow-dev mailing list