From bde6c90c8fa21ba57107f0c0d93629e116eb5e31 Mon Sep 17 00:00:00 2001
From: Zac Blazic
Date: Fri, 28 Mar 2025 14:38:18 +0200
Subject: [PATCH 1/5] Set $forwarded_ variables based on original forwarded headers
Prefer setting $forwarded_ with $http_x_original_forwarded headers if they exist, otherwise fallback to $proxy_x_forwarded headers.
---
 config/http.conf | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/config/http.conf b/config/http.conf
index 2b0ba5e..e5d48b5 100644
--- a/config/http.conf
+++ b/config/http.conf
@@ -49,6 +49,33 @@ http {
 '' $server_port;
 }
+ # If we receive X-Original-Forwarded-Host, use it; otherwise, use
+ # the value of X-Forwarded-Host
+ map $http_x_original_forwarded_host $forwarded_host {
+ default $http_x_original_forwarded_host;
+ '' $proxy_x_forwarded_host;
+ }
+
+ # If we receive X-Original-Forwarded-Port, use it; otherwise, use
+ # the value of X-Forwarded-Port
+ map $http_x_original_forwarded_port $forwarded_port {
+ default $http_x_original_forwarded_port;
+ '' $proxy_x_forwarded_port;
+ }
+
+ # If we receive X-Original-Forwarded-Proto, use it; otherwise, use
+ map $http_x_original_forwarded_proto $forwarded_proto {
+ default $http_x_original_forwarded_proto;
+ '' $proxy_x_forwarded_proto;
+ }
+
+ # If we receive X-Original-Forwarded-Ssl, use it; otherwise, use
+ # the value of X-Forwarded-Ssl
+ map $http_x_original_forwarded_ssl $forwarded_ssl {
+ default $http_x_original_forwarded_ssl;
+ '' $proxy_x_forwarded_ssl;
+ }
+
 # If we receive X-Request-ID, pass it through; otherwise, pass along the
 # request_id generated by nginx
 map $http_x_request_id $proxy_x_request_id {
From e38113bd5c9be5cc1a891fe8d6c9e1712b3d3f09 Mon Sep 17 00:00:00 2001
From: Zac Blazic
Date: Fri, 28 Mar 2025 14:43:57 +0200
Subject: [PATCH 2/5] Rename variables to be more clear
---
 config/http.conf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
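Review bot: The four `map` blocks added in [PATCH 1/5] take `X-Original-Forwarded-Host/Port/Proto/Ssl` straight from the incoming request, so any client that can reach this nginx without an intermediary that strips or overwrites those headers decides the `X-Forwarded-*` values once the maps are wired into `proxy_set_header` (which [PATCH 2/5] does). That matters wherever the upstream builds absolute URLs, redirects or secure-cookie decisions from `X-Forwarded-Host` and `X-Forwarded-Proto`; a front proxy that rewrites `X-Forwarded-*` will not necessarily touch the `X-Original-` variants. The trust assumption should be stated above the first map, for example `# X-Original-Forwarded-* is trusted as-is; deploy only behind a proxy that sets or strips these headers`, and repeated in the changelog entry. If this image can also be exposed directly, it would be safer to honour the override only for requests from known proxy addresses (a `geo` variable folded into the map key). The enclosing `http {` block starts and ends outside the hunk.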
diff --git a/config/http.conf b/config/http.conf
index e5d48b5..cd3cd8d 100644
--- a/config/http.conf
+++ b/config/http.conf
@@ -51,27 +51,27 @@ http {
 # If we receive X-Original-Forwarded-Host, use it; otherwise, use
 # the value of X-Forwarded-Host
- map $http_x_original_forwarded_host $forwarded_host {
+ map $http_x_original_forwarded_host $proxy_x_forwarded_host_final {
 default $http_x_original_forwarded_host;
 '' $proxy_x_forwarded_host;
 }
 # If we receive X-Original-Forwarded-Port, use it; otherwise, use
 # the value of X-Forwarded-Port
- map $http_x_original_forwarded_port $forwarded_port {
+ map $http_x_original_forwarded_port $proxy_x_forwarded_port_final {
 default $http_x_original_forwarded_port;
 '' $proxy_x_forwarded_port;
 }
 # If we receive X-Original-Forwarded-Proto, use it; otherwise, use
- map $http_x_original_forwarded_proto $forwarded_proto {
+ map $http_x_original_forwarded_proto $proxy_x_forwarded_proto_final {
 default $http_x_original_forwarded_proto;
 '' $proxy_x_forwarded_proto;
 }
 # If we receive X-Original-Forwarded-Ssl, use it; otherwise, use
 # the value of X-Forwarded-Ssl
- map $http_x_original_forwarded_ssl $forwarded_ssl {
+ map $http_x_original_forwarded_ssl $proxy_x_forwarded_ssl_final {
 default $http_x_original_forwarded_ssl;
 '' $proxy_x_forwarded_ssl;
 }
@@ -98,12 +98,12 @@ http {
 proxy_set_header Proxy "";
 proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
- proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
- proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
 proxy_set_header X-Request-ID $proxy_x_request_id;
- proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto_final;
+ proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl_final;
+ proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port_final;
+ proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host_final;
 proxy_set_header X-Request-Start "t=${msec}";
 # Latency headers
From d5e77526b754f5df19c0f9642f42cb664b463180 Mon Sep 17 00:00:00 2001
From: Zac Blazic
Date: Fri, 28 Mar 2025 14:44:32 +0200
Subject: [PATCH 3/5] Sort maps & x-forwarded headers
---
 config/http.conf | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/config/http.conf b/config/http.conf
index cd3cd8d..5c00575 100644
--- a/config/http.conf
+++ b/config/http.conf
@@ -28,6 +28,13 @@ http {
 '' $host;
 }
+ # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+ # server port the client connected to
+ map $http_x_forwarded_port $proxy_x_forwarded_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+ }
+
 # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
 # scheme used to connect to this server
 map $http_x_forwarded_proto $proxy_x_forwarded_proto {
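Review bot: Once `X-Forwarded-Host/Port/Proto/Ssl` are set from the `_final` variables in the `proxy_set_header` group of [PATCH 2/5] (hunk `-98,12`), the `X-Original-Forwarded-*` request headers themselves still reach the upstream unchanged as far as the visible lines show, because nginx forwards request headers it is not told to replace. An upstream that also reads `X-Original-Forwarded-Host` then has two sources for the same fact; if it is meant to rely on `X-Forwarded-*` only, clear the originals next to these lines in the same way the file already clears `Proxy`, e.g. `proxy_set_header X-Original-Forwarded-Host "";` and likewise for Port, Proto and Ssl. The subject says "Rename variables", but this hunk is where the forwarded values actually change source, which deserves a line in the commit message. `X-Forwarded-For` keeps `$proxy_add_x_forwarded_for` with no `X-Original-` counterpart, which is worth confirming as intended. The block continues past `# Latency headers`, outside the hunk.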
@@ -42,13 +49,6 @@ http {
 https on;
 }
- # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
- # server port the client connected to
- map $http_x_forwarded_port $proxy_x_forwarded_port {
- default $http_x_forwarded_port;
- '' $server_port;
- }
-
 # If we receive X-Original-Forwarded-Host, use it; otherwise, use
 # the value of X-Forwarded-Host
 map $http_x_original_forwarded_host $proxy_x_forwarded_host_final {
@@ -100,10 +100,10 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Request-ID $proxy_x_request_id;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host_final;
+ proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port_final;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto_final;
 proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl_final;
- proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port_final;
- proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host_final;
 proxy_set_header X-Request-Start "t=${msec}";
 # Latency headers
From aa4f1fa9dff3aa63a6aff204f79e684df311f9d4 Mon Sep 17 00:00:00 2001
From: Zac Blazic
Date: Fri, 28 Mar 2025 14:48:06 +0200
Subject: [PATCH 4/5] Fix comment
---
 config/http.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/http.conf b/config/http.conf
index 5c00575..c31b2e1 100644
--- a/config/http.conf
+++ b/config/http.conf
@@ -64,6 +64,7 @@ http {
 }
 # If we receive X-Original-Forwarded-Proto, use it; otherwise, use
+ # the value of X-Forwarded-Proto
 map $http_x_original_forwarded_proto $proxy_x_forwarded_proto_final {
 default $http_x_original_forwarded_proto;
 '' $proxy_x_forwarded_proto;
From a66c6c2572e73508aeabd1e92688b7796e2fc8f9 Mon Sep 17 00:00:00 2001
From: Zac Blazic
Date: Fri, 28 Mar 2025 15:07:09 +0200
Subject: [PATCH 5/5] Update changelog
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5070ecb..f50145f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
+## 1.27.1-1
+
+* Allow `X-Original-Forwaded-*` headers to take priority when setting `X-Forwarded-*` headers.
+
 ## 1.27.1
 * Update base image to `zappi/nginx:1.27.1`.