author | Alberto Bertogli
<albertito@blitiri.com.ar> 2020-06-06 15:33:59 UTC |
committer | Alberto Bertogli
<albertito@blitiri.com.ar> 2020-06-06 15:33:59 UTC |
parent | 820ea96d9561dfca8e4af71509ee3af627564ae3 |
server/http.go | +4 | -0 |
diff --git a/server/http.go b/server/http.go index aa51019..1949a28 100644 --- a/server/http.go +++ b/server/http.go @@ -162,6 +162,10 @@ func makeProxy(from string, to url.URL, conf *config.HTTP) http.Handler { req.Header.Set("User-Agent", "") } + // Strip X-Forwarded-For header, since we don't trust what the client + // sent, and the reverse proxy will append to. + req.Header.Del("X-Forwarded-For") + // Note we don't do this so we can have routes independent of virtual // hosts. The downside is that if the destination scheme is HTTPS, // this causes issues with the TLS SNI negotiation.