git » gofer » commit 0e78a53

http: Remove X-Forwarded-For from incoming requests

author Alberto Bertogli
2020-06-06 15:33:59 UTC
committer Alberto Bertogli
2020-06-06 15:33:59 UTC
parent 820ea96d9561dfca8e4af71509ee3af627564ae3

http: Remove X-Forwarded-For from incoming requests

External incoming requests might have X-Forwarded-For set, causing the
reverse proxy to append to it instead of replacing it entirely.

This patch removes the X-Forwarded-For header, to prevent this.

server/http.go +4 -0

diff --git a/server/http.go b/server/http.go
index aa51019..1949a28 100644
--- a/server/http.go
+++ b/server/http.go
@@ -162,6 +162,10 @@ func makeProxy(from string, to url.URL, conf *config.HTTP) http.Handler {
 			req.Header.Set("User-Agent", "")
 		}
 
+		// Strip X-Forwarded-For header, since we don't trust what the client
+		// sent, and the reverse proxy will append to.
+		req.Header.Del("X-Forwarded-For")
+
 		// Note we don't do this so we can have routes independent of virtual
 		// hosts. The downside is that if the destination scheme is HTTPS,
 		// this causes issues with the TLS SNI negotiation.
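
Review bot: The added `req.Header.Del("X-Forwarded-For")` in makeProxy covers only that one header, so a client can still supply other forwarding headers such as `Forwarded` (RFC 7239) or `X-Real-IP`, and a backend that reads those would still see client-controlled values. If the rest of this director does not already handle them, consider deleting them here as well, for example `req.Header.Del("Forwarded")`. The new comment also ends mid-sentence ("the reverse proxy will append to."); "will append to it" would read better. The diffstat shows only server/http.go changed (+4 -0), so a test that sends a request carrying a spoofed X-Forwarded-For and asserts the backend receives only the proxy-added address would keep this behaviour from regressing.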