Question
I found out that the `X-Forwarded-Host` HTTP header is not very well defined in the case of ports. Maybe that is the reason why various implementations behave differently when it comes to this header. Usually, this header can contain a port, e.g. `b.com:123`, which is straightforward. But what if it does NOT contain a port and the server is running on a non-default port? After my little research, I discovered that some implementations introduce a "non-official" `X-Forwarded-Port` header.

Right now, I'm thinking of the implementation on the server, and my thoughts are that if the `X-Forwarded-Host` header is present without a port, then output URLs should not contain a port either, even if the server is running on a port other than the default (if the `X-Forwarded-Port` header is not present).

The situation gets worse when the `X-Forwarded-Proto` header is present.
I created a simple table to describe how I would expect the server to behave and my question is:
Would you implement it the same? Is declared behavior intuitive to you? Thanks in advance.
| # | Request | X-F...-Proto | X-F...-Host | X-F...-Port | Output URL |
|:-:|:---------------------|:------------:|:-----------:|:-----------:|:---------------------|
| 1 | http://a.com:8080/x | -no- | -no- | -no- | http://a.com:8080/x |
| 2 | http://a.com:8080/x | https | -no- | -no- | https://a.com:8080/x |
| 3 | http://a.com:8080/x | -no- | b.com | -no- | http://b.com/x |
| 4 | http://a.com:8080/x | -no- | b.com:123 | -no- | http://b.com:123/x |
| 5 | http://a.com:8080/x | -no- | -no- | 123 | http://a.com:123/x |
| 6 | http://a.com:8080/x | -no- | b.com | 123 | http://b.com:123/x |
| 7 | http://a.com:8080/x | -no- | b.com:123 | -no- | http://b.com:123/x |
| 8 | http://a.com:8080/x | -no- | b.com:123 | 456 | http://b.com:456/x |
| 9 | http://a.com:8080/x | https | b.com | -no- | https://b.com/x |
|10 | http://a.com:8080/x | https | b.com | 123 | https://b.com:123/x |
|11 | xyzz://a.com:8080/x | -no- | b.com | -no- | xyzz://b.com:8080/x |
Pay attention to #3 and #9 which are the most tricky I think.
Answer 1:
As there is no answer so far, I asked a few people from our company that take care of infrastructures and web servers, and they agreed that the proposed solution (table) is correct. So that:

`X-Forwarded-Host` without a port means use the protocol default (80, 443).

In case anyone is interested in code (Java), here is a pull request (PR) to the Gravitee.io API Management platform that fixes the behavior from using the application default port (8083) to the protocol default ports (80, 443) and adds support for `X-Forwarded-Port`.
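A worked implementation of the table's rules, added here as an example; it is not code from the question, the answer or the Gravitee PR. The function name and the `from_trusted_proxy` flag are my own, and the flag exists because these headers are client-settable and should only be honoured for requests that arrived through a proxy you control.

```python
from urllib.parse import urlsplit, urlunsplit

# Scheme defaults; an unknown scheme (row 11) has no entry and keeps the request port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_and_port(netloc: str):
    """Split 'b.com:123' or '[::1]:123' into (host, port-or-None)."""
    p = urlsplit("//" + netloc)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    return host, p.port                  # .port raises ValueError on a malformed port


def resolve_public_url(request_url: str, headers: dict,
                       from_trusted_proxy: bool = True) -> str:
    """Rebuild the externally visible URL from the request and the X-Forwarded-*
    headers, following the rules in the table above (hypothetical helper)."""
    req = urlsplit(request_url)
    scheme = req.scheme
    host, port = _host_and_port(req.netloc)
    # Only honour forwarding headers that came from a trusted proxy; otherwise ignore them.
    h = {k.lower(): v.strip() for k, v in headers.items()} if from_trusted_proxy else {}

    if "x-forwarded-proto" in h:                         # rows 2, 9, 10
        scheme = h["x-forwarded-proto"].lower()
    if "x-forwarded-host" in h:                          # rows 3, 4, 6-11
        host, fwd_port = _host_and_port(h["x-forwarded-host"])
        # No port in the header means "protocol default" (rows 3, 9);
        # a scheme with no known default keeps the request port (row 11).
        port = fwd_port if fwd_port is not None else DEFAULT_PORTS.get(scheme, port)
    if "x-forwarded-port" in h:                          # rows 5, 6, 8, 10: wins over all
        port = int(h["x-forwarded-port"])
        if not 0 < port < 65536:
            raise ValueError("X-Forwarded-Port out of range")

    # Omit the port when it is the scheme's default, otherwise keep it explicit.
    netloc = host if port is None or port == DEFAULT_PORTS.get(scheme) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, req.path, req.query, req.fragment))
```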
Source: https://stackoverflow.com/questions/61429542/http-x-forwarded-host-behavior-without-port