Rewrite host header to match upstream URL

The proxy was forwarding the original host header from the inbound
connection, causing 403s from services like Cloudflare that validate
the Host header against the target domain. Now the host header is
always derived from the upstream URL for both filtered conn headers
and caller-supplied headers.

Author: stuartc

lib/philter.ex

@@ -132,9 +132,10 @@ defmodule Philter do
       callbacks. See `Philter.Handler` for the callback interface.
 
     * `:headers` - Pre-assembled outbound request headers as `[{name, value}]`
-      tuples. When provided, these headers are sent as-is to the upstream
-      (no filtering of `conn.req_headers`, no hop-by-hop removal). When omitted,
-      `conn.req_headers` are filtered (hop-by-hop removed, keys lowercased).
+      tuples. When provided, these replace `conn.req_headers` (no hop-by-hop
+      filtering). When omitted, `conn.req_headers` are filtered (hop-by-hop
+      removed, keys lowercased). In both cases, the `host` header is rewritten
+      to match the upstream server.
 
     * `:finch_name` - Finch pool name. Default: configured value (see `Philter.Config`).
 
@@ -174,7 +175,7 @@ defmodule Philter do
     path = resolve_path(opts, conn)
     upstream_url = build_upstream_url(upstream, path, conn.query_string)
     req_content_type = get_content_type(conn.req_headers)
-    outbound_headers = resolve_outbound_headers(opts, conn)
+    outbound_headers = build_outbound_headers(Keyword.get(opts, :headers), conn, upstream)
 
     # Notify handler of request start
     case notify_request_started(handler, %{
@@ -372,10 +373,30 @@ defmodule Philter do
     end
   end
 
-  defp resolve_outbound_headers(opts, conn) do
-    case Keyword.get(opts, :headers) do
-      nil -> filter_request_headers(conn.req_headers)
-      headers when is_list(headers) -> headers
+  defp build_outbound_headers(nil, conn, upstream) do
+    conn.req_headers
+    |> filter_request_headers()
+    |> put_host_header(extract_host(upstream))
+  end
+
+  defp build_outbound_headers(headers, _conn, upstream) do
+    put_host_header(headers, extract_host(upstream))
+  end
+
+  defp put_host_header(headers, host) do
+    Enum.reject(headers, &host_header?/1) ++ [{"host", host}]
+  end
+
+  defp host_header?({k, _}), do: String.downcase(k) == "host"
+
+  defp extract_host(url) do
+    uri = URI.parse(url)
+
+    case uri.port do
+      nil -> uri.host
+      80 -> uri.host
+      443 -> uri.host
+      port -> "#{uri.host}:#{port}"
     end
   end
 

test/philter_test.exs

@@ -224,7 +224,7 @@ defmodule PhilterTest do
       Bypass.expect(bypass, "POST", "/api", fn conn ->
         assert Plug.Conn.get_req_header(conn, "authorization") == ["Bearer test"]
         assert Plug.Conn.get_req_header(conn, "content-type") == ["application/json"]
-        # Caller-supplied headers are sent as-is, no hop-by-hop filtering
+        # Caller-supplied headers bypass hop-by-hop filtering (host is still rewritten)
         Plug.Conn.send_resp(conn, 200, "ok")
       end)
 
@@ -265,6 +265,46 @@ defmodule PhilterTest do
       assert conn.status == 200
     end
 
+    test "rewrites host header to match upstream", %{bypass: bypass, upstream: upstream} do
+      Bypass.expect(bypass, "GET", "/host-check", fn conn ->
+        [host] = Plug.Conn.get_req_header(conn, "host")
+        assert host == "localhost:#{bypass.port}"
+        Plug.Conn.send_resp(conn, 200, "ok")
+      end)
+
+      conn =
+        conn(:get, "/host-check")
+        |> Map.put(:host, "original-host.example.com")
+        |> Philter.proxy(upstream: upstream, finch_name: Philter.TestFinch)
+
+      assert conn.status == 200
+    end
+
+    test "rewrites host header when caller-supplied headers provided", %{
+      bypass: bypass,
+      upstream: upstream
+    } do
+      Bypass.expect(bypass, "GET", "/host-check", fn conn ->
+        [host] = Plug.Conn.get_req_header(conn, "host")
+        assert host == "localhost:#{bypass.port}"
+        assert Plug.Conn.get_req_header(conn, "authorization") == ["Bearer tok"]
+        Plug.Conn.send_resp(conn, 200, "ok")
+      end)
+
+      conn =
+        conn(:get, "/host-check")
+        |> Philter.proxy(
+          upstream: upstream,
+          finch_name: Philter.TestFinch,
+          headers: [
+            {"host", "wrong-host.example.com"},
+            {"authorization", "Bearer tok"}
+          ]
+        )
+
+      assert conn.status == 200
+    end
+
     test "passes caller-supplied headers to handle_request_started metadata", %{
       bypass: bypass,
       upstream: upstream
@@ -285,7 +325,10 @@ defmodule PhilterTest do
         )
 
       assert_receive {:request_started, req_meta}
-      assert req_meta.headers == custom_headers
+      # Custom headers are present, plus host is rewritten to match upstream
+      assert {"authorization", "Bearer tok"} in req_meta.headers
+      assert {"x-custom", "val"} in req_meta.headers
+      assert {"host", _} = List.keyfind(req_meta.headers, "host", 0)
     end
 
     test "invokes handler on error with error info", %{upstream: _upstream} do