HTTP Headers: X_FORWARDED_HOST vs HOST #1822

Open
return42 opened this issue Jan 31, 2020 · 2 comments

@return42 return42 commented Jan 31, 2020

When setting up searx behind a reverse proxy configuration (e.g. filtron), we have to set some HTTP headers. For Apache I posted my reference site here #1819 (comment) ...

I can speak only for Apache (nginx might be different): When setting the ProxyPass directive, the needed X-Forwarded-.. request headers are set implicitly, see Reverse Proxy Request Headers.

I do not have much experience with HTTP, but I wonder: To work correctly, searx also needs the Host header fixed to the same value as X-Forwarded-Host. Is this a bug or a feature?

If it is a bug, this would be my patch ..

diff --git a/searx/webapp.py b/searx/webapp.py
index aadefe6b..750ab9c5 100644
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -960,6 +960,9 @@ class ReverseProxyPathFix(object):
         self.app = app
 
     def __call__(self, environ, start_response):
+        http_host = environ.get('HTTP_X_FORWARDED_HOST', None)
+        if http_host:
+            environ['HTTP_HOST'] = http_host
         script_name = environ.get('HTTP_X_SCRIPT_NAME', '')
         if script_name:
             environ['SCRIPT_NAME'] = script_name
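
Review bot: the three added lines at the top of `__call__` copy `HTTP_X_FORWARDED_HOST` into `HTTP_HOST` for every request, without checking where the request came from or what the value looks like. Whenever the proxy in front does not set or strip that header, its content is chosen by the client, and anything the application derives from the host would then follow the client's value. Consider applying the override only when a setting enables it or when `REMOTE_ADDR` is a known proxy address, and pick a single element if the value is a comma-separated list. The explicit `None` default in `environ.get('HTTP_X_FORWARDED_HOST', None)` is redundant.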

I tested the patch and for me it works like a charm. But I have a doubt, because my HTTP and Flask experience is not much.

@unixfox unixfox commented Jan 31, 2020

X-Forwarded-Host is hardly ever used nowadays. Most reverse proxies override the "Host" HTTP header with the hostname.

PS: By the way, just a personal opinion. Stop using Apache, it's slow and vulnerable to attacks like slow loris.
I think you should try the Caddy webserver. It automatically generates/manages the SSL certificates for you, by default its encryption settings are very good (whereas by default Apache still allows TLS 1.0/1.1, which have been deprecated for a long time) and it's easier to write a configuration file.
Small example from your comment #1819 (comment):

myhost.xxx {
   proxy /searx localhost:4004 {
     header_upstream X-Script-Name /searx
     transparent
   }
}

@return42 return42 commented Jan 31, 2020

> X-Forwarded-Host is hardly ever used nowadays. Most reverse proxies override the "Host" HTTP header with the hostname.

Good to know, thanks. With this in mind:

Apache does not overwrite the Host header, you have to set ProxyPreserveHost On for this. But you can't set this value on a Location level. Therefore my patch seems a good solution for Apache and will not break other HTTP server setups (this was my main doubt).

If no one has a veto, I will send a PR with the patch.

PS: Thanks for your additional hints, but changing the HTTP server isn't an option for me. I have several servers to maintain and I can't see any performance issues in my use cases. BTW I use mod_security (which is truly not the best choice and I have to think about alternatives to mod_security).

Again, I never asked about SSL, if you miss the 's' in my questions: I use HTTP without 's' to simplify the test scenarios. In production I often like to use ACME.
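
A variant of the Host rewrite discussed in this thread that honours X-Forwarded-Host only when the request arrives from a known proxy address, as an added example (not searx code and not part of the patch above). The names `TrustedForwardedHostFix`, `forwarded_host` and `TRUSTED_PROXIES`, the loopback proxy address and the single-proxy setup are assumptions of this example.

```python
import ipaddress
import re

# Assumption: the only reverse proxy runs on the same machine as the app.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]
# Hostname or IPv4 literal with optional port (bracketed IPv6 not handled).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}(:[0-9]{1,5})?")


def forwarded_host(environ):
    """Return the X-Forwarded-Host value to trust, or None."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None  # e.g. a unix socket peer: no address to check
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # header came from an untrusted peer: ignore it
    raw = environ.get("HTTP_X_FORWARDED_HOST", "")
    # A proxy that appends to an existing header puts its own value last,
    # so with one trusted proxy only the last element is trustworthy.
    candidate = raw.split(",")[-1].strip()
    return candidate if HOST_RE.fullmatch(candidate) else None


class TrustedForwardedHostFix:
    """WSGI middleware: set HTTP_HOST from a trusted X-Forwarded-Host."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        host = forwarded_host(environ)
        if host:
            environ["HTTP_HOST"] = host
        return self.app(environ, start_response)
```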

return42 added a commit to return42/searx that referenced this issue Jan 31, 2020
related discussions:

- asciimoo#1822
- asciimoo#1819 (comment)

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>