This repository has been archived by the owner on Sep 7, 2023. It is now read-only.

HTTP Headers: X_FORWARDED_HOST vs HOST #1822

Closed
return42 opened this issue Jan 31, 2020 · 3 comments

@return42
Contributor

When setting up searx behind a reverse proxy configuration (e.g. filtron), we have to set some HTTP headers. For Apache I posted my reference site here #1819 (comment) ...

I can speak only for Apache (nginx might be different): When setting the ProxyPass directive, the needed X-Forwarded-.. request headers are set implicitly, see Reverse Proxy Request Headers.

I do not have much experience with HTTP, but I wonder: To work correctly, searx also needs the Host header fixed to the same value as X-Forwarded-Host. Is this a bug or a feature?

If it is a bug, this would be my patch ..

diff --git a/searx/webapp.py b/searx/webapp.py
index aadefe6b..750ab9c5 100644
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -960,6 +960,9 @@ class ReverseProxyPathFix(object):
         self.app = app
 
     def __call__(self, environ, start_response):
+        http_host = environ.get('HTTP_X_FORWARDED_HOST', None)
+        if http_host:
+            environ['HTTP_HOST'] = http_host
         script_name = environ.get('HTTP_X_SCRIPT_NAME', '')
         if script_name:
             environ['SCRIPT_NAME'] = script_name
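
Review bot: The added assignment `environ['HTTP_HOST'] = http_host` in `__call__` copies X-Forwarded-Host into Host without checking where the header came from, so whenever searx is reachable without a proxy that sets or strips that header, the client chooses the host the application sees. Suggest making the override opt-in through a setting, or applying it only when the value matches a configured hostname. The header can also hold several comma-separated values when the incoming request already carried one, so a single entry should be picked before assigning it. Minor: the `None` default in `environ.get('HTTP_X_FORWARDED_HOST', None)` is redundant.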

I tested the patch and for me it works like a charm. But I have a doubt, because my HTTP and Flask experience is not much.

@unixfox
Member

unixfox commented Jan 31, 2020

X-Forwarded-Host is hardly ever used nowadays. Most reverse proxies override the "Host" HTTP header with the hostname.

PS: By the way, just a personal opinion. Stop using Apache, it's slow and vulnerable to attacks like slow loris.
I think you should try the Caddy webserver. It automatically generates/manages the SSL certificates for you, by default its encryption settings are very good (whereas by default Apache still allows TLS 1.0/1.1, which have been deprecated for a long time) and it's easier to write a configuration file.
Small example from your comment #1819 (comment):

myhost.xxx {
   proxy /searx localhost:4004 {
     header_upstream X-Script-Name /searx
     transparent
   }
}

@return42
Contributor Author

return42 commented Jan 31, 2020

> X-Forwarded-Host is hardly ever used nowadays. Most reverse proxies override the "Host" HTTP header with the hostname.

Good to know / Thanks .. with this in mind:

Apache does not overwrite the Host header, you have to set ProxyPreserveHost On for this. But you can't set this value on a Location level. Therefore my patch seems a good solution for Apache and will not break other HTTP server setups (this was my main doubt).

If no one has a veto, I will send a PR with the patch.

PS: Thanks for your additional hints, but changing the HTTP server isn't an option for me. I have several servers to maintain and I can't see any performance issues in my use cases. BTW I use mod_security (which is truly not the best choice and I have to think about alternatives to mod_security).

Again, I never asked about SSL. If you miss the 's' in my questions: I use HTTP without 's' to simplify the test scenarios. In production I often like to use ACME.

@return42
Contributor Author

obsolete / done by PR #1803
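
The question this thread turns on, when a WSGI application may take its host from X-Forwarded-Host instead of Host, shown as an added example (not searx code and not the patch from this issue). The names `forwarded_host`, `ForwardedHostFix`, `ALLOWED_HOSTS` and `TRUSTED_PROXIES`, and the sample addresses and hostnames, are assumptions made for the illustration:

```python
import re

# Constructed sample values; substitute the ones for your deployment.
ALLOWED_HOSTS = {"myhost.example"}        # public names the site is served under
TRUSTED_PROXIES = {"127.0.0.1", "::1"}    # peers allowed to set X-Forwarded-Host
HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d{1,5})?$")  # hostname[:port], no IPv6 literals


def forwarded_host(environ):
    """Return the value to use as HTTP_HOST, or None to leave HTTP_HOST alone."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None  # header arrived straight from a client, ignore it
    raw = environ.get("HTTP_X_FORWARDED_HOST", "")
    # Apache's mod_proxy documents that this header holds several comma-separated
    # values when the request already carried one; the last entry is the one
    # appended by the proxy that connected to us.
    candidate = raw.split(",")[-1].strip().lower()
    if not HOST_RE.match(candidate):
        return None  # empty or malformed value
    if candidate.split(":")[0] not in ALLOWED_HOSTS:
        return None  # well-formed, but not a name this site answers to
    return candidate


class ForwardedHostFix:
    """Hypothetical WSGI middleware (not searx's ReverseProxyPathFix)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        host = forwarded_host(environ)
        if host:
            environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


def host_seen_by_app(environ):
    """Run a constructed request through the middleware; return the app's HTTP_HOST."""
    seen = {}

    def app(env, start_response):
        seen["host"] = env.get("HTTP_HOST")
        start_response("200 OK", [])
        return [b""]

    ForwardedHostFix(app)(dict(environ), lambda status, headers: None)
    return seen["host"]
```
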
