Redirect to https depends on Source IP

[timo-42]

I'm not sure if this is intended behavior or not, but the HTTP Scheme of the location header is different depending on the Source IP(https vs http):

curl -I -H 'x-forwarded-proto: https' localhost:8000/hello_world
HTTP/1.1 308 PERMANENT REDIRECT
Server: gunicorn
Date: Mon, 22 Apr 2024 16:44:38 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 257
Location: https://localhost:8000/hello_world/

curl --interface '192.168.0.144' -I -H 'x-forwarded-proto: https' localhost:8000/hello_world
HTTP/1.1 308 PERMANENT REDIRECT
Server: gunicorn
Date: Mon, 22 Apr 2024 16:45:04 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 255
Location: http://localhost:8000/hello_world/

How to reproduce:

echo "from flask import Flask
app = Flask(__name__)

@app.route('/hello_world/')
def hello_world():
    return 'Hello, World!'" > hello.py
pip install flask gunicorn
gunicorn 'hello:app'

[pajod]

Assuming your first example demonstrates a source IPv4 of 127.0.0.1, this is documented and intended behaviour. The X-FORWARDED-PROTO is only used when sent by a permissible forwarder, as configured by forwarded_allow_ips.

[timo-42]

Thank you for the fast feedback. I took a while to find this Issue in combination with the linked Istio Change. It would be nice if there was a better, HTTP Return message like:
The request is not coming from a trusted source, do not switch HTTP scheme to https.