Provide a default Host header when it's missing/empty

[Tratcher]

RE: microsoft/ApplicationInsights-aspnetcore#278

HTTP/1.0 requests do not provide Host headers, and HTTP/1.1 requests are required to provide it but it may be empty. This causes failures for components like loggers that want to describe the request with a Uri, or middleware that create absolute links like redirect-to-https. This is a protocol level problem that applies to supported servers.

Proposal: Hosting can provide a default host setting (from config) and apply it whenever the host header is missing or empty. This would happen right when the request is received and before any diagnostics take place:
https://github.com/aspnet/Hosting/blob/9f1e6607dd1b3d15bc6c42146629677c6b455fd0/src/Microsoft.AspNetCore.Hosting/Internal/HostingApplication.cs#L35-L37

Updated proposal
In the absence of config, inspect IServerAddresses for a url that matches the request scheme and port. The new Https redirect middleware does something similar:
https://github.com/aspnet/BasicMiddleware/blob/dd038387285bf9fa8dc52910ef762b9843ff22e4/src/Microsoft.AspNetCore.HttpsPolicy/HttpsRedirectionMiddleware.cs#L122-L139

Workarounds:

• The same logic could be applied via middleware but it wouldn't help these early diagnostic code paths.
• All consumers would need to be aware of the possibility of a missing host and provide some fallback logic. For loggers this isn't too bad, they could leave it out or substitute "unspecified", but redirect-to-https would have no default recourse.

[charlessolar]

As noted in other thread this would fix issues related to using HaProxy and aspnetcore - would like to have a fix sooner rather than later as its a slightly big problem for me right now.

All health checks from HaProxy are failing by default - currently investigating workarounds.. including having haproxy use http/1.1 or disabling logging somehow

Workaround for HaProxy is like so:

option  httpchk GET /health HTTP/1.1\r\nHost:\ www

or if like me you are using marathon-lb as part of DCOS then you should label your service like this:

"HAPROXY_0_BACKEND_HTTP_HEALTHCHECK_OPTIONS": "  option  httpchk GET {healthCheckPath} HTTP/1.1\\r\\nHost:\\ www\n  timeout check {healthCheckTimeoutSeconds}s\n"

[davidfowl]

@Volak you can work around the issue right now by implementing your own IHttpContextFactory and setting the host header same as the above is proposing.

[muratg]

cc @glennc

[Tratcher]

Note to self, Host includes a port that's scheme specific. In a reverse proxy scenario we would not know what that port would be, nor would Hosting be aware of the public scheme as forwarders would not be applied yet. Should apps rely on x-forwarded-host to override the default value in that scenario?

If the config value does not include a port then Hosting can add one by looking at the local port.

[Drawaes]

Note to you. Any 1/2 decent reverse proxy with rewrite said header if it's an issue

[Tratcher]

@glennc I found a way to provide an default host value. See the updated proposal above.

[davidfowl]

Would that happen on every request?

[Tratcher]

Only requests without a host header, and there'd be room for caching.

[muratg]

Bringing back to triage

[Tratcher]

@glennc @shirhatti this feature is more relevant for HTTP/2 where the Host/Authority is optional.