middleware/proxy_headers.py: Inconsistent x-forwarded-proto for websockets #1935
Discussed in #1933
Originally posted by 1997cui April 9, 2023
Hi,

I recently noticed a potential bug in the proxy_headers.py middleware:

The problem

Upstream reverse proxy (i.e. Caddy or Nginx, check scheme variable) always puts http or https in x-forwarded-proto, even if the request has an Upgrade header and is a WebSocket. This behavior complies with the protocol.

The proxy_headers.py passes the value along into the scope["scheme"], even if it is a WebSocket. This is not correct. According to the spec, the scheme should be either ws or wss.

https or http in websocket type cause routing errors.

A minimal proof of concept
app.py
Caddyfile
Run it
gunicorn app:app --worker-class uvicorn.workers.UvicornWorker --bind 127.0.0.1:5000 --forwarded-allow-ips="*"
Result
wscat -c "wss://slu.t.cuitian1.com/test"
error: Unexpected server response: 403
gunicorn app:app --worker-class uvicorn.workers.UvicornWorker --bind 127.0.0.1:5000 --forwarded-allow-ips=""
result
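The mapping the post argues for, as an added example (not uvicorn's code and not part of the original post): a small ASGI middleware that translates x-forwarded-proto to ws/wss for websocket scopes and ignores the header unless the direct peer is a trusted proxy. The names SchemeFixMiddleware, effective_scheme, make_scope and scheme_seen_by_app are hypothetical, and the sample scopes are constructed.

```python
import asyncio

# Added illustration with hypothetical names; not uvicorn's ProxyHeadersMiddleware.
WS_SCHEME = {"http": "ws", "https": "wss"}


def effective_scheme(scope, trusted_hosts):
    """Scheme the app should see, given x-forwarded-proto and the direct peer."""
    client = scope.get("client")
    peer = client[0] if client else None
    # Honour the header only when the direct peer is a trusted proxy.
    if "*" not in trusted_hosts and peer not in trusted_hosts:
        return scope["scheme"]
    raw = dict(scope["headers"]).get(b"x-forwarded-proto")
    if raw is None:
        return scope["scheme"]
    proto = raw.decode("latin1").strip().lower()
    if proto not in WS_SCHEME:
        return scope["scheme"]  # ignore anything but http/https
    # Proxies send http/https even for Upgrade requests; translate for websockets.
    return WS_SCHEME[proto] if scope["type"] == "websocket" else proto


class SchemeFixMiddleware:
    def __init__(self, app, trusted_hosts=("127.0.0.1",)):
        self.app = app
        self.trusted_hosts = set(trusted_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            scope = dict(scope, scheme=effective_scheme(scope, self.trusted_hosts))
        await self.app(scope, receive, send)


def make_scope(kind, scheme, proto, peer="127.0.0.1"):
    # Constructed sample scope, shaped like what an ASGI server hands the app.
    return {"type": kind, "scheme": scheme, "client": (peer, 40000),
            "headers": [(b"x-forwarded-proto", proto.encode())]}


def scheme_seen_by_app(scope, trusted_hosts=("127.0.0.1",)):
    seen = {}

    async def app(inner_scope, receive, send):
        seen.update(inner_scope)

    asyncio.run(SchemeFixMiddleware(app, trusted_hosts)(scope, None, None))
    return seen["scheme"]
```

With a wildcard trust list, as in the first gunicorn command above, any peer can set the forwarded scheme, so the translation step is what keeps a websocket scope from carrying http or https.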