Skip to content

Add scheme matcher for routing on TLS state#97

Merged
tigerwill90 merged 1 commit into
masterfrom
feat/scheme-matcher
Apr 26, 2026
Merged

Add scheme matcher for routing on TLS state#97
tigerwill90 merged 1 commit into
masterfrom
feat/scheme-matcher

Conversation

@tigerwill90
Copy link
Copy Markdown
Collaborator

@tigerwill90 tigerwill90 commented Apr 25, 2026
edited
Loading

Summary

Adds a new built-in matcher to the existing list (alongside header, query, client IP) for routing on the request scheme.

The match is derived from r.TLS only. We deliberately don't look at r.URL.Scheme because Go populates it from the request-line, which a client can set to anything via the HTTP/1.1 absolute-form (RFC 7230 §5.3.2). For example, sending GET https://anything/path HTTP/1.1 over plain TCP is a valid request that lands on the server with r.URL.Scheme == "https" while r.TLS == nil. Same reasoning for X-Forwarded-Proto: it can be spoofed unless the application validates it within a trust boundary (e.g. trusted proxy list). When that's needed, users can write their own Matcher and decide where the trust comes from.

Example

f.Add(fox.MethodGet, "/admin", adminHandler, fox.WithSchemeMatcher("https"))

@tigerwill90 tigerwill90 requested a review from pawndev April 25, 2026 22:08
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@tigerwill90 tigerwill90 merged commit 69eca44 into master Apr 26, 2026
4 checks passed
@tigerwill90 tigerwill90 deleted the feat/scheme-matcher branch April 26, 2026 09:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pawndev pawndev pawndev approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tigerwill90 @pawndev