Skip to content

/go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: Host headers with ports never match routes in ServeMux #10463

Closed
jmhodges opened this issue Apr 15, 2015 · 2 comments

Comments

Assignees

@bradfitz bradfitz

Labels
FrozenDueToAge
Projects
None yet
Milestone
  Go1.9
5 participants
@jmhodges @rsc @gopherbot @bradfitz @ianlancetaylor
@jmhodges
Copy link
Contributor

commented Apr 15, 2015

So, in https://howsmyssl.com (jmhodges/howsmyssl), we redirect all incoming requests that don't match the domain www.howsmyssl.com to the correct domain. This captures folks typing in howsmyssl.com and also folks coming in from the howsmytls.com domains that are not yet used, etc.

That is, it uses code like

m.Handle("www.howsmyssl.com/", doSomething)
m.Handler("/", redirectToDomain("www.howsmyssl.com"))

However, it appears that there are some clients that include the port in HTTPS requests and, on redirect, always re-include the port from the first request's Host header. Those requests will fall into a redirect loop with the above code. For instance, curl will just reuse a user-supplied Host header

$ curl -L -H'Host: example.com:443' https://example.com/
 curl: (47) Maximum (50) redirects followed

This has caused a user to create a bug against howsmyssl because certain libraries and tools can't avoid re-including the port and fall into redirect loops.

So, I tried to fix this with routing by adding

m.Handle("www.howsmyssl.com:443/", doSomething)

to the code. However, it seems http.ServeMux will never match the port included in the route and, instead, only uses the incoming URI's host (not the Host header).

One might say to just 404 in the default case, but this will just cause the Host: www.howsmyssl.com:443 requests to 404, instead.

I have a gross hack to strip the port from all incoming requests' Host headers, before it hits the muxer, but this problem seems like one common to a lot of HTTPS services and could be better handled there.

Stripping all ports from Host headers seems ill-advised, but adding ports as a part of the muxer seems like it would work okay.

@jmhodges jmhodges referenced this issue Apr 15, 2015

Closed

Unnecessarily redirects when port is in `Host` header #25

@ianlancetaylor ianlancetaylor added this to the Go1.5Maybe milestone Apr 15, 2015

@ianlancetaylor ianlancetaylor assigned bradfitz Apr 15, 2015

@rsc

This comment has been minimized.

Sign in to view
Copy link
Contributor

commented Jun 29, 2015

Too late for Go 1.5. If this is going to be fixed in a later round, I suggest stripping the port in the (*ServeMux).Handler method just before invoking mux.handler. That is, drop the port in the argument to mux.handler but leave the request alone.

@rsc rsc modified the milestones: Unplanned, Go1.5Maybe Jun 29, 2015

@jmhodges jmhodges referenced this issue Sep 25, 2015

Merged

enforce HTTPS #322

@bradfitz bradfitz modified the milestones: Go1.9, Unplanned Dec 8, 2016

@gopherbot

This comment has been minimized.

Sign in to view
Copy link

commented Mar 15, 2017

CL https://golang.org/cl/38194 mentions this issue.

@gopherbot gopherbot closed this in f1e8803 Mar 24, 2017

@kennygrant kennygrant referenced this issue Jan 5, 2018

Closed

net/http: document and test behavior of ServeMux with ports #23351

@golang golang locked and limited conversation to collaborators Mar 24, 2018

@gopherbot gopherbot added the FrozenDueToAge label Mar 24, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.