net/http/httputil: ReverseProxy does not strip all hop-by-hop headers #16875
Comments
Should the values be comma-separated, like your example:
Or, space-separated as mentioned in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection#Directives?
CL https://golang.org/cl/27970 mentions this issue.
The list should be separated by comma (with optional additional white-space). The
Thanks for the link. The above CL assumes the tokens are separated with commas with optional white-space.
CL https://golang.org/cl/27971 mentions this issue.
Thanks! Please review this https://golang.org/cl/28493
CL https://golang.org/cl/28493 mentions this issue.
Should these entries be scrubbed from the response headers (like the hop-by-hop headers) as well?
We were already making a copy of the map before removing hop-by-hop headers. This commit does the same for proxied headers mentioned in the "Connection" header. A test is added to ensure request headers are not modified.

Updates #16875

Change-Id: I85329d212787958d5ad818915eb0538580a4653a
Reviewed-on: https://go-review.googlesource.com/28493
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
CL https://golang.org/cl/28810 mentions this issue.
…ReverseProxy

Hop-by-hop headers (explicitly mentioned in RFC 2616) were already removed from the response. This removes the custom hop-by-hop headers listed in the "Connection" header of the response.

Updates #16875

Change-Id: I6b8f261d38b8d72040722f3ded29755ef0303427
Reviewed-on: https://go-review.googlesource.com/28810
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
go version
1.6
go env
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build436466338=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="0"
I created a basic reverse proxy:
Then I sent this HTTP request to the proxy (based on an example in the HTTP/2 spec):
According to the Connection header, HTTP2-Settings is a hop-by-hop header, so I expected that the proxy would strip this header before forwarding the request.
The HTTP2-Settings header (but not the Upgrade header) was not stripped but was forwarded to the backend server.
Stripping hop-by-hop headers was implemented in #2735, but only headers explicitly mentioned in RFC 2616 are removed.
The relevant quote from RFC 7230, section 6.1 is this:
The same requirement was included in RFC 2616, section 14.10.
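An added example (not code from this issue, its CLs, or net/http/httputil) of the behaviour the report asks for: drop every header named as a token in a Connection field, in addition to the fixed RFC 2616 list, while working on a copy so the caller's headers stay untouched. The function names, the X-Example-Hop header and all header values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Fixed hop-by-hop headers from RFC 2616, section 13.5.1.
var hopByHop = []string{
	"Connection", "Keep-Alive", "Proxy-Authenticate", "Proxy-Authorization",
	"Te", "Trailers", "Transfer-Encoding", "Upgrade",
}

// stripHopByHop returns a copy of in without the fixed hop-by-hop headers and
// without any header named as a token in a Connection field. in is not modified.
func stripHopByHop(in http.Header) http.Header {
	out := in.Clone()
	for _, field := range in.Values("Connection") {
		// Tokens are comma-separated with optional surrounding white-space.
		for _, tok := range strings.Split(field, ",") {
			if name := strings.TrimSpace(tok); name != "" {
				out.Del(name) // Del canonicalizes, so matching is case-insensitive
			}
		}
	}
	for _, name := range hopByHop {
		out.Del(name)
	}
	return out
}

// sampleHeaders builds a constructed request header set (values are made up).
func sampleHeaders() http.Header {
	h := http.Header{}
	h.Add("Connection", "Upgrade,  http2-settings")
	h.Add("Connection", "X-Example-Hop") // second field line, hypothetical header
	h.Set("Upgrade", "h2c")
	h.Set("HTTP2-Settings", "constructed-value")
	h.Set("X-Example-Hop", "1")
	h.Set("Accept", "*/*")
	return h
}

func main() {
	for name, values := range stripHopByHop(sampleHeaders()) {
		fmt.Println(name, values)
	}
}
```

The Connection tokens are read before the Connection header itself is deleted; reversing that order would leave the custom hop-by-hop headers in place.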