New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working #53423
Comments
The actual issue lies in the
go/src/net/http/httputil/reverseproxy.go Line 246 in 9068c68
Line 380 in 9068c68
I added a debug output before and after the
So it looks like the This can be a privacy issue because currently golang is leaking the original client ip to the end targets even if the header is set to nil to prevent that |
Seems to be working? https://go.dev/play/p/ME0dFW6gT1g |
Nope. Here is a short play to demonstrate the underlying issue:
The Here is also some pseudocode for an http handler that forwards the request using
If you add the debug statements on the clone method mentioned in the comment, you can see that the header value is not nil after cloning |
Maybe, but the comment does not say this exactly, it only mentions the header value needs to be nil
I also think the |
Given that |
Change https://go.dev/cl/412857 mentions this issue: |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
In #38079 a check was added to not leak the IP if the
X-Forwarded-For
header is nil.Doing this does not seem to work as it always return an empty string slice
Output:
What did you expect to see?
The header is not added
What did you see instead?
The IP header is always added as it seems impossible to set the value to
nil
go/src/net/http/httputil/reverseproxy.go
Line 301 in 9068c68
The text was updated successfully, but these errors were encountered: