I don't think the provided built-in fixers should sacrifice overall performance to cover all edge cases. Writing your own fixers to cover your own cases is usually easy enough and makes for better performance too.
Hi,
At work, we recently switched to a setup with an Apache mod_proxy at the edge of our network and then another mod_proxy local to the machine one of our applications is hosted on. This led to us getting this header back from a Flask app:
Location: http://vooadmin.temp.iweb.co.uk, vooadmin.temp.iweb.co.uk/users/login
And we traced this back to the X-Forwarded-Host header which, when using two Apache mod_proxy instances, can be comma separated. The Django guys had this 5 years ago: https://code.djangoproject.com/ticket/9064 but their solution was to remove support for trusting this header.
In our app we just used
RequestHeader unset X-Forwarded-Host
in Apache as a workaround, but the default behaviour in Werkzeug could probably be improved to just use the first entry if it's comma separated.
Aaron
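A custom fixer of the kind mentioned in this thread, as an added example (not code from Werkzeug or from either poster): a standard-library WSGI middleware that reduces a comma-separated X-Forwarded-Host to the entry written by the outermost trusted proxy, rather than the first entry, and checks it against an allow-list. The names ForwardedHostFixer, num_proxies, allowed_hosts, redirect_app and location_for are assumptions, and the request values are constructed around the host name quoted in the issue.

```python
# Added example; class, parameter and function names are assumptions, and the
# header values are constructed around the host name quoted in the issue.

class ForwardedHostFixer:
    """WSGI middleware that reduces X-Forwarded-Host to one trusted value."""

    def __init__(self, app, num_proxies=1, allowed_hosts=()):
        if num_proxies < 1:
            raise ValueError("num_proxies must be at least 1")
        self.app = app
        self.num_proxies = num_proxies
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def pick_host(self, header_value):
        # Each proxy appends on the right, so the entry written by the
        # outermost trusted proxy is num_proxies from the end. Anything
        # further left arrived with the request and is not trusted.
        values = [v.strip().lower() for v in header_value.split(",")]
        if len(values) < self.num_proxies:
            return None
        host = values[-self.num_proxies]
        if not host or (self.allowed_hosts and host not in self.allowed_hosts):
            return None
        return host

    def __call__(self, environ, start_response):
        # Always drop the raw header so nothing downstream re-parses it.
        raw = environ.pop("HTTP_X_FORWARDED_HOST", None)
        host = self.pick_host(raw) if raw is not None else None
        if host is not None:
            environ["HTTP_HOST"] = host
        return self.app(environ, start_response)

def redirect_app(environ, start_response):
    # Stand-in for the Flask view: builds Location from the request host.
    location = "http://%s/users/login" % environ["HTTP_HOST"]
    start_response("302 Found", [("Location", location)])
    return [b""]

def location_for(forwarded_host, num_proxies=2):
    """Run one constructed request through the fixer; return Location."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update(headers)
    app = ForwardedHostFixer(redirect_app, num_proxies,
                             allowed_hosts=["vooadmin.temp.iweb.co.uk"])
    environ = {"HTTP_HOST": "127.0.0.1:8000",
               "HTTP_X_FORWARDED_HOST": forwarded_host}
    app(environ, start_response)
    return captured["Location"]
```

When the header has fewer entries than there are trusted proxies, or the chosen entry is not on the allow-list, the fixer leaves the backend's own Host value in place.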