X-Forwarded-Host can have a comma-separated list #162

kusnier opened this Issue May 16, 2012 · 2 comments


None yet

2 participants

kusnier commented May 16, 2012

The implementation in HttpScriptlet is wrong. (See: 7920930)

Actually the X-Forwareded-Host can have a comma-spearated list.

Apache mod_proxy doc

Be careful when using these headers on the origin server, since they will contain more than
one (comma-separated) value if the original request already contained one of these headers.


Apache Config

<VirtualHost first.dev.lan:81>
  ServerName first.dev.lan
  ProxyPass / http://second.dev.lan:80/
  ProxyPassReverse / http://second.dev.lan:80/

<VirtualHost second.dev.lan:80>
  ServerName second.dev.lan
  ProxyPass / http://localhost:9999/
  ProxyPassReverse / http://localhost:9999/

Start nc with:

nc -l 9999

curl http://first.dev.lan:81

nc Output:

GET / HTTP/1.1
Host: localhost:9999
User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/ libidn/1.23 librtmp/2.3
Accept: */*
X-Forwarded-Host: first.dev.lan:81, second.dev.lan
X-Forwarded-Server: first.dev.lan, second.dev.lan
Connection: Keep-Alive


The X-Forwarded-Host is used to generate a URL with two hosts:

  ('on' == $request->getEnvValue('HTTPS') ? 'https' : 'http').'://'.
  $request->getHeader('X-Forwarded-Host', $request->getEnvValue('HTTP_HOST')).

Possible solution is:

  ('on' == $request->getEnvValue('HTTPS') ? 'https' : 'http').'://'.
  current(explode(', ', $request->getHeader('X-Forwarded-Host', $request->getEnvValue('HTTP_HOST')))).
thekid commented May 16, 2012

Good catch, I think this should go into 5.8.5. Maybe not using currentI(explode(...))) but basically yes.

@thekid thekid added a commit that referenced this issue May 31, 2012
@thekid thekid - Fix "lang.FormatException (Host and/or port malformed)" on multiple…
… entries in X-Forwarded-Host header

# See issue #162
@thekid thekid added a commit that referenced this issue May 31, 2012
@thekid thekid - Add note on fix of issue #162 7e3121e
@thekid thekid closed this May 31, 2012
@thekid thekid was assigned May 31, 2012
thekid commented May 31, 2012

Also merged to xp5_9.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment