httpd behind proxy
Ken Murchison
murch at fastmail.com
Wed Jun 20 13:10:45 EDT 2018
On 06/20/2018 12:23 PM, Dilyan Palauzov wrote:
> Hello,
>
> I want to run cyrus-httpd behind a proxy, making it listen on
> 127.0.0.3:80. It then sends on /freebusy/user/me the URL
> http://127.0.0.3/freebusy/user/me , which I don't want. If I tweak
> the front-end, nginx, to rewrite 127.0.0.3 -> my hostname, Nginx is
> smart enough and removes the ETags sent by cyrus/httpd, so this
> approach does not work.
>
> Then I decided to insert "Forwarded: host=my host; proto=https"
> header, however imap/http_proxy.c:http_proto_host handles the
> Forwarded header only
>
>     if (config_mupdate_server &&
>         config_getstring(IMAPOPT_PROXYSERVERS) &&
>         (fwd = spool_getheader(req_hdrs, "Forwarded"))) {
>         /* Proxied request - parse last Forwarded header for proto and host */
>
> What is the rationale behind interpreting Forwarded only when
> mupdate_server and proxyservers are set?

I don't recall if I had any specific reason in mind when I added that
check. The downside of removing the check is that a client can do as
you plan to and can cause the server to change URLs in replies. I'm not
a security expert, but this seems like something we don't allow a client
to do.

I know that we (FastMail) run Cyrus behind nginx and this hasn't become
an issue, unless our ops guys have patched Cyrus or found a different
way to handle this in Nginx. Bron may know, once he wakes up.

--
Ken Murchison
Cyrus Development Team
FastMail US LLC
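
Added example (not part of the original message and not Cyrus code): one way to address the concern raised in the reply is to honor Forwarded only when the TCP peer is a known proxy, and to validate the host value before it is used in generated URLs. The function names, the allow-list and the sample addresses are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define HOSTCHARS "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-:[]"
/* Constructed allow-list: addresses the front-end proxy connects from. */
static const char *trusted_proxies[] = { "127.0.0.1", "::1" };

static int peer_is_trusted(const char *peer) {
    size_t i;
    for (i = 0; i < sizeof(trusted_proxies) / sizeof(*trusted_proxies); i++)
        if (!strcmp(peer, trusted_proxies[i])) return 1;
    return 0;
}

/* Copy host= from the last Forwarded element (added by the nearest proxy).
 * Simplification: assumes no ',' or ';' inside quoted parameter values. */
static int forwarded_host(const char *fwd, char *out, size_t outlen) {
    const char *p = strrchr(fwd, ',');
    size_t n;
    for (p = p ? p + 1 : fwd; *p; p += strcspn(p, ";"), p += (*p == ';')) {
        p += strspn(p, " \t");
        if (strncasecmp(p, "host=", 5)) continue;
        p += 5;
        if (*p == '"') n = strcspn(++p, "\"");
        else n = strcspn(p, "; \t");
        /* Only host[:port] characters, so the value cannot carry a path,
         * userinfo or control characters into generated URLs. */
        if (!n || n >= outlen || strspn(p, HOSTCHARS) < n) return 0;
        memcpy(out, p, n);
        out[n] = '\0';
        return 1;
    }
    return 0;
}

/* Host to use in generated URLs: Forwarded only when the peer is trusted,
 * otherwise the request's own Host header. */
const char *effective_host(const char *peer, const char *fwd,
                           const char *host_hdr, char *buf, size_t buflen) {
    if (fwd && peer_is_trusted(peer) && forwarded_host(fwd, buf, buflen))
        return buf;
    return host_hdr;
}

int main(void) {
    char buf[256];  /* sample header below is constructed */
    const char *fwd = "for=198.51.100.7;host=mail.example.org;proto=https";
    puts(effective_host("127.0.0.1", fwd, "127.0.0.3", buf, sizeof(buf)));
    puts(effective_host("203.0.113.9", fwd, "127.0.0.3", buf, sizeof(buf)));
    return 0;
}
```

The same header sent by a peer outside the allow-list is ignored, so a direct client cannot change the URLs in replies.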