httpd behind proxy

Dave McMurtrie dave64 at andrew.cmu.edu
Thu Jun 21 14:19:04 EDT 2018


On Thu, 21 Jun 2018, Дилян Палаузов wrote:

> Hello,
>
> Nginx being proxy removes the Etag when sub(stutions) are involved 
> (https://forum.nginx.org/read.php?2,242807,242809#msg-242809).
>
> If Nginx is used as proxy and it returns ETags on GET, then most 
> probably the backend runs already on https and has the right hostname, 
> so that nginx doesn't need any rewritings.
>
> Now, if a client sends Forwarded header and httpd, not being behind a 
> reverse proxy, interprets it, replacing the schema and hostname in the 
> answer, e.g the URL: in /freebusy/user/... request, then the behaviour 
> of httpd by interpreting the header will be correct: the client asked 
> for troubles and got troubles.  The troubles however do will not happen 
> if httpd is behind a proxy and the proxy inserts Forwarded, as only the 
> last Forwarded is supposed to be interpreted.  Irgnoring in this case 
> Forwarded, as this is anyway now the case, is also correct.
>
> So I propose removing the checks in imap/http_proxy.c:http_proto_host() 
> for config_mupdate_server and proxyservers.

Wouldn't that break in a murder configuration?  proxyservers is how the 
backend httpd server knows it's an authorized frontend proxy connecting to 
it.

Dave


More information about the Cyrus-devel mailing list