httpd behind proxy

Дилян Палаузов Dilyan.Palauzov at aegee.org
Sun Jun 24 05:26:22 EDT 2018


Hello Dave,

from what I see, the Forwarded header is used by httpd only to generate correct URLs in the responses.

Moreover, adding for= to Forwarded: in write_forwarding_hdrs, that is never used, is kind of overengineering.

Greetings
  Дилан

On June 21, 2018 8:19:04 PM GMT+02:00, Dave McMurtrie <dave64 at andrew.cmu.edu> wrote:
>On Thu, 21 Jun 2018, Дилян Палаузов wrote:
>
>> Hello,
>>
>> Nginx being proxy removes the Etag when sub(stitutions) are involved
>> (https://forum.nginx.org/read.php?2,242807,242809#msg-242809).
>>
>> If Nginx is used as proxy and it returns ETags on GET, then most
>> probably the backend runs already on https and has the right hostname,
>> so that nginx doesn't need any rewritings.
>>
>> Now, if a client sends Forwarded header and httpd, not being behind a
>> reverse proxy, interprets it, replacing the schema and hostname in the
>> answer, e.g. the URL: in /freebusy/user/... request, then the behaviour
>> of httpd by interpreting the header will be correct: the client asked
>> for troubles and got troubles.  The troubles however will not happen
>> if httpd is behind a proxy and the proxy inserts Forwarded, as only the
>> last Forwarded is supposed to be interpreted.  Ignoring in this case
>> Forwarded, as this is anyway now the case, is also correct.
>>
>> So I propose removing the checks in imap/http_proxy.c:http_proto_host()
>> for config_mupdate_server and proxyservers.
>
>Wouldn't that break in a murder configuration?  proxyservers is how the
>backend httpd server knows it's an authorized frontend proxy connecting to
>it.
>
>Dave
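
The trust rule discussed in this thread, as an added example in C that is not Cyrus code and not written by either poster: a Forwarded header is honoured only when the peer is an authorized frontend, and only its last element is read. `fwd_param`, `base_url` and the `peer_is_trusted_proxy` flag are hypothetical names standing in for the server's own proxy check.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: copy parameter `key` of the LAST Forwarded element
 * (the one added by the nearest proxy) into out. Returns 1 if found.
 * Simplification: ',' and ';' inside quoted strings are not handled. */
static int fwd_param(const char *hdr, const char *key, char *out, size_t outlen)
{
    const char *p = strrchr(hdr, ',');
    size_t klen = strlen(key);
    p = p ? p + 1 : hdr;
    while (*p) {
        p += strspn(p, " \t;");
        size_t plen = strcspn(p, ";");
        if (plen > klen && !strncasecmp(p, key, klen) && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t vlen = plen - klen - 1;
            while (vlen && (v[vlen - 1] == ' ' || v[vlen - 1] == '\t')) vlen--;
            if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') { v++; vlen -= 2; }
            if (vlen == 0 || vlen >= outlen) return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += plen;
    }
    return 0;
}

/* Build the scheme://host prefix for generated URLs. peer_is_trusted_proxy
 * is an assumed flag meaning "the peer authenticated as a configured
 * frontend"; a Forwarded header from any other client is ignored. */
const char *base_url(int peer_is_trusted_proxy, const char *forwarded,
                     const char *local_proto, const char *local_host,
                     char *out, size_t outlen)
{
    char proto[8], host[256];
    if (peer_is_trusted_proxy && forwarded) {
        if (fwd_param(forwarded, "proto", proto, sizeof proto) &&
            (!strcmp(proto, "http") || !strcmp(proto, "https")))
            local_proto = proto;            /* only known schemes accepted */
        if (fwd_param(forwarded, "host", host, sizeof host) &&
            !strpbrk(host, "/\\ \t\r\n"))
            local_host = host;              /* reject path or whitespace */
    }
    int n = snprintf(out, outlen, "%s://%s", local_proto, local_host);
    return (n > 0 && (size_t)n < outlen) ? out : NULL;
}
```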

