Item14544: SCRIPTURL breaks when X-FORWARDED-HOST has multiple values.
Priority: Urgent
Current State: Closed
Released In: 2.1.5
Target Release: patch
In a setup with e.g. multiple reverse proxies or load balancers, it can happen that the X-FORWARDED-HOST request header contains multiple values, separated by a comma and space. In this case, URLs generated with SCRIPTURL are broken.
This could be worked around by enabling {ForceDefaultUrlHost}, but this conflicts with our need to be able to reach the Foswiki on different domains.
--
AdrianHolfter - 27 Nov 2017
We have a setting - $Foswiki::cfg{PROXY}{UseForwardedForHeader}. We should probably add an equivalent $Foswiki::cfg{PROXY}{UseForwardedHostPortHeader}. And apply the first in list of both Hostname and Port when building the URL. (Oops... this is a planned enhancement for Foswiki 2.2, not in released code yet.)
The Bootstrap code does process FORWARDED-HOST but without splitting it.
The Foswiki 2.2 features are part of Item14380. It obviously needs some additional work. Looks like we need to properly handle X-Forwarded-Proto, X-Forwarded-Port, X-Forwarded-Host and X-Forwarded-For. Only Forwarded-Host and Forwarded-For seem to have any consistent use. I've found other packages, Drupal, etc. with activity discussing these headers. We discussed this at today's Release meeting. We should centralize parsing of the X-Forwarded-* headers into a utility routine somewhere, so that Foswiki->getScriptUrl(), Foswiki::Request->url(), Foswiki::Configure::Bootstrap and the various Engines treat these headers consistently.
--
GeorgeClark - 27 Nov 2017
A partial fix for this will be in 2.1.5.
- Bootstrap, and Foswiki::Request should now properly split the X-Forwarded-Host and will use the first entry.
The complete fix for Forwarders support will be in 2.2.
--
GeorgeClark - 08 Dec 2017
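
The "split and use the first entry" handling and the centralized X-Forwarded-* parsing discussed above, sketched as an added example (not Foswiki's code). The names `first_forwarded_value` and `forwarded_base_url`, the fallback argument and the hostname syntax check are assumptions of this example.

```perl
use strict;
use warnings;

# Hypothetical helper (not a Foswiki routine): first entry of a
# comma-separated X-Forwarded-* value, surrounding whitespace removed.
sub first_forwarded_value {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($first) = split /,/, $raw;
    return undef unless defined $first;
    $first =~ s/^\s+|\s+$//g;
    return length($first) ? $first : undef;
}

# Build "proto://host[:port]" from a CGI-style environment hash.
# $fallback is a configured host used when the header is absent or malformed.
sub forwarded_base_url {
    my ( $env, $fallback ) = @_;

    my $proto = lc( first_forwarded_value( $env->{HTTP_X_FORWARDED_PROTO} ) // 'http' );
    $proto = 'http' unless $proto =~ /^https?$/;

    my $host = first_forwarded_value( $env->{HTTP_X_FORWARDED_HOST} ) // $fallback;

    # Syntax check added by this example: a hostname with an optional :port,
    # so a header value carrying "/", "@", spaces or quotes never reaches a URL.
    my ( $name, $port ) =
      $host =~ /^([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::(\d{1,5}))?$/;
    return "$proto://$fallback" unless defined $name;

    # A port inside the host value wins over X-Forwarded-Port.
    my $fport = first_forwarded_value( $env->{HTTP_X_FORWARDED_PORT} );
    $port //= $fport if defined $fport && $fport =~ /^\d{1,5}$/;

    # Drop out-of-range ports and the scheme's default port.
    my $default = $proto eq 'https' ? 443 : 80;
    undef $port
      if defined $port && ( $port == $default || $port < 1 || $port > 65535 );

    return "$proto://" . lc($name) . ( defined $port ? ":$port" : '' );
}

# Constructed sample input: each header carries two comma-separated values.
my %env = (
    HTTP_X_FORWARDED_HOST  => 'wiki.example.org, lb1.internal.example',
    HTTP_X_FORWARDED_PROTO => 'https, http',
    HTTP_X_FORWARDED_PORT  => '443, 8080',
);
print forwarded_base_url( \%env, 'localhost' ), "\n";
```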