~emersion/kimchi: Don't trust http.Request.URL.Scheme to set Forwarded proto

cd8b11f5fc31b088f2586428e37d4e26c2e68ae7 — Simon Ser 2 months ago 1585a9b master

Don't trust http.Request.URL.Scheme to set Forwarded proto

Instead, use contextTLSState.

patch browse .tar.gz

1 files changed, 9 insertions(+), 2 deletions(-)

M directives.go

M directives.go => directives.go +9 -2

@@ 215,9 215,16 @@ var backends = map[string]parseBackendFunc{
 		proxy := httputil.NewSingleHostReverseProxy(target)
 		director := proxy.Director
 		proxy.Director = func(req *http.Request) {
-			forwarded := fmt.Sprintf("for=%q;host=%q;proto=%q", req.RemoteAddr, req.Host, req.URL.Scheme)
+			proto := "http"
+			if contextTLSState(req.Context()) != nil {
+				proto = "https"
+			}
+
+			forwarded := fmt.Sprintf("for=%q;host=%q;proto=%q", req.RemoteAddr, req.Host, proto)
 			forwardedForHost, _, _ := net.SplitHostPort(req.RemoteAddr)
+
 			director(req)
+
 			// Override reverse proxy header fields: the incoming request's
 			// header is not trusted
 			req.Header.Set("Forwarded", forwarded)


@@ 227,7 234,7 @@ var backends = map[string]parseBackendFunc{
 				req.Header.Del("X-Forwarded-For")
 			}
 			req.Header.Set("X-Forwarded-Host", req.Host)
-			req.Header.Set("X-Forwarded-Proto", req.URL.Scheme)
+			req.Header.Set("X-Forwarded-Proto", proto)
 		}
 		return proxy, nil
 	},