
Set additional X-Forwarded- Headers

Open paul-e-allen opened this issue 3 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments; they generate extra noise for issue followers and do not help prioritize the request. If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Tell us about your request

The proxy in front of App Runner apps should set a more complete suite of X-Forwarded- HTTP headers. Right now, it looks like only these headers are set:

  • X-Forwarded-For
  • X-Forwarded-Proto

Adding the following headers would allow modern containerized Rails applications to work better behind the App Runner proxy:

  • X-Forwarded-Host
  • X-Forwarded-Port
  • X-Forwarded-Ssl

Additional context

When Rails doesn't have these headers, it causes problems for the CSRF protections automatically baked-in and available in Rails. See https://github.com/rails/rails/issues/22965

Describe alternatives you've considered

It is possible to disable the CSRF features in Rails configuration:

config.action_controller.forgery_protection_origin_check = false

But it doesn't really make sense given that the App Runner proxy already has the necessary information to make the feature work properly.

paul-e-allen avatar Jun 11 '21 13:06 paul-e-allen

Also, X-Forwarded-Proto doesn't actually look to be set properly to 'https', causing havoc with URLs constructed by Rails.

For my containerized Rails application running in App Runner, it sees 'http' for that header:

{
  ...
  "HTTP_X_ENVOY_EXPECTED_RQ_TIMEOUT_MS": "120000",
  "HTTP_X_ENVOY_EXTERNAL_ADDRESS": "1,2,3,4",
  "HTTP_X_FORWARDED_FOR": "1.2.3.4, 10.0.52.230",
  "HTTP_X_FORWARDED_PROTO": "http",
  "HTTP_X_REQUEST_ID": "a5017120-3df9-4b56-92af-0d42da3ccc08"
...
}

That output was generated by this controller code:

  # Dumps every Rack env entry that came from an HTTP request header
  # (Rack upcases header names and prefixes them with HTTP_, e.g.
  # X-Forwarded-Proto becomes HTTP_X_FORWARDED_PROTO).
  def show_headers
    http_envs = {}.tap do |envs|
      request.headers.each do |key, value|
        envs[key] = value if key.downcase.starts_with?('http')
      end
    end
    render :json => http_envs
  end

And this URL: https://XXXXXXXXXX.us-east-1.awsapprunner.com/ping/headers

paul-e-allen avatar Jun 11 '21 14:06 paul-e-allen
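To make concrete why the missing X-Forwarded-Host/Port/Ssl headers (original post) and the wrong X-Forwarded-Proto value (the follow-up above) break Rails' origin check, here is an added example that is not code from the issue, from App Runner or from Rails itself. It is a simplified, dependency-free model of how a Rack-based app rebuilds its public base URL from the X-Forwarded-* headers and how the forgery_protection_origin_check then compares that base URL with the browser's Origin header. The host, addresses and origin are constructed values; "last entry wins" for comma-separated headers and the nil-Origin-passes rule are assumptions of this model, not claims about Rails internals.

```ruby
# Added example: simplified model of base-URL reconstruction from
# X-Forwarded-* headers and the Rails-style origin check. Not Rails code.

STANDARD_PORTS = { "http" => 80, "https" => 443 }.freeze

# Scheme the client actually used, as reported by the proxy.
def forwarded_scheme(env)
  proto = env["HTTP_X_FORWARDED_PROTO"].to_s
  return proto.split(",").first.strip unless proto.empty?
  return "https" if env["HTTP_X_FORWARDED_SSL"] == "on"
  env["rack.url_scheme"] || "http"
end

# Public host the client addressed; without X-Forwarded-Host the app only
# knows the container's own listener from the Host header.
def forwarded_host(env)
  host = env["HTTP_X_FORWARDED_HOST"].to_s
  return host.split(",").last.strip unless host.empty?
  env["HTTP_HOST"] || env["SERVER_NAME"] || ""
end

# Public port: X-Forwarded-Port, else an explicit "host:port", else the
# default for the scheme.
def forwarded_port(env, scheme, host)
  return env["HTTP_X_FORWARDED_PORT"].to_i if env["HTTP_X_FORWARDED_PORT"]
  explicit = host[/:(\d+)\z/, 1]
  explicit ? explicit.to_i : STANDARD_PORTS.fetch(scheme, 80)
end

# What the app believes its own URL is (standard ports are omitted).
def base_url(env)
  scheme   = forwarded_scheme(env)
  host     = forwarded_host(env)
  port     = forwarded_port(env, scheme, host)
  hostname = host.sub(/:\d+\z/, "")
  port == STANDARD_PORTS[scheme] ? "#{scheme}://#{hostname}" : "#{scheme}://#{hostname}:#{port}"
end

# Model of forgery_protection_origin_check: a request with an Origin header
# is accepted only if that Origin equals the app's own base URL.
def origin_check_passes?(env)
  origin = env["HTTP_ORIGIN"]
  origin.nil? || origin == base_url(env)
end

BROWSER_ORIGIN = "https://example.awsapprunner.com".freeze # constructed

# Constructed env resembling what the container saw in the thread: only
# X-Forwarded-For and a wrong X-Forwarded-Proto, no X-Forwarded-Host.
ENV_BEFORE = {
  "rack.url_scheme"        => "http",
  "HTTP_HOST"              => "127.0.0.1:8080",
  "HTTP_X_FORWARDED_FOR"   => "203.0.113.10, 10.0.0.5",
  "HTTP_X_FORWARDED_PROTO" => "http",
  "HTTP_ORIGIN"            => BROWSER_ORIGIN
}.freeze

# Same request with the corrected Proto plus the headers requested here.
ENV_AFTER = ENV_BEFORE.merge(
  "HTTP_X_FORWARDED_PROTO" => "https",
  "HTTP_X_FORWARDED_HOST"  => "example.awsapprunner.com",
  "HTTP_X_FORWARDED_PORT"  => "443",
  "HTTP_X_FORWARDED_SSL"   => "on"
).freeze

if __FILE__ == $PROGRAM_NAME
  [["before", ENV_BEFORE], ["after", ENV_AFTER]].each do |label, env|
    verdict = origin_check_passes?(env) ? "pass" : "FAIL (InvalidAuthenticityToken)"
    puts "#{label}: base_url=#{base_url(env)} origin=#{env['HTTP_ORIGIN']} origin_check=#{verdict}"
  end
end
```

In the "before" case the app computes http://127.0.0.1:8080 as its own URL, which can never equal the https origin the browser sends, so every cross-check fails and the only escape is disabling the check as the original post describes. Once the proxy supplies the full header set the computed base URL matches and the protection works as designed. The same X-Forwarded-* values should be trusted only when they come from a proxy you control, since a client that can reach the container directly could otherwise set them itself.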

Hi @paul-e-allen , Thanks for reporting. We have fixed the X-Forwarded-Proto header; it is now set to "https" as it should. We'll evaluate the additional extension header asks. Thank you!

ofiliz avatar Sep 23 '21 17:09 ofiliz

This functionality is a requirement for some services - I just tried to run an auth server on App Runner, and understandably it wants to see the Host header. That software does have the ability to be configured to use a different header, so if I could pass an X-Forwarded-Host to it that would enable that application to be run. As it stands, I'll probably need to find a different service to run my use case on.

Alexei-Barnes avatar May 20 '22 15:05 Alexei-Barnes

I am with @Alexei-Barnes on this one. Having at least the x-forwarded-host at hand makes total sense for applications that rely on the host to identify traffic.

fforootd avatar May 20 '22 15:05 fforootd

Where are we with this feature? I need to get access to the host from the headers. My AppRunner is private and it's fronted by ApiGateway. I have enabled the headers forwarding from ApiGateway.

atali avatar Jun 08 '23 15:06 atali