express-http-proxy

[investigate] Authors can opt-in to auto-setting X-Forwarded headers for proxy request

Open danosaure opened this issue 7 years ago • 7 comments

Hi,

I've realized that this middleware doesn't add any of the X-Forwarded-* or Forwarded headers. Is it intentional that everyone using this should add these themselves?

This is what I have to do (and not totally sure I got it done properly):

        proxyReqOptDecorator(proxyReqOpts, srcReq) {
            const headers = proxyReqOpts.headers;

            // X-Forwarded-Path
            //      We want to keep the original because that's what the browser will use.
            if (!headers['x-forwarded-path']) {
                headers['x-forwarded-path'] = pathConfig.path;
            }

            // X-Forwarded-For
            let remoteAddress = srcReq.connection.remoteAddress;
            if (remoteAddress.match(/:/)) {
                remoteAddress = `[${remoteAddress}]`;
            }
            if (headers['x-forwarded-for']) {
                headers['x-forwarded-for'] = headers['x-forwarded-for'].split(/,\s*/).concat(remoteAddress).join(', ');
            } else {
                headers['x-forwarded-for'] = remoteAddress;
            }

            // X-Forwarded-Host
            if (!headers['x-forwarded-host']) {
                headers['x-forwarded-host'] = srcReq.headers.host;
            }

            // X-Forwarded-Proto
            if (!headers['x-forwarded-proto']) {
                headers['x-forwarded-proto'] = srcReq.protocol;
            }

            // Forwarded
            if (!headers['forwarded']) {
                headers['forwarded'] = [
                    `path=${headers['x-forwarded-path']}`,
                    `for=${headers['x-forwarded-for']}`,
                    `host=${headers['x-forwarded-host']}`,
                    `proto=${headers['x-forwarded-proto']}`
                ].join('; ');
            } else {
                headers['forwarded'] = headers['forwarded'].split(/;\s*/).concat([`for=${remoteAddress}`]).join('; ');
            }

            return proxyReqOpts;
        }

danosaure avatar Apr 28 '17 18:04 danosaure

Currently, the library does not add any headers, but rather simply copies the headers from the req object passed to it.

I can't tell if your concern is it's not copying your headers, or you believe that this lib should add them automatically.

monkpow avatar Apr 28 '17 19:04 monkpow

Yes, my concern is that no "Forward" headers are added by the proxy. But in my case, I just do it because I need those headers that are added by another proxy (testing server without having the proxy installed on my local, thus looking at simple alternatives like this module).

danosaure avatar Apr 28 '17 20:04 danosaure

Interesting. I'm going to dig in a little and see if I can compose a useful standard set that could be added optionally for authors. Do you mind if I use the code sample above as a starting point?

monkpow avatar Apr 29 '17 13:04 monkpow

Please do, if you want to see how I am using it: https://github.com/Quoin/dummy-proxy/blob/master/app.js

And trying to follow: https://tools.ietf.org/html/rfc7239

danosaure avatar Apr 29 '17 14:04 danosaure
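
An added example, not part of the thread and not express-http-proxy code: a header builder that could be called from `proxyReqOptDecorator`, emitting `Forwarded` in RFC 7239 syntax and discarding client-supplied forwarding headers unless a trusted proxy sits in front. `addForwardingHeaders`, `trustIncoming` and the sample request are assumptions made for illustration, and `srcReq.protocol` assumes an Express request.

```javascript
// Added example, not express-http-proxy code. addForwardingHeaders and
// trustIncoming are hypothetical names chosen for this illustration.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 token characters

// RFC 7239 values that are not a plain token must be sent as a quoted-string.
function quoteIfNeeded(value) {
  return TOKEN.test(value) ? value : `"${value.replace(/(["\\])/g, '\\$1')}"`;
}

// RFC 7239 node: an IPv6 literal is bracketed, which then forces quoting.
function forwardedNode(addr) {
  return quoteIfNeeded(addr.includes(':') ? `[${addr}]` : addr);
}

function addForwardingHeaders(proxyReqOpts, srcReq, { trustIncoming = false } = {}) {
  const headers = proxyReqOpts.headers || (proxyReqOpts.headers = {});
  const peer = (srcReq.socket || srcReq.connection).remoteAddress;
  const host = srcReq.headers.host;
  const proto = srcReq.protocol; // set by Express: 'http' or 'https'

  if (!trustIncoming) {
    // No trusted proxy in front of us: copies of these headers came from the
    // client and are unauthenticated, so drop them instead of extending them.
    for (const name of ['forwarded', 'x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto']) {
      delete headers[name];
    }
  }

  // One forwarded-element per hop: pairs joined with ";", hops with ", ".
  const element = `for=${forwardedNode(peer)};host=${quoteIfNeeded(host)};proto=${proto}`;
  headers['forwarded'] = headers['forwarded'] ? `${headers['forwarded']}, ${element}` : element;
  headers['x-forwarded-for'] = headers['x-forwarded-for'] ? `${headers['x-forwarded-for']}, ${peer}` : peer;
  headers['x-forwarded-host'] = headers['x-forwarded-host'] || host;
  headers['x-forwarded-proto'] = headers['x-forwarded-proto'] || proto;
  return proxyReqOpts;
}

// Constructed sample request: an IPv6 client that also sent a spoofed header.
function sample(trustIncoming) {
  const srcReq = { socket: { remoteAddress: '2001:db8::7' }, protocol: 'https',
                   headers: { host: 'app.example.test:8443' } };
  const opts = { headers: { 'x-forwarded-for': '10.0.0.1' } };
  return addForwardingHeaders(opts, srcReq, { trustIncoming }).headers;
}
console.log(sample(false));
console.log(sample(true));
```

With `trustIncoming` left at `false` the spoofed `10.0.0.1` entry never reaches the backend; with `true` it is kept and the connecting peer is appended after it, so the backend should rely only on the entries added by proxies it controls.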

I've noticed the same with the content-length header for POST requests (not sure about other types of requests).

Version: 1.0.7

bitsal avatar Nov 13 '17 11:11 bitsal

Interesting. Content-length is not copied (in either direction) because the author can modify the body. When sending the user response, we compute content-length directly and re-add, but looks like we never did this for the proxy request.

monkpow avatar Nov 14 '17 17:11 monkpow

For whoever is still struggling with the configuration of X-Forwarded headers, I would recommend using http-proxy-middleware. I've spent the entire day trying to make express-http-proxy send these headers correctly. And with http-proxy-middleware it was like { xfwd: true } and that's it. 🤦

VoloshinS avatar Jun 01 '21 15:06 VoloshinS