Pylons / waitress

Waitress - A WSGI server for Python 3
https://docs.pylonsproject.org/projects/waitress/en/latest/

multiple values for X-Forwarded-Proto #442

Closed RonaldinhoL closed 1 month ago

RonaldinhoL commented 1 month ago

Malformed proxy header "X-Forwarded-Proto" from "21.0.0.1": Unspecified behavior for multiple values found in header value: https, https

In fact, when forwarded by multiple servers, multiple values for X-Forwarded-Proto should be a valid value.

kgaughan commented 1 month ago

X-Forwarded-Proto is an unofficial header, but if you accept the MDN definition of the header, it can only have one value. This makes sense: if it could have multiple values, it'd be ambiguous as some of the hops might use HTTPS and others HTTP.

The bug is in how you're doing request forwarding: only the outermost host, likely a proxy or load balancer, should be setting X-Forwarded-Proto, and downstream hosts should not modify or append values to it.

RonaldinhoL commented 1 month ago

I use Cloudflare and a cloud provider; they both add X-Forwarded-Proto, I guess. Can we extract the first one instead of raising an exception?

kgaughan commented 1 month ago

That's really an issue for upstream of waitress. The cloud provider is incorrectly modifying the X-Forwarded-Proto header. I would guess that you need to look at the LB configuration you have configured to prevent it from doing so.

digitalresistor commented 4 weeks ago

If you can get your proxy to use the Forwarded header instead, that would be a better idea.
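As an added example, not waitress's own code (waitress handles these headers in its own request parsing, which is not reproduced here), the following Python sketch shows the two points made in the thread: kgaughan's, that X-Forwarded-Proto carries exactly one value and a comma-joined list should be refused rather than guessed at, and digitalresistor's, that the RFC 7239 Forwarded header is built for multi-hop chains, where each proxy appends its own element and the server can decide which elements it trusts. The `headers` dict (lowercase keys), the `trusted_proxies` count and all sample header values are constructed for this example.

```python
# Added example, not part of waitress: contrasts single-valued
# X-Forwarded-Proto with the per-hop RFC 7239 Forwarded header.
# Assumes `headers` is a dict with lowercase header names.


class MalformedProxyHeader(ValueError):
    """Raised when a proxy header cannot be interpreted unambiguously."""


def x_forwarded_proto(headers):
    """Return the scheme from X-Forwarded-Proto, or None if the header is absent.

    The header is unofficial; the common (MDN) definition allows one value.
    A comma-separated list is refused instead of picking an element: the hops
    may disagree (http vs https), and choosing one silently decides a
    security property of the request.
    """
    raw = headers.get("x-forwarded-proto")
    if raw is None:
        return None
    values = [v.strip().lower() for v in raw.split(",")]
    if len(values) != 1:
        raise MalformedProxyHeader(
            f"Unspecified behavior for multiple values found in header value: {raw}"
        )
    if values[0] not in ("http", "https"):
        raise MalformedProxyHeader(f"unexpected scheme in X-Forwarded-Proto: {raw!r}")
    return values[0]


def _split_unquoted(text, sep):
    """Split `text` on `sep`, ignoring separators inside double-quoted strings."""
    parts, buf, quoted, escape = [], [], False, False
    for ch in text:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\" and quoted:
            buf.append(ch)
            escape = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_forwarded(raw):
    """Parse an RFC 7239 Forwarded header into one dict per proxy hop.

    Elements are comma-separated, one per hop, in the order the hops were
    traversed (first element = hop nearest the client).  Parameters inside
    an element are ';'-separated `name=value` pairs; values may be quoted,
    e.g. for="[2001:db8::1]:8080".
    """
    elements = []
    for element in _split_unquoted(raw, ","):
        pairs = {}
        for pair in _split_unquoted(element, ";"):
            if not pair.strip():
                continue
            if "=" not in pair:
                raise MalformedProxyHeader(f"bad Forwarded pair: {pair!r}")
            name, value = pair.split("=", 1)
            name, value = name.strip().lower(), value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            if name in pairs:
                raise MalformedProxyHeader(f"duplicate parameter {name!r} in Forwarded element")
            pairs[name] = value
        if pairs:
            elements.append(pairs)
    return elements


def client_scheme(headers, trusted_proxies=1):
    """Scheme the client used, derived from Forwarded.

    `trusted_proxies` is the number of proxies in front of this server, each
    of which appends exactly one element.  Only the LAST `trusted_proxies`
    elements were written by hops we trust; anything earlier could have been
    sent by the client itself and is ignored.  The scheme is read from the
    outermost trusted hop, the one that actually terminated the client's
    connection.
    """
    raw = headers.get("forwarded")
    if raw is None:
        return None
    elements = parse_forwarded(raw)
    if len(elements) < trusted_proxies:
        raise MalformedProxyHeader("fewer Forwarded elements than trusted proxies")
    outermost = elements[-trusted_proxies]
    proto = outermost.get("proto", "").lower()
    if proto not in ("http", "https"):
        raise MalformedProxyHeader(f"outermost trusted hop has no usable proto: {outermost}")
    return proto


if __name__ == "__main__":
    # Constructed headers: an edge proxy that terminated TLS, then an inner
    # load balancer that talked plain HTTP to it, two trusted hops in total.
    hdrs = {"forwarded": "proto=https;for=203.0.113.5, proto=http;for=10.0.0.2"}
    print(client_scheme(hdrs, trusted_proxies=2))
```

The `trusted_proxies` parameter is the design decision that X-Forwarded-Proto cannot express: with Forwarded, a client can still prepend its own element, but it cannot make that element one of the last N, so reading from `elements[-trusted_proxies]` keeps the result under the operator's control. None of this changes the advice in the thread for the reporter's setup: the inner load balancer should stop appending to X-Forwarded-Proto, or the chain should switch to Forwarded.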