Closed RonaldinhoL closed 1 month ago
X-Forwarded-Proto is an unofficial header, but if you accept the MDN definition of the header, it can only have one value. This makes sense: if it could have multiple values, it'd be ambiguous as some of the hops might use HTTPS and others HTTP.

The bug is in how you're doing request forwarding: only the outermost host, likely a proxy or load balancer, should be setting X-Forwarded-Proto, and downstream hosts should not modify or append values to it.
I use Cloudflare and a cloud provider; they both add X-Forwarded-Proto, I guess. Can we extract the first one instead of raising an exception?
That's really an issue for upstream of waitress. The cloud provider is incorrectly modifying the X-Forwarded-Proto header. I would guess that you need to look at the LB configuration you have configured to prevent it from doing so.
If you can get your proxy to use the Forwarded header instead, that would be a better idea.
Malformed proxy header "X-Forwarded-Proto" from "21.0.0.1": Unspecified behavior for multiple values found in header value: https, https
In fact, when forwarded by multiple servers, multiple values for X-Forwarded-Proto should be a valid value.
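Putting the thread's two points into code, as an added example that is neither waitress's own code nor the maintainer's: the strict single-value X-Forwarded-Proto check that produces a rejection like the log line above, next to a parser for the standardized Forwarded header (RFC 7239) that the maintainer suggests, where one element per proxy hop is the intended design rather than an error. The function names, the sample header values and the "http" default are assumptions of this example.

```python
"""Added example (not waitress's own code): strict single-value handling of
X-Forwarded-Proto next to a parser for the standardized Forwarded header
(RFC 7239), which is designed to carry one element per proxy hop."""
from __future__ import annotations

import re

VALID_SCHEMES = ("http", "https")


def parse_x_forwarded_proto(value: str) -> str:
    """Return the single scheme carried by X-Forwarded-Proto.

    Raises ValueError when more than one value is present: a second value
    means a downstream hop appended to a header only the outermost proxy
    should set, and the safe reaction is to surface that misconfiguration
    rather than pick one of the values.
    """
    parts = [p.strip().lower() for p in value.split(",")]
    if len(parts) != 1:
        raise ValueError(
            "Unspecified behavior for multiple values found in header value: "
            + value
        )
    if parts[0] not in VALID_SCHEMES:
        raise ValueError(f"unknown scheme in X-Forwarded-Proto: {parts[0]!r}")
    return parts[0]


def parse_forwarded(value: str) -> list[dict[str, str]]:
    """Parse a Forwarded header into one dict of parameters per hop.

    Elements are comma-separated, parameters semicolon-separated, e.g.
        Forwarded: for=203.0.113.7;proto=https, for=198.51.100.2;proto=http
    Each proxy appends its own element, so several elements are expected
    here, unlike X-Forwarded-Proto. Quoted values ("...") are unquoted;
    this simple splitter assumes (an assumption of this example) that a
    quoted value contains no comma or semicolon.
    """
    hops: list[dict[str, str]] = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            continue
        params: dict[str, str] = {}
        for pair in element.split(";"):
            if "=" not in pair:
                raise ValueError(f"malformed Forwarded parameter: {pair!r}")
            name, raw = pair.split("=", 1)
            name = name.strip().lower()  # parameter names are case-insensitive
            raw = raw.strip()
            if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \" and \\
            if name in params:
                raise ValueError(f"duplicate parameter {name!r} in one element")
            params[name] = raw
        hops.append(params)
    return hops


def effective_scheme(headers: dict[str, str], default: str = "http") -> str:
    """Decide the client-facing scheme from the proxy headers of a request.

    Forwarded wins when present: its first element was added by the proxy
    closest to the client, so that element's proto is the scheme the client
    used. Otherwise X-Forwarded-Proto is read in strict single-value mode.
    With neither header the caller's default applies; "http" is the
    conservative choice because it never marks a plain request as secure.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "forwarded" in lowered:
        hops = parse_forwarded(lowered["forwarded"])
        if hops and "proto" in hops[0]:
            proto = hops[0]["proto"].lower()
            if proto not in VALID_SCHEMES:
                raise ValueError(f"unknown scheme in Forwarded: {proto!r}")
            return proto
    if "x-forwarded-proto" in lowered:
        return parse_x_forwarded_proto(lowered["x-forwarded-proto"])
    return default


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real deployment.
    samples = [
        {"X-Forwarded-Proto": "https"},
        {"X-Forwarded-Proto": "https, https"},  # the case from the issue
        {"Forwarded": "for=203.0.113.7;proto=https, for=198.51.100.2;proto=http"},
        {},
    ]
    for hdrs in samples:
        try:
            print(hdrs, "->", effective_scheme(hdrs))
        except ValueError as exc:
            print(hdrs, "-> rejected:", exc)
```

Taking "the first value" of a multi-valued X-Forwarded-Proto, as asked above, is the weaker option: when an intermediary appends instead of overwriting, whatever the client itself sent arrives first, so the first value is the one least worth trusting. Rejecting the request makes the misconfigured hop visible, and the Forwarded header records each hop's claim separately so no value is ever overwritten or ambiguous.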