Closed steffkes closed 7 years ago
@steffkes
In the haproxy script that generates the haproxy configuration, it automatically adds reqadd X-Forwarded-Proto:\ <http/https> instruction, based on whether the frontend uses SSL or not. SKIP_FORWARDED_PROTO is added because some users don't like this auto-generated header.
As to removing any headers that come from the user request, it is up to the user to manage it. As you said, yes, a user can use EXTRA_FRONTEND_SETTINGS_<PORT> to do it, which is more like a generic way to solve problems.
If you think it is worth creating a set of Env vars to fulfill the needs, a PR is always welcome.
Thank you
@tifayuki i know, i've read through the configs as well as the scripts that generate them :)
i was just surprised, that we have an option to not add the headers on the request .. but none to remove incoming headers.
since this is used in production as well, and not only meant for debugging .. this is one of the first things i was looking after, to avoid any problems because the client is able to pass through information that is relevant for the question how to handle the request.
which led me to think that stripping incoming headers is a more common case than other things we do have an option for. once you have the EXTRA_FRONTEND_SETTINGS going, it's perfectly fine of course as well.
so instead of simply asking for an option, just because i was needing (or rather expecting) it .. i wanted to ask how others think about it - don't need to add it, just because ;>
-Stefan
Looks like no one has opinions on this, closing the issue at the moment
Just started using dockercloud-haproxy, mainly for SSL-Termination. First thing i've noticed is, that there is an option SKIP_FORWARDED_PROTO that (as the name implies) does not add a separate header, just assuming it operates behind another load balancer that already did that.
what i'm missing is an option to strip any incoming X-Forwarded-Proto header, because otherwise the client would be able to supply malicious information to my application. obviously you can help yourself already by using extra settings like:
EXTRA_FRONTEND_SETTINGS_<PORT>: reqidel ^X-Forwarded-Proto:.*
at least i'd expect to have an option for it .. so i'd be interested in what others think about this? if there is interest - or at least no rejection - i'd try and come up with a PR for it.
WDYT?
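Added example, not part of the thread or of dockercloud-haproxy's code: a simplified Python model of the three frontend behaviours discussed above (default `reqadd`, `SKIP_FORWARDED_PROTO`, and `reqidel` followed by `reqadd`), showing which `X-Forwarded-Proto` values reach the backend when a client sends its own header over plain HTTP. The function names, the sample request and the backend that trusts the first header value are assumptions made for illustration.

```python
import re

# Constructed sample request headers as (name, value) pairs; not from the thread.
SPOOFED_REQUEST = [
    ("Host", "app.example.test"),
    ("X-Forwarded-Proto", "https"),  # supplied by the client over plain HTTP
]


def frontend(headers, tls, strip_incoming=False, skip_forwarded_proto=False):
    """Simplified model of the frontend rules discussed in the thread.

    strip_incoming       -> reqidel ^X-Forwarded-Proto:.*
    skip_forwarded_proto -> SKIP_FORWARDED_PROTO (no reqadd line is generated)
    """
    out = list(headers)
    if strip_incoming:
        # reqidel matches the whole header line, ignoring case.
        pattern = re.compile(r"^X-Forwarded-Proto:.*", re.IGNORECASE)
        out = [(n, v) for n, v in out if not pattern.match(f"{n}: {v}")]
    if not skip_forwarded_proto:
        # reqadd appends a header; it does not replace an existing one.
        out.append(("X-Forwarded-Proto", "https" if tls else "http"))
    return out


def proto_values(headers):
    """All X-Forwarded-Proto values in the order the backend receives them."""
    return [v for n, v in headers if n.lower() == "x-forwarded-proto"]


def backend_scheme(headers):
    """Hypothetical backend that trusts the first X-Forwarded-Proto value."""
    values = proto_values(headers)
    return values[0] if values else "http"


if __name__ == "__main__":
    cases = {
        "default (reqadd only)": {},
        "SKIP_FORWARDED_PROTO": {"skip_forwarded_proto": True},
        "reqidel + reqadd": {"strip_incoming": True},
    }
    for label, opts in cases.items():
        seen = frontend(SPOOFED_REQUEST, tls=False, **opts)
        print(f"{label:22} values={proto_values(seen)} backend={backend_scheme(seen)}")
```

Only the variant that strips the incoming header leaves the backend with a single value set by the proxy; in the other two the client's value arrives first or alone.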