home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Incorrect forward header handling #125557

Open neclimdul opened 1 month ago

neclimdul commented 1 month ago

The problem

This line incorrectly triggers an error when receiving multiple forward headers. https://github.com/home-assistant/core/blob/d88487e30be24f32a99d958ebb7de597f17710a1/homeassistant/components/http/forwarded.py#L114-L119

This causes failures on reasonably common and valid setups leading to bug reports.

https://github.com/home-assistant/core/issues/108982

Maybe others? There seem to be some discussions that sound like they are running into this.

The problem happens when you have multiple reverse proxies. For example, a WAF/CDN like Cloudflare plus an edge router to handle NAT complexity on a home network.

Cloudflare -> firewall NAT to reverse proxy -> HA

For some reverse proxies, this still isn't a problem because they'll combine the IPs into a list, but this isn't a requirement.

The fix, and the logic for it, is to combine the lists, appending the later headers on.

This is documented in the Forwarded RFC for the standardized field:

A proxy server that wants to add a new "Forwarded" header field value can either append it to the last existing "Forwarded" header field after a comma separator or add a new field at the end of the header block.

As well as in the MDN documentation for the de facto standard this code is looking at:

There may be multiple X-Forwarded-For headers present in a request. The IP addresses in these headers must be treated as a single list, starting with the first IP address of the first header and continuing to the last IP address of the last header. There are two ways of making this single list:

join the X-Forwarded-For full header values with commas and then split by comma into a list, or
split each X-Forwarded-For header by comma into lists and then join the lists

It is insufficient to use only one of multiple X-Forwarded-For headers.

What version of Home Assistant Core has the issue?

core-2024.9.1

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

No response

Link to integration documentation on our website

No response

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response
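The merge the MDN text above describes, combined with the usual trusted-proxy walk from the right to pick the client address, as an added Python example (this is not Home Assistant's own forwarded.py code; the addresses, trusted ranges and the two-header layout are constructed to mirror the Cloudflare -> haproxy -> HA setup from the report):

```python
"""Merge multiple X-Forwarded-For headers into one list, then pick the client IP."""
import ipaddress


def merge_forwarded_for(headers):
    """Return every address from every X-Forwarded-For header, in wire order.

    `headers` is a list of (name, value) pairs. Joining all values with commas
    and then splitting gives the same list as splitting each header and
    concatenating, so a proxy that appends a second header and one that
    extends the first header are treated identically.
    """
    values = [value for name, value in headers if name.lower() == "x-forwarded-for"]
    return [hop.strip() for hop in ",".join(values).split(",") if hop.strip()]


def client_ip(peer, headers, trusted_proxies):
    """Walk the merged chain from the right, skipping trusted proxies.

    Returns None if the connecting peer is not a trusted proxy (the headers
    are then untrusted and ignored) or if any hop is not a valid IP address.
    Returns the peer itself when no X-Forwarded-For header is present.
    """
    trusted = [ipaddress.ip_network(net, strict=False) for net in trusted_proxies]
    peer_addr = ipaddress.ip_address(peer)
    if not any(peer_addr in net for net in trusted):
        return None
    try:
        chain = [ipaddress.ip_address(hop) for hop in merge_forwarded_for(headers)]
    except ValueError:  # a malformed hop: refuse rather than guess
        return None
    if not chain:
        return peer_addr
    for hop in reversed(chain):
        if not any(hop in net for net in trusted):
            return hop
    return chain[0]  # every hop was a trusted proxy: take the leftmost


# Constructed sample: the CDN appended the client address as one header,
# haproxy then appended the CDN edge address as a *second* header.
SAMPLE_HEADERS = [
    ("Host", "ha.example"),
    ("X-Forwarded-For", "203.0.113.7"),      # added by the CDN (real client)
    ("X-Forwarded-For", "198.51.100.20"),    # added by haproxy (CDN edge)
]
TRUSTED = ["10.0.0.0/8", "198.51.100.0/24"]  # haproxy LAN + constructed CDN range

if __name__ == "__main__":
    print(merge_forwarded_for(SAMPLE_HEADERS))
    print(client_ip("10.0.0.5", SAMPLE_HEADERS, TRUSTED))
```

Walking from the right means a value the client put in its own X-Forwarded-For header is never chosen as long as every real proxy is listed as trusted.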

neclimdul commented 1 month ago

For clarity, haproxy is one such proxy that appends a header. This is the default reverse proxy built into pfSense and OPNsense, with GUI controls and Let's Encrypt integration.

home-assistant[bot] commented 1 month ago

Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!


(message by CodeOwnersMention)
