Open dli7319 opened 2 years ago
Quick fix in cps/reverseproxy.py
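```python
# X-Forwarded-Host may hold several comma-separated hosts, one per proxy; use the first
servr = environ.get('HTTP_X_FORWARDED_HOST', '').replace(', ', ',').split(',')
if servr and servr[0]:
    environ['HTTP_HOST'] = servr[0]
    self.proxied = True
```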
I got the exact same problem when using the suggested docker image linuxserver/calibre-web behind an Apache reverse proxy. It seems that the docker image picks up the x-forwarded-for header and breaks the redirect. So the problem in #1444 just got a lot more common when using the docker image with an external proxy.
NB: The fix here, as mentioned in #1444, is to unset the x-forwarded-for header or apply the patch above by @dli7319.
Describe the bug/problem
When using multiple reverse proxies, the host names are entered into the X-Forwarded-Host header. Since this is read as a string, we get 302 redirects with comma-separated locations. This is a duplicate of #1444, which I don't believe was fixed.
In my use case, I have calibre-web behind ingress-nginx and buzzfeed/sso.
To Reproduce
Launch calibre-web behind multiple reverse proxies which both append to X-Forwarded-Host.
Expected behavior
After login or logout, I should get redirected to the proper webpage. Instead I get redirected to https://calibre.davidl.me%2Ccalibre.davidl.me.
Additional context
In #1444, it is mentioned that the reverse proxy code is copied from the Flask documentation. Presumably this is cps/reverseproxy.py. However, the current documentation suggests using some middleware which seemingly does parse X-Forwarded-Host properly.
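The redirect reported above and a stricter way to choose the host, as an added example that is not calibre-web's code or part of the original posts. It goes beyond the quick fix by picking the entry by trusted-proxy count and checking an optional allowlist; the function names, the middleware class, `trusted_proxies`, `allowed_hosts` and the sample values are assumptions.

```python
from urllib.parse import quote

def naive_host(environ):
    # Behaviour reported in the issue: the whole header string is used as the host.
    return environ.get("HTTP_X_FORWARDED_HOST") or environ.get("HTTP_HOST", "")

def forwarded_host(environ, trusted_proxies=1, allowed_hosts=None):
    """Return a single host from a possibly comma-separated X-Forwarded-Host.

    Assumes every trusted proxy appends one entry, so the value written by the
    outermost trusted proxy sits `trusted_proxies` places from the right.
    Anything further left may have been supplied by the client.
    """
    fallback = environ.get("HTTP_HOST", "")
    raw = environ.get("HTTP_X_FORWARDED_HOST", "")
    values = [v.strip() for v in raw.split(",") if v.strip()]
    if trusted_proxies < 1 or len(values) < trusted_proxies:
        return fallback
    host = values[-trusted_proxies]
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return fallback  # hypothetical allowlist of expected public names
    return host

def redirect_location(host, path="/"):
    # Models how a comma in the host ends up as %2C in the Location header.
    return "https://" + quote(host, safe=".:-[]") + path

class ForwardedHostMiddleware:
    """WSGI wrapper (hypothetical name) that rewrites HTTP_HOST before the app runs."""
    def __init__(self, app, trusted_proxies=1, allowed_hosts=None):
        self.app = app
        self.trusted_proxies = trusted_proxies
        self.allowed_hosts = allowed_hosts

    def __call__(self, environ, start_response):
        environ["HTTP_HOST"] = forwarded_host(
            environ, self.trusted_proxies, self.allowed_hosts)
        return self.app(environ, start_response)

# Constructed sample: two proxies each appended the same public name.
SAMPLE = {"HTTP_X_FORWARDED_HOST": "calibre.davidl.me,calibre.davidl.me",
          "HTTP_HOST": "calibre-web.internal:8083"}

if __name__ == "__main__":
    print(redirect_location(naive_host(SAMPLE)))
    print(redirect_location(forwarded_host(SAMPLE, trusted_proxies=2)))
```

Set `trusted_proxies` to the number of proxies you operate in front of the application; if the header carries fewer entries than that, the function falls back to the original `HTTP_HOST`.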