spring-projects / spring-boot

Spring Boot helps you to create Spring-powered, production-grade applications and services with absolute minimum fuss.
https://spring.io/projects/spring-boot
Apache License 2.0

x-forwarded-proto has https repeated #9008

Closed hpeimer closed 7 years ago

hpeimer commented 7 years ago

I have the following architecture:

Google Cloud Load Balancer (https) ----> Api Gateway with Zuul ----> Mobile Service.

The Load Balancer terminates the HTTPS and forwards the request to the Gateway. The Gateway runs Zuul and forwards the request to the Mobile Service.

Issue: The mobile service receives the following header with duplicated value:
x-forwarded-proto=https,https

The same request on the Gateway server is correct: x-forwarded-proto=https

The issue occurs with Spring-boot 1.5.3.RELEASE and Spring-Cloud Dalston.RELEASE.

The issue does not exist with Spring-boot 1.4.6.RELEASE and Spring-Cloud Camden.SR6

wilkinsona commented 7 years ago

Given the number of different components involved here, can you explain why you've opened an issue against Spring Boot? In particular, in the interests of avoiding duplicate effort, can you please share any analysis that you have done which tells you the problem is in Spring Boot?

hpeimer commented 7 years ago

It appears there are no references to x-forwarded-proto in the Zuul code so I suspect something in spring-boot.

I've reproduced this with minimalistic code. One server which is Zuul enabled, and redirects to the other (called mobile) which provides a REST endpoint that displays the header value of x-forwarded-proto.

I used Postman to test. Adding a header: X-Forwarded-Proto = http.

By hitting the url: GET http://localhost:8080/mobile/test

This displays: x-formwarded-proto=http,http

When changing the versions of Spring-Boot/Spring-Cloud to previous versions, it works as expected.

Attached is the source.

protobug.zip

wilkinsona commented 7 years ago

Thanks for the sample. As I suspected, this doesn't have anything to do with Spring Boot. The http,http is coming from PreDecorationFilter in Spring Cloud Netflix. It's a combination of the header's original value and the request's scheme. Judging by the code, the concatenation of the two is intentional.

/cc @spencergibb and @dsyer to see if there's a need for a Spring Cloud Netflix issue for this.

dsyer commented 7 years ago

Sigh. Looks like we might need to fix it: https://github.com/spring-cloud/spring-cloud-netflix/issues/1895.
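
Added example (not part of the thread, and not Spring Boot or Spring Cloud Netflix code): a downstream service such as the mobile service above can receive a comma-joined X-Forwarded-Proto like https,https, and the Postman test shows a client-supplied value reaching it too, so the header should be split and validated before it drives redirect or secure-cookie decisions. The class and method names are hypothetical, and the code assumes each proxy appends its own view so that the leftmost entry belongs to the outermost hop.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example: defensive parsing of a multi-valued X-Forwarded-Proto header
// in a service that sits behind a chain of proxies.
public class ForwardedProto {

    // Splits the raw header on commas and accepts only "http" / "https" tokens.
    // Any other token raises an exception, so a malformed or injected value is
    // rejected instead of being used as the request scheme.
    static List<String> parse(String raw) {
        List<String> hops = new ArrayList<>();
        if (raw == null || raw.trim().isEmpty()) {
            return hops;
        }
        for (String token : raw.split(",", -1)) {
            String scheme = token.trim().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                throw new IllegalArgumentException("unexpected X-Forwarded-Proto token");
            }
            hops.add(scheme);
        }
        return hops;
    }

    // Assumption: proxies append, so the leftmost entry is the scheme seen at
    // the outermost hop. fallback is the scheme of the direct connection and
    // is used when the header is absent.
    static String clientScheme(String raw, String fallback) {
        List<String> hops = parse(raw);
        return hops.isEmpty() ? fallback : hops.get(0);
    }

    public static void main(String[] args) {
        // Constructed sample values, including the two reported in the issue.
        String[] samples = {"https", "https,https", "http,http", "HTTPS, http", null};
        for (String s : samples) {
            System.out.println(s + " -> " + clientScheme(s, "http"));
        }
        try {
            clientScheme("https,javascript", "http");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```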