feat: Option to not trust X-Forwarded-* headers from clients

If header values from a malicious client are passed to the backend server unchecked and unchanged, the client may be able to subvert security checks done by the backend server.
2025-07-01 22:35:45 +00:00 · 2022-03-16 00:59:03 -04:00
parent 5f15f04556
commit 8aa00fcea2
11 changed files with 230 additions and 4 deletions
--- a/test/test_trust-downstream-proxy/test_enabled.py
+++ b/test/test_trust-downstream-proxy/test_enabled.py
@ -0,0 +1,20 @@
+import pytest
+import re
+
+
+@pytest.mark.parametrize('url,header,input,want', [
+    ('http://web.nginx-proxy.tld/headers', 'X-Forwarded-Proto', None, 'http'),
+    ('http://web.nginx-proxy.tld/headers', 'X-Forwarded-Proto', 'f00', 'f00'),
+    ('https://web.nginx-proxy.tld/headers', 'X-Forwarded-Proto', None, 'https'),
+    ('https://web.nginx-proxy.tld/headers', 'X-Forwarded-Proto', 'f00', 'f00'),
+
+    ('http://web.nginx-proxy.tld/headers', 'X-Forwarded-Port', None, '80'),
+    ('http://web.nginx-proxy.tld/headers', 'X-Forwarded-Port', '1234', '1234'),
+    ('https://web.nginx-proxy.tld/headers', 'X-Forwarded-Port', None, '443'),
+    ('https://web.nginx-proxy.tld/headers', 'X-Forwarded-Port', '1234', '1234'),
+])
+def test_downstream_proxy_header(docker_compose, nginxproxy, url, header, input, want):
+    kwargs = {} if input is None else {'headers': {header: input}}
+    r = nginxproxy.get(url, **kwargs)
+    assert r.status_code == 200
+    assert re.search(fr'(?m)^(?i:{re.escape(header)}): {re.escape(want)}$', r.text)