-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HttpServletRequest.getServerName can include port when using ForwardedRequestCustomizer #5224
Comments
Thanks for filing this issue. But before I get into it I need to do my usual spiel. If you want consistent behavior, you should be using the RFC7239 Since you stated going from Jetty 9.4.18 to 9.4.30 you have progressed through 7 reported issues with As for your reported example testcase ... Your example would result in a Jetty HostPort of I feel that our implementation should throw a BadMessageException and return an error 400 on this invalid header. @gregw what do you think? |
Signed-off-by: Joakim Erdfelt <[email protected]>
Branch Adding port support to |
+ More test cases + Allowing X-Forwarded-Host to parse port (if present properly) Signed-off-by: Joakim Erdfelt <[email protected]>
Opened PR #5226 |
Hi @joakime ,
We have shared this message with some of our customers based on previous 'spiels' we have seen in other Jetty issues 😀 . However based on some of our research, many of the common webservers and load balancers do not natively support setting the Forwarded header. |
Ah, the curse of being sooo good at riding the front wave! 😄 |
@peterlynch please see the commits on PR #5226, especially on the Test cases. You'll see a few things. First, there's a few variations of your headers, in different orders. This is because once
The resolution is ...
resulting authority is But if the order of the headers is different (but the values are not), such as ...
Then the resolution order is ...
Resulting in an authority of There's also a testcase where the So that if you have that
The resolution is ...
resulting in an authority of |
@joakime The tests look good to me - thank you for quickly addressing the issue.
Given that the Host header is allowed to contain a port, my initial reaction to these statements was disagreement. It sounds like support for port inside X-Forwarded-Host has now been added, and thus you have reversed your viewpoint?
Just curious - why does Jetty decide that order of request headers matters? According to https://tools.ietf.org/html/rfc7230#section-3.2.2
|
The The change we made will likely cause us headaches with IPv6 users that don't properly format their IPv6 host addresses in This change we just made is actually against the majority interpretation, and will harm existing IPv6 users that don't properly format their IPv6 addresses for that header value. (they MUST now use IPv6reference ABNF as we no longer support IPv6address ABNF in
Again, this is wholly in "the The behavior you are asking about is what other implementations expect and perform like (this order behavior is especially common on older cloud provider configurations, eg: AWS). To highlight how messed up this is, just look at
In short, there's no |
Signed-off-by: Joakim Erdfelt <[email protected]>
…tiple-ports Issue #5224 X-Forwarded-Host support for port
Jetty version
9.4.30
Java version
Any supported
OS type/version
Any supported
Description
Nexus Repository Manager was upgraded from using Jetty 9.4.18 to 9.4.30.
Customers have reported certain combinations of previously working X-Forwarded-* headers to no longer work. ( https://issues.sonatype.org/browse/NEXUS-25158 ).
It appears a certain combination of X-Forwarded headers can cause HttpServletRequest.getServerName to return a value which is not a host name because it includes a port number. This fails the validation that NXRM does on host name value.
This test case:
Fails with:
We noticed if
X-Forwarded-Port
header is not set, then the test will pass. Still since this was working in 9.4.18, we did not expect this to break on a micro version upgrade.The text was updated successfully, but these errors were encountered: