  1. OpenAM
  2. OPENAM-14874

It would be nice if the x-forwarded-* option was able to parse the comma-separated string and use the first (outermost) proxy host name.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.5.0
    • Fix Version/s: 6.0.1, 6.5.3, 7.0.0, 5.5.2
    • Component/s: None
    • Labels:
    • Sprint:
      AM Sustaining Sprint 64, AM Sustaining Sprint 65
    • Story Points:
      3
    • Needs backport:
      No
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same as in the description

      Description

      When there are multiple apache2 proxies (and presumably other proxy servers as well) in front of OpenAM, the X-Forwarded-Host header will contain a comma-separated list of host names that were forwarded. This causes the .well-known OIDC endpoint to have malformed URLs in the endpoints when the X-forwarded-* BaseURL service option is used:

      "authorization_endpoint": "https://host1.domain, host2.domain/am/oauth2/realms/root/realms/myrealm/authorize"

      The Base URL service does not have options to use x-forwarded-for (static value, x-forwarded-*, host, or custom). That x-forwarded-for value also gets appended as the request goes through multiple layers of proxies, but is not useful for this as it is the hostname of the proxy server instance, and probably not the load balanced hostname accessed by the user (that would be x-forwarded-host).

      The BaseURL option for "x-forwarded-*" as delivered appends the x-forwarded-proto with the x-forwarded-host. It has no options other than that. This is the basis of my RFE: that it would be useful for the option, rather than blindly taking the 2 header values and appending them together to make a URL (that may be invalid if host is a list), to parse the multiple-value host, and either select the first value, or possibly allow the admin to specify the index of the value to use in the list.

      Reference:  https://httpd.apache.org/docs/2.4/mod/mod_proxy.html


      The different X-Forwarded-* header fields are listed below (Taken from MDN web docs):

      • X-Forwarded-For : Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or a load balancer.
      • X-Forwarded-Host : Identifies the original host requested that a client used to connect to your proxy or load balancer.
      • X-Forwarded-Proto : Identifies the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.
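
The parsing requested in the description, sketched as an added Python example (not OpenAM code and not part of the original issue): it splits the comma-separated X-Forwarded-Host value, selects the first element or an admin-chosen index, and validates the result before building the base URL. The function names, the hostname pattern, the exact-case header keys and the optional allowlist are assumptions; the sample header values are the ones shown in the issue.

```python
import re

# Constructed hostname pattern (assumption): dot-separated labels, optional port.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*(?::\d{{1,5}})?")

# Header values from the issue: two proxies each contributed a host name.
SAMPLE = {"X-Forwarded-Proto": "https",
          "X-Forwarded-Host": "host1.domain, host2.domain"}


def _pick(value, index):
    """Split a comma-separated header value and return the element at index."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if not 0 <= index < len(parts):
        raise ValueError(f"no element {index} in forwarded header {value!r}")
    return parts[index]


def naive_base_url(headers):
    """Join proto and host unparsed, which yields the malformed URL in the issue."""
    return f"{headers['X-Forwarded-Proto']}://{headers['X-Forwarded-Host']}"


def base_url(headers, index=0, allowed_hosts=None):
    """Build the base URL from one element of X-Forwarded-Host.

    index=0 selects the first (outermost) proxy host name. allowed_hosts is a
    hypothetical allowlist: the header is only trustworthy if the edge proxy
    sets or overwrites it, so known-good values can be pinned here.
    """
    proto = _pick(headers.get("X-Forwarded-Proto", ""), 0).lower()
    host = _pick(headers.get("X-Forwarded-Host", ""), index).lower()
    if proto not in ("http", "https"):
        raise ValueError(f"unexpected scheme {proto!r}")
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"not a valid host[:port]: {host!r}")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host {host!r} is not on the allowlist")
    return f"{proto}://{host}"


if __name__ == "__main__":
    print(naive_base_url(SAMPLE))      # malformed, as in the issue
    print(base_url(SAMPLE))            # first (outermost) host
    print(base_url(SAMPLE, index=1))   # admin-selected index
```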

       



            People

            • Assignee:
              lawrence.yarham Lawrence Yarham
              Reporter:
              ashley.hale Ashley Hale