mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-31 01:47:33 +02:00
79d5657742
Envoy has an option 'auto_host_rewrite' that rewrites the Host header of an incoming request to match the upstream domain that the proxied request is sent to. Pomerium sets the 'auto_host_rewrite' option for all Pomerium routes that do not set one of the "Host Rewrite options" (see https://www.pomerium.com/docs/reference/routes/headers#host-rewrite-options). When Envoy rewrites the Host header, it does not include the upstream port, even when it is a non-standard port for the scheme (i.e. a port other than 80 for http or a port other than 443 for https). I think this behavior does not conform to RFC 9110. The nearest thing I can find in the text is this statement about http and https URIs: "If the port is equal to the default port for a scheme, the normal form is to omit the port subcomponent." (from https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.3) I take this to mean that the port should be specified in other cases. There is a work-around: we can set an explicit hostname on each cluster endpoint. Let's set this hostname based on the 'to' URL(s) from the Pomerium route. This should change the current behavior in two cases: - When a route has a 'to' URL with a port number, this port number will now be included in the Host header in the requests made by Pomerium. - When a route has a 'to' URL with 'localhost' or an IP address as the host, Pomerium will now rewrite the Host header to match the 'to' URL. There should be no change in behavior for routes where one of the "Host Rewrite options" is set. |
||
|---|---|---|
| .. | ||
| envoyconfig | ||
| testdata | ||
| autocert.go | ||
| autocert_test.go | ||
| codec_type.go | ||
| codec_type_test.go | ||
| config.go | ||
| config_source.go | ||
| config_source_test.go | ||
| constants.go | ||
| crypt.go | ||
| custom.go | ||
| custom_test.go | ||
| doc.go | ||
| from.go | ||
| from_test.go | ||
| helpers.go | ||
| helpers_test.go | ||
| http.go | ||
| http_test.go | ||
| identity.go | ||
| layered.go | ||
| layered_test.go | ||
| log.go | ||
| log_level.go | ||
| metrics.go | ||
| metrics_test.go | ||
| mtls.go | ||
| mtls_test.go | ||
| options.go | ||
| options_check.go | ||
| options_test.go | ||
| policy.go | ||
| policy_ppl.go | ||
| policy_ppl_test.go | ||
| policy_test.go | ||
| session.go | ||
| session_test.go | ||
| trace.go | ||
| trace_test.go | ||
| validate.go | ||