As specified in RFC 7239 (and documented on MDN), parameters of the Forwarded header are optional. Having a Forwarded header does not imply having a forwarded host value in it. For this reason, even if a Forwarded header is present, it is still necessary to check for additional values provided by the X-Forwarded-* header family when one is missing from the Forwarded header.

The problem was encountered in a real-world scenario where a request passing through a proxy reached our server with the following headers:

Forwarded: for=1.2.3.4; by=Akamai-Nevada
X-Forwarded-Proto: https
X-Forwarded-Host: example.com
X-Forwarded-Port: 443
X-Forwarded-For: 1.2.3.4

Our use of the server.forward-headers-strategy=framework Spring Boot property, which activates the ForwardedHeaderFilter, makes the HttpServletRequest provide the following values:

httpServletRequest.getScheme() ==> http
httpServletRequest.getServerName() ==> localhost
httpServletRequest.getServerPort() ==> 64511 (random value)

Our expectation would be to have instead:

httpServletRequest.getScheme() ==> https
httpServletRequest.getServerName() ==> example.com
httpServletRequest.getServerPort() ==> 443

Comment From: pivotal-cla

@jmesny Please sign the Contributor License Agreement!

Comment From: pivotal-cla

@jmesny Thank you for signing the Contributor License Agreement!

Comment From: rstoyanchev

@jmesny, did the proxy create both standard and non-standard headers, or were they added by different proxies? It's a bit unclear how this came about, and I think it's important to try and address the issue further upstream rather than take all headers and merge them at our level.

This is especially the case due to security concerns. We have this warning in our docs that we are not in a good position to judge whether such headers came from a trusted proxy or from external clients, and recommend that such concerns be dealt with by a proxy where that is known. They should also be sorting out the headers to ensure consistent use of standard or non-standard ones.

Note that the spec recommends in section 7.4 that proxies should be converting non-standard headers to "Forwarded".
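The following is an added example that is not part of this thread and not Spring Framework code. It puts the two points made above into working form: the issue description's element-by-element fallback from Forwarded to X-Forwarded-* (using the exact headers quoted there), and rstoyanchev's point that such headers should only be honoured when they came from a known proxy, plus a helper that renders the resolved values as the single Forwarded header RFC 7239 section 7.4 recommends proxies emit. It goes beyond the issue's case by also handling quoted IPv6 values. The TRUSTED_PROXIES allow-list, the peer addresses, and the precedence rules (Forwarded parameter, then X-Forwarded-*, then the local socket value) are assumptions made for this illustration, not the documented behaviour of ForwardedHeaderFilter.

```python
"""Resolve scheme/host/port/client of a proxied request from RFC 7239 Forwarded,
falling back to X-Forwarded-* per element, gated on a trusted-proxy allow-list.

Added example; not Spring Framework code. TRUSTED_PROXIES, the peer addresses
and the precedence rules are assumptions made for this illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed allow-list: forwarding headers are honoured only from these peers
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
DEFAULT_PORTS = {"http": 80, "https": 443}

# The headers quoted in the issue description
ISSUE_HEADERS = {
    "Forwarded": "for=1.2.3.4; by=Akamai-Nevada",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "example.com",
    "X-Forwarded-Port": "443",
    "X-Forwarded-For": "1.2.3.4",
}


def parse_forwarded(value):
    """Return the parameters of the first (client-most) Forwarded element.

    RFC 7239: elements are comma-separated, parameters semicolon-separated,
    names are case-insensitive and values may be quoted. Every parameter
    (for, by, host, proto) is optional, so callers must expect missing keys.
    (Assumes no quoted value contains ',' or ';', which is true in practice.)
    """
    params = {}
    for pair in value.split(",", 1)[0].split(";"):
        name, sep, val = pair.partition("=")
        if sep:
            params[name.strip().lower()] = val.strip().strip('"')
    return params


def split_host_port(value):
    """Split 'host[:port]' into (host, port or None); IPv6 literals stay bracketed."""
    if value.startswith("["):
        host, _, rest = value.partition("]")
        return host + "]", int(rest[1:]) if rest[1:].isdigit() else None
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def resolve_request(headers, peer_ip, local_scheme, local_host, local_port):
    """Compute the client-facing view of the request as a dict.

    Per element: Forwarded parameter if present, else the matching
    X-Forwarded-* header, else the value observed on the local socket.
    """
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        # Untrusted peer: these headers are client-controlled, so ignore them
        return {"scheme": local_scheme, "host": local_host,
                "port": local_port, "client": peer_ip}

    h = {k.lower(): v for k, v in headers.items()}
    fwd = parse_forwarded(h["forwarded"]) if "forwarded" in h else {}

    scheme = (fwd.get("proto") or h.get("x-forwarded-proto") or local_scheme).lower()
    forwarded_host = fwd.get("host") or h.get("x-forwarded-host")
    host, port = split_host_port(forwarded_host or local_host)

    xfp = h.get("x-forwarded-port", "")
    if port is None and xfp.isdigit():
        port = int(xfp)
    if port is None:
        # A forwarded host/scheme without a port implies the scheme's default port;
        # with no forwarding information at all, keep the local socket port
        had_forwarding = bool(forwarded_host) or "proto" in fwd or "x-forwarded-proto" in h
        port = DEFAULT_PORTS.get(scheme, local_port) if had_forwarding else local_port

    # 'for' may be an IP, "[ipv6]:port", or an obfuscated identifier such as _hidden
    client = (fwd.get("for")
              or h.get("x-forwarded-for", "").split(",")[0].strip()
              or peer_ip)
    return {"scheme": scheme, "host": host, "port": port, "client": client}


def to_forwarded(resolved):
    """Render the resolved values as one RFC 7239 Forwarded value.

    Section 7.4 recommends proxies convert X-Forwarded-* to this form; values
    containing ':' or brackets are not tokens and must be quoted.
    """
    def quote(v):
        v = str(v)
        return '"%s"' % v if any(c in v for c in ':[]') else v
    pairs = (("for", resolved["client"]),
             ("host", "%s:%s" % (resolved["host"], resolved["port"])),
             ("proto", resolved["scheme"]))
    return ";".join("%s=%s" % (k, quote(v)) for k, v in pairs)


if __name__ == "__main__":
    # Same request seen from a trusted and from an untrusted peer (constructed addresses)
    print(resolve_request(ISSUE_HEADERS, "192.0.2.10", "http", "localhost", 64511))
    print(resolve_request(ISSUE_HEADERS, "198.51.100.7", "http", "localhost", 64511))
```

Run as a script, the first line shows the values the issue expected (https, example.com, 443, client 1.2.3.4) because the missing proto/host were taken from X-Forwarded-*, while the second keeps the local socket values because the peer is not on the allow-list. The allow-list gate is the part that matters most: without it, merging both header families only widens what an external client can spoof.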

Comment From: rstoyanchev

Closing due to lack of feedback.