nic-6443 commented on code in PR #12551:
URL: https://github.com/apache/apisix/pull/12551#discussion_r2347759756


##########
apisix/init.lua:
##########
@@ -599,6 +587,54 @@ function _M.handle_upstream(api_ctx, route, enable_websocket)
 end
 
 
+local function handle_x_forwarded_headers(api_ctx)
+    local addr_is_trusted = trusted_addresses_util.is_trusted(api_ctx.var.realip_remote_addr)
+
+    if not addr_is_trusted then
+        -- store the original x-forwarded-* headers
+        -- to allow future use by other plugins or processes
+        api_ctx.var.original_x_forwarded_proto = api_ctx.var.http_x_forwarded_proto
+        api_ctx.var.original_x_forwarded_host = api_ctx.var.http_x_forwarded_host
+        api_ctx.var.original_x_forwarded_port = api_ctx.var.http_x_forwarded_port
+        api_ctx.var.original_x_forwarded_for = api_ctx.var.http_x_forwarded_for
+
+        local proto = api_ctx.var.scheme
+        local host = api_ctx.var.host
+        local port = api_ctx.var.server_port
+
+        api_ctx.var.http_x_forwarded_proto = proto
+        api_ctx.var.http_x_forwarded_host = host
+        api_ctx.var.http_x_forwarded_port = port
+        api_ctx.var.http_x_forwarded_for = nil
+
+        -- override the x-forwarded-* headers to the trusted ones
+        core.request.set_header(api_ctx, "X-Forwarded-Proto", proto)
+        core.request.set_header(api_ctx, "X-Forwarded-Host", host)
+        core.request.set_header(api_ctx, "X-Forwarded-Port", port)
+        -- later processed in ngx_tpl by `$proxy_add_x_forwarded_for`
+        core.request.set_header(api_ctx, "X-Forwarded-For", nil)
+    end
+end
+
+
+local function update_var_x_forwarded_headers(api_ctx)
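Review bot: The `original_x_forwarded_*` variables saved in `handle_x_forwarded_headers` hold header values from a peer that `is_trusted` has just rejected, yet the comment above them only says they are kept for future use by other plugins. A plugin that later reads them to decide scheme, host or client address would bring back the spoofing this function removes, so the comment should state the trust level, e.g. `-- NOTE: original_x_forwarded_* are client-supplied and unverified; use for logging/diagnostics only, never for routing, auth or IP-based decisions`. It may also be worth confirming whether other forwarding headers such as `Forwarded` or `X-Real-IP` need the same treatment, since nothing in the visible lines touches them. The quoted hunk stops at the signature of `update_var_x_forwarded_headers`, whose body is not shown here.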

Review Comment:
   I suggest renaming this function to `set_upstream_x_forwarded_headers` 
because the ultimate purpose of updating these `ctx.var` is to update the 
headers sent upstream. Just like the previous function named 
`set_upstream_headers`, using a name like `update_var...` makes it hard to know 
that it's for updating headers sent upstream without looking at specific 
variable usage.


