Re: Reverse Proxy Header Munging

So, what happens if there is more than one reverse proxy in the chain?

X-Forwarded-For looks like the ip number of the reverse proxy.

X-Forwarded-server looks like the  virtual host (potentially), as you suggest.

What is not clear to me is why Apache can't just pass through the HOST header as
received and use the VIA header to convey the reverse proxy information to the
upstream server.

Why is a reverse proxy any  different than a forward proxy? Shouldn't the
VIA header do the job? Do we really need to differentiate the IP number from
the server domain? Shouldn't the later suffice?

At 22:58 -0700 10/12/03, Mark Nottingham wrote:
>They're X- headers; unofficial, albeit oft-used by reverse proxies (aka surrogates, gateways, etc.). X-Forwarded-For is quite common; X-Forwarded-Host and -Server are, I assume, to account for multiple virtual domains and/or multiple gateways in a farm.
>As to its behaviour, everything that happens between a gateway and the upstream server is between those parties, more or less. These headers are pretty straightforward (although there are some potential security issues), but there are other issues brought about by using a HTTP gateway that's based on proxy software; e.g., those highlighted in
>On Sunday, October 12, 2003, at 08:36  PM, John C. Mallery wrote:
>>I'd like to here what people think about the behavior of the current Apache reverse proxy, which rewrites the host header and adds the three x-forwarded-* headers.
>>What is the status of these x-forwarded-* headers?
>>Are there some specs to which implementations should adhere, or is this an Apache ideosyncracy
>>Client Headers for (HTTP/1.1)
>>:HOST =>  "" 8000
>>:ACCEPT => (:* :*)
>>:ACCEPT-LANGUAGE => (:EN-US . 1) (:JA . 0.33) (:EN . 0.67)
>>:IF-MODIFIED-SINCE => 3187296000
>>:USER-AGENT => "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/85.7 (KHTML, like Gecko) Safari/85.5"
>>:X-FORWARDED-SERVER => "localhost.localdomain"

Received on Wednesday, 15 October 2003 14:47:42 UTC