#26037: HttpRequest.get_host() uses either HTTP_X_FORWARDED_HOST or HTTP_X_FORWARDED_PORT => should use both
-------------------------------+--------------------------------------
     Reporter:  benoitbryon    |                    Owner:  nobody
         Type:  Bug            |                   Status:  new
    Component:  HTTP handling  |                  Version:  1.9
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by mattrobenolt):

 Hm, this is a bit tricky. The HTTP_HOST header typically includes the port number as well, so I'd expect X-Forwarded-Host to include this information.

 So in my opinion, X-Forwarded-Host would supersede the use of X-Forwarded-Port. But in the real world, I've never actually seen this.

 If I were doing this in nginx, I'd have a rule like:

 {{{
 proxy_set_header X-Forwarded-Host $host;
 }}}

 And this would give you the value of the HTTP_HOST header from the client, which would already include the port number since this is what's sent along from clients.

 I guess the argument could be made that the value of X-Forwarded-Port, in theory, could be used to override this? For the case of multiple proxies or something. But again, I've never seen this case in practice.

 I'd vote to just document that X-Forwarded-Host takes priority over X-Forwarded-Port imo. If someone needs some other crazy logic, it's not hard to implement your own. I see this most often done in middlewares anyways to mutate the META dict to coerce everything to behave as they want.

 Now technically, in theory, you can construct an HTTP request that doesn't include the port number in the HTTP_HOST, but this is going against the spec: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

 Given that the spec requires this, I think it's fair to assume that X-Forwarded-Host should as well contain the port number.

 Overall, this is only a problem if the port specified in X-Forwarded-Host differed from what was passed through to X-Forwarded-Port, and in which case, I can't think of when that would happen. So I'm open to hearing a scenario where this may happen.

--
Ticket URL: <https://code.djangoproject.com/ticket/26037#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
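
The precedence discussed in the comment above, as an added example that is neither Django's code nor the commenter's: a stand-alone helper that lets X-Forwarded-Host win over X-Forwarded-Port and reports the one case the comment calls a problem, where the two carry different ports. The names `split_host`, `resolve_forwarded_host` and `SAMPLE_META` are hypothetical, and using X-Forwarded-Port only when the host value has no port is an assumption of this sketch.

```python
import re

# host[:port] with optional bracketed IPv6 literal, as a Host header carries it.
_HOST_RE = re.compile(
    r"^(?P<name>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>[0-9]{1,5}))?$")


def split_host(value):
    """Return (lowercased name, port or None); ValueError if malformed."""
    m = _HOST_RE.match(value.strip())
    if not m:
        raise ValueError("malformed host value: %r" % value)
    return m.group("name").lower(), m.group("port")


def resolve_forwarded_host(meta, scheme="http"):
    """Hypothetical helper: X-Forwarded-Host takes priority over
    X-Forwarded-Port. Returns (host, warnings) for a WSGI-style META dict."""
    warnings = []
    default_port = "443" if scheme == "https" else "80"
    fwd_port = meta.get("HTTP_X_FORWARDED_PORT")
    if fwd_port is not None and not re.fullmatch(r"[0-9]{1,5}", fwd_port):
        warnings.append("ignored malformed X-Forwarded-Port %r" % fwd_port)
        fwd_port = None
    raw = meta.get("HTTP_X_FORWARDED_HOST") or meta.get("HTTP_HOST")
    if raw is None:
        raise ValueError("no host header present")
    name, port = split_host(raw)
    if port is None:
        # Assumption: only when the host value has no port does
        # X-Forwarded-Port fill the gap.
        port = fwd_port or default_port
    elif fwd_port is not None and fwd_port != port:
        # The only problematic case named in the comment: the two disagree.
        # The host value wins; the mismatch is reported for logging.
        warnings.append("X-Forwarded-Host port %s != X-Forwarded-Port %s"
                        % (port, fwd_port))
    host = name if port == default_port else "%s:%s" % (name, port)
    return host, warnings


# Constructed sample: the two forwarded headers disagree on the port.
SAMPLE_META = {"HTTP_X_FORWARDED_HOST": "app.example.com:8443",
               "HTTP_X_FORWARDED_PORT": "9000"}

if __name__ == "__main__":
    print(resolve_forwarded_host(SAMPLE_META, scheme="https"))
```

Both headers are client-controlled unless the proxy in front overwrites them, so the resolved host still has to pass an allow-list check such as Django's ALLOWED_HOSTS.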