Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Documentation : behind a reverse proxy

See original GitHub issue

Here is a code snippet you could include in the documentation reltive to RootUrl https://github.com/domaindrivendev/Swashbuckle#rooturl

I think I am facing a common problem (2 chained reverse proxies) and many users can benefit from this…

    public static string ComputeHostAsSeenByOriginalClient(HttpRequestMessage req)
    {
        if (req.Headers.Contains("X-Forwarded-Host"))
        {
            //we are behind a reverse proxy, use the host that was used by the client
            var xForwardedHost = req.Headers.GetValues("X-Forwarded-Host").First();
            //when multiple apache httpd are chained, each proxy append to the header 
            //with a comma (see //https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers).
            //so we need to take only the first host because it is the host that was 
            //requested by the original client.
            //note that other reverse proxies may behave differently but 
            //we are not taking care of them...
            var firstForwardedHost = xForwardedHost.Split(',')[0];

            //now that we have the host, we also need to determine the protocol used by the 
            //original client.
            //if present, we are using the de facto standard header X-Forwarded-Proto, assuming 
            //that only the first reverse proxy in the chain added it.
            //otherwise, we fallback to http
            //note that this is extremely brittle, either because the first proxy 
            //can "forget" to set the header or because another proxy can rewrite it...
            var xForwardedProto = req.Headers.Contains("X-Forwarded-Proto")
                ? req.Headers.GetValues("X-Forwarded-Proto").First()
                : "http";
            return xForwardedProto + "://" + firstForwardedHost;
        }
        else
        {
            //no reverse proxy mean we can directly use the RequestUri
            return req.RequestUri.Scheme + "://" + req.RequestUri.Authority;
        }
    }

Issue Analytics

State:
Created 7 years ago
Comments:8 (1 by maintainers)

Top GitHub Comments

2reactions

nsdev0commented, May 23, 2019

@ottomatic RequestUri.Authority already contains port number. А non-correct address will be generated because of it, like http://localhost:19292:19292/swagger/docs/v1

1reaction

daffodilisticcommented, Oct 13, 2022

Hi, @ottomatic thanks for the code snippet! It didn’t really work with my configuration, however (ASP.NET MVC app on IIS behind a Caddy reverse proxy). Basically the changes were to use the host portion of the URI instead of authority, and specifying default ports if X-Forwarded-Port is not defined. Here’s the modified code:

static string ComputeHostAsSeenByOriginalClient(HttpRequestMessage req)
{
    var host = req.RequestUri.Host;
    var scheme = req.RequestUri.Scheme;
    var port = req.RequestUri.Port;

    if (req.Headers.Contains("X-Forwarded-Host"))
    {
        // we are behind a reverse proxy, use the host that was used by the client
        var xForwardedHost = req.Headers.GetValues("X-Forwarded-Host").First();

        /*
         When multiple apache httpd are chained, each proxy append to the header
          with a comma (see //https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers).
          so we need to take only the first host because it is the host that was
          requested by the original client.
          note that other reverse proxies may behave differently but
         we are not taking care of them...
         */
        var firstForwardedHost = xForwardedHost.Split(',')[0];

        host = firstForwardedHost;
    }

    if (req.Headers.Contains("X-Forwarded-Proto"))
    {
        /*
         now that we have the host, we also need to determine the protocol used by the
         original client.
         if present, we are using the de facto standard header X-Forwarded-Proto
         otherwise, we fallback to http
         note that this is extremely brittle, either because the first proxy
         can "forget" to set the header or because another proxy can rewrite it...
        */
        var xForwardedProto = req.Headers.GetValues("X-Forwarded-Proto").First();
        if (xForwardedProto.IndexOf(",") != -1)
        {
            // >hen multiple apache, X-Forwarded-Proto is also multiple ...
            xForwardedProto = xForwardedProto.Split(',')[0];
        }

        scheme = xForwardedProto;
    }

    if (req.Headers.Contains("X-Forwarded-Port"))
    {
        var xForwardedPort = req.Headers.GetValues("X-Forwarded-Port").First();
        if (xForwardedPort.IndexOf(",") != -1)
        {
            // When multiple apache, X-Forwarded-Proto is also multiple ...
            xForwardedPort = xForwardedPort.Split(',')[0];
        }

        int.TryParse(xForwardedPort, out port);
    }
    else
    {
        // If port is missing, set port to defaults
        if (("http".Equals(scheme, StringComparison.InvariantCultureIgnoreCase))) port = 80;
        if (("https".Equals(scheme, StringComparison.InvariantCultureIgnoreCase))) port = 443;
    }

    // If we have standard scheme + port, leave out the port in the resulting Url.
    if (("http".Equals(scheme, StringComparison.InvariantCultureIgnoreCase) && port == 80)
        || ("https".Equals(scheme, StringComparison.InvariantCultureIgnoreCase) && port == 443))
    {
        return scheme + "://" + host;
    }

    return scheme + "://" + host + ":" + port.ToString();
}