Mailing List Archive

Source: http://varnish.projects.linpro.no/changeset/1121

It appears it's missing a condition where varnish need to rewrite/append
to the x-forwarded-for header if it already exists in the incoming http
request instead of outputting a new/duplicate header.

This can happen when varnish is behind HTTP based load balancer or proxy.

Xing

In message <451819FA.1060802 at litespeedtech.com>, "xing at litespeedtech.com" write
s:
>Source: http://varnish.projects.linpro.no/changeset/1121
>
>It appears it's missing a condition where varnish need to rewrite/append
>to the x-forwarded-for header if it already exists in the incoming http
>request instead of outputting a new/duplicate header.

According to RFC2616 multiple headers append, they don't replace
each other.

So:
X-Forewarded-for: 10.0.0.2, 10.0.0.3
and
X-Forewarded-for: 10.0.0.2
X-Forewarded-for: 10.0.0.3

should have the same semantic meaning.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

In message <451819FA.1060802 at litespeedtech.com>, "xing at litespeedtech.com" write
s:
>Source: http://varnish.projects.linpro.no/changeset/1121
>
>It appears it's missing a condition where varnish need to rewrite/append
>to the x-forwarded-for header if it already exists in the incoming http
>request instead of outputting a new/duplicate header.

According to RFC2616 multiple headers append, they don't replace
each other.

So:
X-Forewarded-for: 10.0.0.2, 10.0.0.3
and
X-Forewarded-for: 10.0.0.2
X-Forewarded-for: 10.0.0.3

should have the same semantic meaning.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

Did a google search right after the email and realized my mistake. They
are equivalent.

RFC 2616, section 4.2:

Multiple message-header fields with the same field-name MAY be
present in a message if and only if the entire field-value for that
header field is defined as a comma-separated list [i.e., #(values)].
It MUST be possible to combine the multiple header fields into one
"field-name: field-value" pair, without changing the semantics of the
message, by appending each subsequent field-value to the first, each
separated by a comma. The order in which header fields with the same
field-name are received is therefore significant to the interpretation
of the combined field value, and thus a proxy MUST NOT change the
order of these field values when a message is forwarded.

Xing


Poul-Henning Kamp wrote:
> In message <451819FA.1060802 at litespeedtech.com>, "xing at litespeedtech.com" write
> s:
>> Source: http://varnish.projects.linpro.no/changeset/1121
>>
>> It appears it's missing a condition where varnish need to rewrite/append
>> to the x-forwarded-for header if it already exists in the incoming http
>> request instead of outputting a new/duplicate header.
>
> According to RFC2616 multiple headers append, they don't replace
> each other.
>
> So:
> X-Forewarded-for: 10.0.0.2, 10.0.0.3
> and
> X-Forewarded-for: 10.0.0.2
> X-Forewarded-for: 10.0.0.3
>
> should have the same semantic meaning.
>

Did a google search right after the email and realized my mistake. They
are equivalent.

RFC 2616, section 4.2:

Multiple message-header fields with the same field-name MAY be
present in a message if and only if the entire field-value for that
header field is defined as a comma-separated list [i.e., #(values)].
It MUST be possible to combine the multiple header fields into one
"field-name: field-value" pair, without changing the semantics of the
message, by appending each subsequent field-value to the first, each
separated by a comma. The order in which header fields with the same
field-name are received is therefore significant to the interpretation
of the combined field value, and thus a proxy MUST NOT change the
order of these field values when a message is forwarded.

Xing


Poul-Henning Kamp wrote:
> In message <451819FA.1060802 at litespeedtech.com>, "xing at litespeedtech.com" write
> s:
>> Source: http://varnish.projects.linpro.no/changeset/1121
>>
>> It appears it's missing a condition where varnish need to rewrite/append
>> to the x-forwarded-for header if it already exists in the incoming http
>> request instead of outputting a new/duplicate header.
>
> According to RFC2616 multiple headers append, they don't replace
> each other.
>
> So:
> X-Forewarded-for: 10.0.0.2, 10.0.0.3
> and
> X-Forewarded-for: 10.0.0.2
> X-Forewarded-for: 10.0.0.3
>
> should have the same semantic meaning.
>

In message <45181BC8.9020504 at litespeedtech.com>, "xing at litespeedtech.com" write
s:

>Did a google search right after the email and realized my mistake. They
>are equivalent.

One of the possible features for Varnish that has been talked about
is a header-scrubber facility, combining multi-instance headers would
be one obvious part of that task.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

In message <45181BC8.9020504 at litespeedtech.com>, "xing at litespeedtech.com" write
s:

>Did a google search right after the email and realized my mistake. They
>are equivalent.

One of the possible features for Varnish that has been talked about
is a header-scrubber facility, combining multi-instance headers would
be one obvious part of that task.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.