X-Forwarded-Proto / X_FORWARDED_PROTO

Iñaki Baz Castillo ibc at aliax.net
Sat Jan 9 17:33:41 EST 2010

On Saturday, 9 January 2010, skaar wrote:
> Eric,
> think I came across an issue with the parser in unicorn, with a request
> (due to 2 layers of nginx proxying) coming across with both a
> X_FORWARDED_PROTO and a X-Forwarded-Proto header. From the socket (in
> HttpRequest) - we get:
>   X-Forwarded-Proto: https
> which is parsed to
>   HTTP_X_FORWARDED_PROTO"=>"http,https
> There was a passenger ticket that describes that from nginx's point of
> view - X-Forwarded-Proto is the "correct" form.

Rack specs require "-" being converted to "_" in header names, so both header 
X_FORWARDED_PROTO and X-Forwarded-Proto become the same header.

Then we have two headers with the same name and different values. Some headers are 
defined as "multivalue" which means that they would have the same meaning if 
a unique header exists containing both values separated by comma (the top one 
first). So:

  X-Forwarded-Proto: https

is equivalent to:

  X_FORWARDED_PROTO: http, https

However it's not true that *any* header behaves in this way, but just headers 
defined in such way (by the standards). For example two "Authorization" 
headers cannot be joined in a single header.

So it's not totally safe to assume that any header appearing various times 
could be a single header with their values separated by comma, however I think 
it's a good approach.

More correct would be that Unicorn parses unknown headers appearing more than 
one time by setting an Array as value:

  X_FORWARDED_PROTO: ["http", "https"]

Unfortunately this is not allowed in Rack specifications.

Iñaki Baz Castillo <ibc at aliax.net>
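
The collision discussed in this thread, as an added Ruby example that is not part of the original post and is not Unicorn's or Rack's own code. The helper names (`rack_key`, `build_env`, `forwarded_proto`) are hypothetical, the sample headers are constructed, and returning `nil` when hops disagree is one policy choice assumed here rather than anything the thread prescribes.

```ruby
# Added example; helper names are hypothetical, not Unicorn or Rack API.

# CGI/Rack-style key: upcase, "-" becomes "_", prefixed with HTTP_.
def rack_key(name)
  "HTTP_" + name.upcase.tr("-", "_")
end

# Build an env hash from raw [name, value] pairs in wire order. Repeated
# keys are joined with a comma (top one first). Also returns the keys
# that were reached through more than one raw spelling.
def build_env(raw_headers)
  env = {}
  spellings = Hash.new { |h, k| h[k] = [] }
  raw_headers.each do |name, value|
    key = rack_key(name)
    spellings[key] << name unless spellings[key].include?(name)
    env[key] = env.key?(key) ? "#{env[key]},#{value}" : value.dup
  end
  collisions = spellings.select { |_, names| names.size > 1 }
  [env, collisions]
end

# Assumed policy: return the scheme only when every listed value agrees;
# return nil for a missing or mixed value so the caller has to decide
# instead of silently trusting one of the hops.
def forwarded_proto(env)
  values = env.fetch("HTTP_X_FORWARDED_PROTO", "")
              .split(",").map { |v| v.strip.downcase }.uniq
  values.size == 1 ? values.first : nil
end

# Constructed sample: the two spellings from the thread, top one first.
SAMPLE = [
  ["X_FORWARDED_PROTO", "http"],
  ["X-Forwarded-Proto", "https"],
  ["Host", "example.test"],
].freeze

env, collisions = build_env(SAMPLE)
puts env["HTTP_X_FORWARDED_PROTO"]   # joined value the application sees
p collisions                         # raw spellings that mapped to one key
p forwarded_proto(env)               # nil: the hops disagree
```

Logging the `collisions` hash at the application boundary shows when a proxy layer is passing through an underscore spelling that should have been stripped or overwritten upstream.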
