X-Forwarded-Proto / X_FORWARDED_PROTO

Eric Wong normalperson at yhbt.net
Sun Jan 10 01:12:09 EST 2010


Iñaki Baz Castillo <ibc at aliax.net> wrote:
> El Domingo, 10 de Enero de 2010, skaar escribió:
> > > The Rack (and CGI) specs require that '-' be replaced with '_' for
> > > HTTP header names, so Unicorn is doing the correct thing and treating
> > > it as the same header.
> > 
> > but should it aggregate the values?
> 
> Hi, review my other response in this thread.
> 
> This is undefined. Some headers do allow multiple values separated by comma in 
> the same header with the same meaning as varios headers with same name and 
> single values. But this depends on each header specification.

>From reading rfc 2616, section 4.2 that all multi-value headers can be
combined with commas without changing semantics of the message[1].
There's also no other way (e.g. with an Array) to represent them for
Rack...

[1] In the Real-World(TM), this is not true for Set-Cookie headers in
    HTTP responses.

> In your case it seems valid for me (just an opinnion) as 
> "HTTP_X_FORWARDED_PROTO: http,https" could mean that the request has been sent 
> using HTTPS and an intermediary proxy has forwarded it using HTTP. Of course 
> the final destination (Unicorn application) must be ready to support such 
> syntax.

Is it safe to say that if there's an "https" *anywhere* in the
X-Forwarded-Proto chain, that "rack.url_scheme" should be set to
"https"?   Because I suppose most of the time there's only one
(client-facing) proxy using https.

-- 
Eric Wong


More information about the mongrel-unicorn mailing list