What is the difference between the following headers?
In a setup with Apache being the proxy and Tomcat the origin server I see both of them in the HTTP requests that reach Tomcat. Values were (this is from my own code logging the header name and value pairs with the actual capitalization I encountered)
x-forwarded-host some-server
x-forwarded-server some-server.dept.some-uni.edu
Are the above values typical? Which of the two should I use to reliably reconstruct the URL asked by the browser? In my case, the browser sent a GET with the some-server.dept.some-uni.edu value in the request URL which leads me to think that the x-forwarded-server is more relevant to reconstruct the URL. I find this somewhat at odds with the MDN documentation only mentioning X-Forwarded-Host and stating that this is the "de-facto standard header for identifying the original host requested by the client" (and containing no documentation on X-Forwarded-Server).
This Apache page OTOH describes both headers as follows:
(I appreciate that to reconstruct the URL I also need X-Forwarded-Proto and X-Forwarded-Port)
The X-Forwarded-Host (XFH) header is a de-facto standard header for identifying the original host requested by the client in the Host HTTP request header.
Definition of Nginx X-Forwarded-For: the X-Forwarded-For header is the de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.
If any trusted reverse proxies are between the client and server, the final X-Forwarded-For IP addresses (one for each trusted proxy) are trustworthy, as they were added by trusted proxies. (That's true as long as the server is only accessible through those proxies and not also directly).
X-original-host header contains the original host header with which the request arrived. This header is useful in Azure website integration, where the incoming host header is modified before traffic is routed to the backend. If session affinity is enabled as an option, then it adds a gateway-managed affinity cookie.
Since there might be multiple proxies involved in resolving a connection, the X-Forwarded-Host header is the one you should use in the service-application.
The header X-Forwarded-Server gets overwritten by each proxy, which is involved in the communication, with the current proxy's hostname.
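A way to put the points above together when rebuilding the browser's URL at the origin, as an added example that is not part of the original question or answer: forwarded headers are honoured only when the connection comes from a trusted proxy, only the entries appended by trusted proxies are read, the host is checked against an allowlist, and X-Forwarded-Server is ignored. The proxy network, host allowlist, hop count, function names and sample request are constructed assumptions, and the code assumes each trusted proxy appends its value to a comma-separated list.

```python
import ipaddress

# Constructed deployment values (assumptions, not taken from the page).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
ALLOWED_HOSTS = {"app.example.org"}
TRUSTED_HOPS = 1  # trusted proxies between client and origin


def nth_from_right(value, n):
    """n-th comma-separated entry counted from the right, or None."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return parts[-n] if len(parts) >= n else None


def reconstruct_url(peer_ip, headers, path, direct_host, direct_scheme="http"):
    """Rebuild the URL the browser requested; raise ValueError if untrusted."""
    h = {k.lower(): v for k, v in headers.items()}
    host, scheme, port = direct_host, direct_scheme, None
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_PROXIES):
        # Believe only the entries our own proxies appended; anything further
        # left may have been supplied by the client.
        host = nth_from_right(h.get("x-forwarded-host", ""), TRUSTED_HOPS) or host
        scheme = nth_from_right(h.get("x-forwarded-proto", ""), TRUSTED_HOPS) or scheme
        port = nth_from_right(h.get("x-forwarded-port", ""), TRUSTED_HOPS)
        # X-Forwarded-Server is ignored on purpose: it names the proxy.
    host, _, host_port = host.lower().partition(":")
    port = port or host_port or None
    scheme = scheme.lower()
    if scheme not in ("http", "https") or host not in ALLOWED_HOSTS:
        raise ValueError("rejected scheme/host: %r %r" % (scheme, host))
    if port is not None and not port.isdigit():
        raise ValueError("rejected port: %r" % port)
    default = "443" if scheme == "https" else "80"
    netloc = host if port in (None, default) else "%s:%s" % (host, port)
    return "%s://%s%s" % (scheme, netloc, path)


# Constructed sample request: the client prepended its own X-Forwarded-Host.
SAMPLE = {
    "X-Forwarded-Host": "spoofed.invalid, app.example.org",
    "X-Forwarded-Server": "proxy01.internal",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    print(reconstruct_url("10.0.0.5", SAMPLE, "/app/index", "tomcat:8080"))
```

A request that reaches the origin directly, bypassing the proxy, falls back to the connection's own Host and scheme, which is why the allowlist check runs in both cases.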