Forum: Ruby on Rails rails behind multiple proxies

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Guy Tinat (Guest)
on 2006-01-07 22:55
(Received via mailing list)
I submitted a patch to fix a problem I have experienced when multiple
proxies are in between the rails process and the browser.

http://dev.rubyonrails.org/ticket/3397

This problem has come up because I have a few rails application on an
intranet where I have to use proxies to provide access to some
clients. I have done little work with this sort of thing before so I
was hoping to get more input from someone on this list.

When multiple proxies have serviced a request the
HTTP_X_FORWARDED_HOST environment variable is created and looks like
this:

HTTP_X_FORWARDED_HOST = "www.firsthost.org, www.secondhost.org"

In this case the browser requested a url from www.firsthost.org, which
then forwarded this request to www.secondhost.org which then forwarded
this to the rails application (perhaps hosted via webrick or
lighttpd).

When ActionController::redirect_to is called in this scenario an error
occurs because it attempts to redirect to "http://www.firsthost.org,
www.secondhost.org/whatever/url" which is invalid. This happens
because when the hostname is requested by redirect_to it receives back
the whole HTTP_X_FORWARDED_HOST balue. If the browser had requested
the url directly from www.secondhost.org HTTP_X_FORWARDED_HOST would
equal "www.secondhost.org"  and this error does not occur.

The patch returns only the first host name if there is a comma
delimited chain.  In the example above this results redirects now go
to "http://www.firsthost.org/whatever/url", and this works in my
setup. Now I am now wondering if I should have made it redirect to the
last hostname in the HTTP_X_FORWARDED_HOST instead. In some setups url
rewriting may be done on www.firsthost.org and it may not be expecting
urls to be redirected with its own host name.

In my environment I am using Apache's "ProxyPass" and
"ProxyPassReverse".

I am pretty sure now that I should return the last host in the chain,
but I would appreciate some feed back from anyone who may have
experience with this.

Thank you - Gaetano
This topic is locked and can not be replied to.