ccm,ocm: strip reverse proxy headers before forwarding to upstream

2026-04-13 20:28:32 +10:00 · 2026-03-13 04:54:11 +08:00
parent 8d852bba9b
commit 283a5aacee
7 changed files with 31 additions and 5 deletions
--- a/service/ccm/credential_external.go
+++ b/service/ccm/credential_external.go
@@ -236,7 +236,7 @@ func (c *externalCredential) buildProxyRequest(ctx context.Context, original *ht
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ccm/credential_state.go
+++ b/service/ccm/credential_state.go
@@ -674,7 +674,7 @@ func (c *defaultCredential) buildProxyRequest(ctx context.Context, original *htt
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ccm/service.go
+++ b/service/ccm/service.go
@@ -128,6 +128,19 @@ func isHopByHopHeader(header string) bool {
 	}
 }

+func isReverseProxyHeader(header string) bool {
+	lowerHeader := strings.ToLower(header)
+	if strings.HasPrefix(lowerHeader, "cf-") {
+		return true
+	}
+	switch lowerHeader {
+	case "cdn-loop", "true-client-ip", "x-forwarded-for", "x-forwarded-proto", "x-real-ip":
+		return true
+	default:
+		return false
+	}
+}
+
 const (
 	weeklyWindowSeconds = 604800
 	weeklyWindowMinutes = weeklyWindowSeconds / 60
--- a/service/ocm/credential_external.go
+++ b/service/ocm/credential_external.go
@@ -241,7 +241,7 @@ func (c *externalCredential) buildProxyRequest(ctx context.Context, original *ht
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ocm/credential_state.go
+++ b/service/ocm/credential_state.go
@@ -736,7 +736,7 @@ func (c *defaultCredential) buildProxyRequest(ctx context.Context, original *htt
 	}

 	for key, values := range original.Header {
-		if !isHopByHopHeader(key) && key != "Authorization" {
+		if !isHopByHopHeader(key) && !isReverseProxyHeader(key) && key != "Authorization" {
 			proxyRequest.Header[key] = values
 		}
 	}
--- a/service/ocm/service.go
+++ b/service/ocm/service.go
@@ -136,6 +136,19 @@ func isHopByHopHeader(header string) bool {
 	}
 }

+func isReverseProxyHeader(header string) bool {
+	lowerHeader := strings.ToLower(header)
+	if strings.HasPrefix(lowerHeader, "cf-") {
+		return true
+	}
+	switch lowerHeader {
+	case "cdn-loop", "true-client-ip", "x-forwarded-for", "x-forwarded-proto", "x-real-ip":
+		return true
+	default:
+		return false
+	}
+}
+
 func normalizeRateLimitIdentifier(limitIdentifier string) string {
 	trimmedIdentifier := strings.TrimSpace(strings.ToLower(limitIdentifier))
 	if trimmedIdentifier == "" {
--- a/service/ocm/service_websocket.go
+++ b/service/ocm/service_websocket.go
@@ -65,7 +65,7 @@ func isForwardableResponseHeader(key string) bool {
 }

 func isForwardableWebSocketRequestHeader(key string) bool {
-	if isHopByHopHeader(key) {
+	if isHopByHopHeader(key) || isReverseProxyHeader(key) {
 		return false
 	}