You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When generating redirects (like Response.seeOther()), behind a reverse proxy, UriInfo.getBaseURI() will generate incorrect URLs and fail unless proxy support is configured with quarkus.http.proxy.proxy-address-forwarding=true and quarkus.http.proxy.enable-forwarded-host=true.
So, unless developers know this beforehand, applications will break when being moved from "unproxied" to "proxied", such as moving "dev" to "prod", with only a with a malformed url exception.
It would be more reliable to always use proxy headers when present, or unless configured otherwise.
Implementation ideas
No response
The text was updated successfully, but these errors were encountered:
@faermanj Hi, but the reason users have to allow accepting forwarding headers is because they have to accept the security implications. Users are expected to know the prod requirements related to proxying.
IMHO, Quarkus doing it automatically is not safe, and it will effectively make the existing forwarded headers control irrelevant.
Description
When generating redirects (like
Response.seeOther()
), behind a reverse proxy,UriInfo.getBaseURI()
will generate incorrect URLs and fail unless proxy support is configured withquarkus.http.proxy.proxy-address-forwarding=true
andquarkus.http.proxy.enable-forwarded-host=true
.So, unless developers know this beforehand, applications will break when being moved from "unproxied" to "proxied", such as moving "dev" to "prod", with only a with a malformed url exception.
It would be more reliable to always use proxy headers when present, or unless configured otherwise.
Implementation ideas
No response
The text was updated successfully, but these errors were encountered: