Skip to content

support ForwardedHeaders configuration #61419

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

support ForwardedHeaders configuration #61419

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
b476d21
feat: support ForwardedHeaders configuration
Apr 10, 2025
dd0e40d
feat: add config support for KnownNetworks and KnownProxies
WeihanLi Jun 25, 2025
fd98a33
fix: fix support for KnownProxies
WeihanLi Jun 25, 2025
458941b
fix: specific IPAddress namespace
WeihanLi Jun 25, 2025
ba906e8
Merge branch 'dotnet:main' into support-forwarded-headers-configuration
WeihanLi Jul 25, 2025
7c48640
feat: update forwarded headers options setup to use IPNetwork
WeihanLi Jul 25, 2025
bd763e9
Update ForwardedHeadersOptionsSetup.cs
WeihanLi Jul 25, 2025
1946c55
Update ForwardedHeadersOptionsSetup.cs
WeihanLi Jul 25, 2025
5a40ff6
test: add test case for forwarded headers/networks/proxies
WeihanLi Jul 26, 2025
8ddff3d
test: update test case
WeihanLi Jul 26, 2025
5812829
test: Update WebHostTests IPAddress test
WeihanLi Jul 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 36 additions & 1 deletion src/DefaultBuilder/src/ForwardedHeadersOptionsSetup.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,48 @@ public void Configure(ForwardedHeadersOptions options)
return;
}

options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
var forwardedHeaders = _configuration["ForwardedHeaders_Headers"];
if (string.IsNullOrEmpty(forwardedHeaders))
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
}
else
{
var headers = ForwardedHeaders.None;
foreach (var headerName in forwardedHeaders.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
{
if (Enum.TryParse<ForwardedHeaders>(headerName, true, out var headerValue))
{
headers |= headerValue;
}
}
options.ForwardedHeaders = headers;
}

// Only loopback proxies are allowed by default. Clear that restriction because forwarders are
// being enabled by explicit configuration.
#pragma warning disable ASPDEPR005 // KnownNetworks is obsolete
options.KnownNetworks.Clear();
#pragma warning restore ASPDEPR005 // KnownNetworks is obsolete
options.KnownIPNetworks.Clear();
options.KnownProxies.Clear();

var knownNetworks = _configuration["ForwardedHeaders_KnownIPNetworks"]?.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries) ?? [];
foreach (var network in knownNetworks)
{
if (System.Net.IPNetwork.TryParse(network, out var ipNetwork))
{
options.KnownIPNetworks.Add(ipNetwork);
}
}

var knownProxies = _configuration["ForwardedHeaders_KnownProxies"]?.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries) ?? [];
foreach (var proxy in knownProxies)
{
if (System.Net.IPAddress.TryParse(proxy, out var ipAddress))
{
options.KnownProxies.Add(ipAddress);
}
}
}
}
78 changes: 77 additions & 1 deletion src/DefaultBuilder/test/Microsoft.AspNetCore.Tests/WebHostTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,11 @@
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HostFiltering;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.InternalTesting;
using Microsoft.AspNetCore.Routing;
using Microsoft.AspNetCore.Routing.Constraints;
using Microsoft.AspNetCore.TestHost;
using Microsoft.AspNetCore.InternalTesting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
Expand Down Expand Up @@ -83,6 +84,81 @@ public async Task WebHostConfiguration_EnablesForwardedHeadersFromConfig()
result.EnsureSuccessStatusCode();
}

[Fact]
public async Task WebHostConfiguration_EnablesForwardedHeaders_CustomHeaders_FromConfig()
{
using var host = WebHost.CreateDefaultBuilder()
.ConfigureAppConfiguration(configBuilder =>
{
configBuilder.AddInMemoryCollection(new[]
{
new KeyValuePair<string, string>("FORWARDEDHEADERS_ENABLED", "true" ),
new KeyValuePair<string, string>("FORWARDEDHEADERS_HEADERS", "All" ),
});
})
.UseTestServer()
.Configure(app =>
{
Assert.True(app.Properties.ContainsKey("ForwardedHeadersAdded"), "Forwarded Headers");
app.Run(context =>
{
Assert.Equal("https", context.Request.Scheme);
Assert.Equal("/test", context.Request.PathBase.Value);
return Task.CompletedTask;
});
}).Build();

await host.StartAsync();
var client = host.GetTestClient();
client.DefaultRequestHeaders.Add("x-forwarded-proto", "https");
client.DefaultRequestHeaders.Add("x-forwarded-prefix", "/test");
var result = await client.GetAsync("http://localhost/");
result.EnsureSuccessStatusCode();
}

[Fact]
public async Task WebHostConfiguration_EnablesForwardedHeaders_CustomConfig()
{
using var host = WebHost.CreateDefaultBuilder()
.ConfigureAppConfiguration(configBuilder =>
{
configBuilder.AddInMemoryCollection(new[]
{
new KeyValuePair<string, string>("FORWARDEDHEADERS_ENABLED", "true" ),
new KeyValuePair<string, string>("FORWARDEDHEADERS_HEADERS", "XForwardedHost,XForwardedProto,XForwardedFor123" ),
new KeyValuePair<string, string>("ForwardedHeaders_KnownIPNetworks", "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"),
new KeyValuePair<string, string>("ForwardedHeaders_KnownProxies", "127.0.0.1")
});
})
.UseTestServer()
.Configure(app =>
{
Assert.True(app.Properties.ContainsKey("ForwardedHeadersAdded"), "Forwarded Headers");
app.Run(context =>
{
Assert.Equal("https", context.Request.Scheme);
return Task.CompletedTask;
});
})
.Build();
await host.StartAsync();
var client = host.GetTestClient();
client.DefaultRequestHeaders.Add("x-forwarded-proto", "https");
var result = await client.GetAsync("http://localhost/");
result.EnsureSuccessStatusCode();

var forwardedHeadersOptions = host.Services.GetRequiredService<IOptions<ForwardedHeadersOptions>>().Value;
Assert.NotNull(forwardedHeadersOptions);
Assert.Equal(
ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto,
forwardedHeadersOptions.ForwardedHeaders
);
Assert.NotEmpty(forwardedHeadersOptions.KnownIPNetworks);
Assert.Contains(forwardedHeadersOptions.KnownIPNetworks, network => network.Contains(System.Net.IPAddress.Parse("192.168.0.123")));
Assert.NotEmpty(forwardedHeadersOptions.KnownProxies);
Assert.Contains(forwardedHeadersOptions.KnownProxies, System.Net.IPAddress.IsLoopback);
}

[Fact]
public void CreateDefaultBuilder_RegistersRouting()
{
Expand Down
Loading