"X-Forwarded-Host" cannot be overwritten, causing CSRF errors

[uedvt359]

For HTTPS apps, Teleport automatically adds "X-Forwarded-Host" (among others) containing e.g "myapp.teleport.example.org". This causes a mismatch between "Host" (being e.g. "myapp.example.org") and XFH. If these don't match, Django 1.9 and above raise a CSRF error. (c.f this stackoverflow answer or this django ticket)

I attempted to add a Header rewrite rule to my app's yaml config, but this seems to be ignored. I even found a test case specifically checking that this header cannot be modified.

spec:
  rewrite:
    headers:
    - name: Host     # can be overwritten just fine
      value: myapp.example.com
    - name: Origin     # can be overwritten just fine
      value: https://myapp.example.com
    - name: Referer     # can be overwritten just fine
      value: https://myapp.example.com
    - name: X-Forwarded-Host     # can NOT be overwritten!
      value: myapp.example.com

Other than placing another reverse proxy (eg. nginx) between teleport and myapp, can I somehow make Teleport not add this header to proxied requests?

[webvictim]

No, unfortunately not. You may be better off relaxing the CSRF restrictions in Django.

[uedvt359]

the app is not under my control sadly. i'm working around it with nginx for now. thanks for the quick response!