diff --git a/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java b/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java
index bf79bd61e720..2e4a38fd4277 100644
--- a/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java
+++ b/jetty-server/src/main/java/org/eclipse/jetty/server/ForwardedRequestCustomizer.java
@@ -598,16 +598,18 @@ public void handleSslSessionId(HttpField field)
 @SuppressWarnings("unused")
 public void handleHost(HttpField field)
 {
+ HostPort hostField = new HostPort(getLeftMost(field.getValue()));
+
 if (getForwardedPortAsAuthority() && !StringUtil.isEmpty(getForwardedPortHeader()))
 {
 if (_host == null)
- _host = new PossiblyPartialHostPort(getLeftMost(field.getValue()));
+ _host = new PossiblyPartialHostPort(hostField.getHost(), hostField.getPort());
 else if (_host instanceof PortSetHostPort)
- _host = new HostPort(HostPort.normalizeHost(getLeftMost(field.getValue())), _host.getPort());
+ _host = new HostPort(hostField.getHost(), hostField.getPort() > 0 ? hostField.getPort() : _host.getPort());
 }
 else if (_host == null)
 {
- _host = new HostPort(getLeftMost(field.getValue()));
+ _host = hostField;
 }
 }
diff --git a/jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java b/jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java
index 6c477eb10ac1..63c0d42ead55 100644
--- a/jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java
+++ b/jetty-server/src/test/java/org/eclipse/jetty/server/ForwardedRequestCustomizerTest.java
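Review bot: In `handleHost`, the `PortSetHostPort` branch now lets a port embedded in X-Forwarded-Host override the one already taken from X-Forwarded-Port (`hostField.getPort() > 0 ? hostField.getPort() : _host.getPort()`), and nothing in the method records that precedence. This matters where a proxy overwrites X-Forwarded-Port but passes X-Forwarded-Host through from the client, because the client-supplied value then decides the server port and request URL the application sees. I would add a comment above that line such as `// A port carried in X-Forwarded-Host takes precedence over X-Forwarded-Port; both headers must be set or stripped by a trusted proxy.` Separately, `new HostPort(...)` now runs at the top of the method even when `_host` is already set and the result is discarded, so a malformed X-Forwarded-Host that was previously ignored in that case is now parsed. If `HostPort` rejects bad input by throwing (its constructor is not visible here), consider parsing only inside the branches that use the result.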
@@ -497,7 +497,67 @@ public static Stream cases()
 .requestURL("http://fw.example.com:4333/")
 .remoteAddr("8.5.4.3").remotePort(2222)
 ),
-
+ Arguments.of(new Request("X-Forwarded-* (Multiple Ports)")
+ .headers(
+ "GET / HTTP/1.1",
+ "Host: myhost:10001",
+ "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+ "X-Forwarded-Port: 10002",
+ "X-Forwarded-Proto: https",
+ "X-Forwarded-Host: sub1.example.com:10003",
+ "X-Forwarded-Server: sub2.example.com"
+ ),
+ new Expectations()
+ .scheme("https").serverName("sub1.example.com").serverPort(10003)
+ .requestURL("https://sub1.example.com:10003/")
+ .remoteAddr("127.0.0.1").remotePort(8888)
+ ),
+ Arguments.of(new Request("X-Forwarded-* (Multiple Ports - Server First)")
+ .headers(
+ "GET / HTTP/1.1",
+ "X-Forwarded-Server: sub2.example.com:10007",
+ "Host: myhost:10001",
+ "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+ "X-Forwarded-Proto: https",
+ "X-Forwarded-Port: 10002",
+ "X-Forwarded-Host: sub1.example.com:10003"
+ ),
+ new Expectations()
+ .scheme("https").serverName("sub1.example.com").serverPort(10003)
+ .requestURL("https://sub1.example.com:10003/")
+ .remoteAddr("127.0.0.1").remotePort(8888)
+ ),
+ Arguments.of(new Request("X-Forwarded-* (Multiple Ports - setForwardedPortAsAuthority = false)")
+ .configureCustomizer((customizer) -> customizer.setForwardedPortAsAuthority(false))
+ .headers(
+ "GET / HTTP/1.1",
+ "Host: myhost:10001",
+ "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+ "X-Forwarded-Port: 10002",
+ "X-Forwarded-Proto: https",
+ "X-Forwarded-Host: sub1.example.com:10003",
+ "X-Forwarded-Server: sub2.example.com"
+ ),
+ new Expectations()
+ .scheme("https").serverName("sub1.example.com").serverPort(10003)
+ .requestURL("https://sub1.example.com:10003/")
+ .remoteAddr("127.0.0.1").remotePort(8888)
+ ),
+ Arguments.of(new Request("X-Forwarded-* (Multiple Ports Alt Order)")
+ .headers(
+ "GET / HTTP/1.1",
+ "Host: myhost:10001",
+ "X-Forwarded-For: 127.0.0.1:8888,127.0.0.2:9999",
+ "X-Forwarded-Proto: https",
+ "X-Forwarded-Host: sub1.example.com:10003",
+ "X-Forwarded-Port: 10002",
+ "X-Forwarded-Server: sub2.example.com"
+ ),
+ new Expectations()
+ .scheme("https").serverName("sub1.example.com").serverPort(10003)
+ .requestURL("https://sub1.example.com:10003/")
+ .remoteAddr("127.0.0.1").remotePort(8888)
+ ),
 // =================================================================
 // Mixed Behavior
 Arguments.of(new Request("RFC7239 mixed with X-Forwarded-* headers")
@@ -585,7 +645,6 @@ public static Stream cases()
 @ParameterizedTest(name = "{0}")
 @MethodSource("cases")
- @SuppressWarnings("unused")
 public void testDefaultBehavior(Request request, Expectations expectations) throws Exception
 {
 request.configure(customizer);
@@ -601,7 +660,6 @@ public void testDefaultBehavior(Request request, Expectations expectations) thro
 @ParameterizedTest(name = "{0}")
 @MethodSource("cases")
- @SuppressWarnings("unused")
 public void testConfiguredBehavior(Request request, Expectations expectations) throws Exception
 {
 request.configure(customizerConfigured);
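Review bot: The four `cases()` entries added in the first hunk all send a well-formed `sub1.example.com:10003` and all expect port 10003, so they pin only the path where the port in X-Forwarded-Host wins. Two paths are not exercised by these additions: the fallback where X-Forwarded-Host has no port and the X-Forwarded-Port value must be kept, and a malformed or out-of-range port in X-Forwarded-Host. `cases()` starts and ends outside the hunk, so both may already be covered elsewhere. If they are not, I would add one case pairing `"X-Forwarded-Host: sub1.example.com"` with `"X-Forwarded-Port: 10002"` and expecting `serverPort(10002)`, and one with an unparsable port that asserts how the request is rejected. A short comment above the new block, e.g. `// Port in X-Forwarded-Host takes precedence over X-Forwarded-Port, regardless of header order`, would say why these cases exist.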