[SRE-4642] Add original-x-forwarded header handling

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 1.27.1-1
+
+* Allow `X-Original-Forwaded-*` headers to take priority when setting `X-Forwarded-*` headers.
+
 ## 1.27.1
 
 * Update base image to `zappi/nginx:1.27.1`.

config/http.conf

@@ -28,6 +28,13 @@ http {
     ''      $host;
   }
 
+  # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+  # server port the client connected to
+  map $http_x_forwarded_port $proxy_x_forwarded_port {
+    default $http_x_forwarded_port;
+    ''      $server_port;
+  }
+
   # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
   # scheme used to connect to this server
   map $http_x_forwarded_proto $proxy_x_forwarded_proto {
@@ -42,11 +49,32 @@ http {
     https   on;
   }
 
-  # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
-  # server port the client connected to
-  map $http_x_forwarded_port $proxy_x_forwarded_port {
-    default $http_x_forwarded_port;
-    ''      $server_port;
+  # If we receive X-Original-Forwarded-Host, use it; otherwise, use
+  # the value of X-Forwarded-Host
+  map $http_x_original_forwarded_host $proxy_x_forwarded_host_final {
+    default $http_x_original_forwarded_host;
+    '' $proxy_x_forwarded_host;
+  }
+
+  # If we receive X-Original-Forwarded-Port, use it; otherwise, use
+  # the value of X-Forwarded-Port
+  map $http_x_original_forwarded_port $proxy_x_forwarded_port_final {
+    default $http_x_original_forwarded_port;
+    '' $proxy_x_forwarded_port;
+  }
+
+  # If we receive X-Original-Forwarded-Proto, use it; otherwise, use
+  # the value of X-Forwarded-Proto
+  map $http_x_original_forwarded_proto $proxy_x_forwarded_proto_final {
+    default $http_x_original_forwarded_proto;
+    '' $proxy_x_forwarded_proto;
+  }
+
+  # If we receive X-Original-Forwarded-Ssl, use it; otherwise, use
+  # the value of X-Forwarded-Ssl
+  map $http_x_original_forwarded_ssl $proxy_x_forwarded_ssl_final {
+    default $http_x_original_forwarded_ssl;
+    '' $proxy_x_forwarded_ssl;
   }
 
   # If we receive X-Request-ID, pass it through; otherwise, pass along the
@@ -71,12 +99,12 @@ http {
   proxy_set_header    Proxy               "";
 
   proxy_set_header    X-Real-IP           $remote_addr;
-  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-  proxy_set_header    X-Forwarded-Proto   $proxy_x_forwarded_proto;
-  proxy_set_header    X-Forwarded-Ssl     $proxy_x_forwarded_ssl;
-  proxy_set_header    X-Forwarded-Port    $proxy_x_forwarded_port;
   proxy_set_header    X-Request-ID        $proxy_x_request_id;
-  proxy_set_header    X-Forwarded-Host    $proxy_x_forwarded_host;
+  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+  proxy_set_header    X-Forwarded-Host    $proxy_x_forwarded_host_final;
+  proxy_set_header    X-Forwarded-Port    $proxy_x_forwarded_port_final;
+  proxy_set_header    X-Forwarded-Proto   $proxy_x_forwarded_proto_final;
+  proxy_set_header    X-Forwarded-Ssl     $proxy_x_forwarded_ssl_final;
   proxy_set_header    X-Request-Start     "t=${msec}";
 
   # Latency headers