Pivotal Knowledge Base


Purpose of the X-Forwarded-Proto HTTP Header

Environment

Product                 Version
Pivotal Cloud Foundry   All versions

Purpose

X-Forwarded-Proto is an HTTP header and is part of the HTTP standard.

It is set on each HTTP request by a proxy or load balancer and can be used by a server application to determine what protocol the client used to connect.

The examples below should give a good understanding of why setting X-Forwarded-Proto is important and why not setting it can cause issues such as redirect loops.

Example

To understand X-Forwarded-Proto you have to understand the normal flow of communication when a client makes an HTTP request to an HTTPS-only resource.

Note: Proxy in this example refers to HAProxy or any other proxy or load balancer that decrypts HTTPS traffic before it reaches an application.

This is a simple example with direct communication between the client and server:

  1. Client sends an HTTP request to the Server
  2. Server sees that the URL is "http://"
  3. Server sends back a 3xx redirect response telling the Client to go to "https://"
  4. Client sends an HTTPS request to the Server
  5. Server sees that the URL is "https://"
  6. Server sends back the requested web page or data

What happens when there is a proxy device that decrypts the traffic?

  1. Client sends the HTTP request to the Proxy
  2. Proxy sends the HTTP request to the Server
  3. Server sees that the URL is "http://"
  4. Server sends back a 3xx redirect response telling the Client to connect to "https://"
  5. Client sends an HTTPS request to the Proxy
  6. Proxy decrypts the HTTPS traffic to HTTP
  7. Proxy sends the HTTP request to the Server
  8. Steps 3 to 7 repeat forever (or until the browser detects a redirect loop)

How does X-Forwarded-Proto prevent a redirect loop?

  1. Client sends the HTTP request to the Proxy
  2. Proxy sends the HTTP request to the Server
  3. Server sees that the URL is "http://"
  4. Server sends back a 3xx redirect response telling the Client to connect to "https://"
  5. Client sends an HTTPS request to the Proxy
  6. Proxy decrypts the HTTPS traffic and sets the header "X-Forwarded-Proto: https"
  7. Proxy sends the HTTP request to the Server
  8. Server sees that the URL is "http://" but also sees that "X-Forwarded-Proto" is "https" and trusts that the request is HTTPS
  9. Server sends back the requested web page or data

In step 6 above, the Proxy is setting the HTTP header "X-Forwarded-Proto: https" to specify that the traffic it received is HTTPS. In step 8, the Server then uses the X-Forwarded-Proto to determine if the request was HTTP or HTTPS.
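The following is an added, constructed simulation of the three flows above (direct connection, proxy without the header, proxy that sets the header); it is not Pivotal or HAProxy code. It assumes a single proxy at the made-up address 10.0.0.5 and shows the check a server should make: honour X-Forwarded-Proto only on connections that actually come from the proxy, so a client connecting directly cannot claim "https" and skip the redirect.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: the TLS-terminating proxy has a fixed internal address and is
# the only peer whose X-Forwarded-Proto header the server honours.
TRUSTED_PROXIES = {"10.0.0.5"}
HOST, PATH = "app.example.test", "/"   # constructed sample values

@dataclass
class Request:
    scheme: str   # protocol of the hop that actually reached the server
    peer_ip: str  # address the connection came from
    headers: Dict[str, str] = field(default_factory=dict)

def effective_scheme(req: Request) -> str:
    """Step 8: the protocol the client used. The header is honoured only
    from the proxy; a client reaching the server directly could otherwise
    claim "https" and skip the redirect."""
    if req.peer_ip in TRUSTED_PROXIES:
        forwarded = req.headers.get("X-Forwarded-Proto", "").lower()
        if forwarded in ("http", "https"):
            return forwarded
    return req.scheme

def handle(req: Request) -> Tuple[int, str]:
    """Steps 3 and 6: redirect plain HTTP to HTTPS, otherwise serve the page."""
    if effective_scheme(req) != "https":
        return 301, f"https://{HOST}{PATH}"
    return 200, "requested page"

def proxy_forward(client_scheme: str, set_header: bool) -> Request:
    """Steps 6 and 7: the proxy decrypts and forwards plain HTTP, with or
    without recording the original protocol in X-Forwarded-Proto."""
    headers = {"X-Forwarded-Proto": client_scheme} if set_header else {}
    return Request("http", "10.0.0.5", headers)

def simulate(via_proxy: bool, set_header: bool, max_hops: int = 5) -> Optional[int]:
    """Client starts with http:// and follows redirects. Returns the number
    of redirects before a 200, or None when the exchange loops."""
    scheme = "http"
    for redirects in range(max_hops):
        if via_proxy:
            req = proxy_forward(scheme, set_header)
        else:
            req = Request(scheme, "203.0.113.9")  # direct client connection
        status, _ = handle(req)
        if status == 200:
            return redirects
        scheme = "https"  # the client obeys the 3xx and retries over TLS
    return None
```

`simulate(True, False)` returns None, reproducing the redirect loop of the second flow, while `simulate(True, True)` finishes after one redirect like the direct case.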

Additional Information

For more information about the X-Forwarded-Proto HTTP header, refer to:

