Pivotal Knowledge Base

Follow

Purpose of the X-Forwarded-Proto HTTP Header

Environment

 Pivotal Cloud Foundry all versions

Introduction

X-Forwarded-Proto is an HTTP Header and is part of the HTTP standard.

It is set on each HTTP request by a proxy or load balancer and can be used by a server application to determine what protocol the client used to connect.

Description

To understand X-Forwarded-Proto you have to understand the normal flow of communication when a client makes an HTTP request to a HTTPS-only resource.

Note: Proxy in this example refers to HAProxy or any other proxy or load balancer that decrypts HTTPS traffic before it reaches an application.

This is a simple example with direct communication between the client and server:

  1. Client sends a HTTP request to the Server
  2. Server sees that the URL is "http://"
  3. Server sends back 3xx redirect response telling the Client to go to "https://"
  4. Client sends a HTTPS request to the Server
  5. Server sees that the URL is "https://"
  6. Server sends back the requested web page or data

What happens when there is a proxy device that decrypts the traffic?

  1. Client sends the HTTP request to the Proxy
  2. Proxy sends the HTTP request to the Server
  3. Server sees that the URL is "http://"
  4. Server sends back 3xx redirect response telling the Client to connect to "https://"
  5. Client sends an HTTPS request to the Proxy
  6. Proxy decrypts the HTTPS traffic to HTTP
  7. Proxy sends the HTTP request to the Server
  8. Steps 3 to 7 repeat forever (or until the browser detects a redirect loop)

How does X-Forwarded-Proto prevent a redirect loop?

  1. Client sends the HTTP request to the Proxy
  2. <Proxy sends the HTTP request to the Server
  3. Server sees that the URL is "http://"
  4. Server sends back 3xx redirect response telling the Client to connect to "https://"
  5. Client sends an HTTPS request to the Proxy
  6. Proxy decrypts the HTTPS traffic and sets the "X-Forwarded-Proto: https"
  7. Proxy sends the HTTP request to the Server
  8. Server sees that the URL is "http://" but also sees that "X-Forwarded-Proto" is "https" and trusts that the request is HTTPS
  9. Server sends back the requested web page or data

In step 6 above, the Proxy is setting the HTTP header "X-Forwarded-Proto: https" to specify that the traffic it received is HTTPS. In step 8, the Server then uses the X-Forwarded-Proto to determine if the request was HTTP or HTTPS.

Additional Information

For more information about the X-Forwarded-Proto HTTP header, refer to:

 

Comments

Powered by Zendesk