fix(interceptor): preserve upstream X-Forwarded headers (#1434)

linkvt · web-flow · commit 32d2556d83d2 · 2026-02-02T15:19:12.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -36,7 +36,7 @@ This changelog keeps track of work items that have been completed and are ready
 
 ### Fixes
 
-- **General**: TODO ([#TODO](https://github.com/kedacore/http-add-on/issues/TODO))
+- **General**: Preserve `X-Forwarded-Proto` and `X-Forwarded-Host` headers from upstream proxies ([#1432](https://github.com/kedacore/http-add-on/issues/1432))
 
 ### Deprecations
 
diff --git a/interceptor/handler/upstream.go b/interceptor/handler/upstream.go
@@ -72,9 +72,16 @@ func (uh *Upstream) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			pr.SetURL(stream)
 			// Preserve original Host header (SetURL rewrites it by default).
 			pr.Out.Host = pr.In.Host
-			// Preserve X-Forwarded-For chain before appending client IP.
+
+			// Preserve and extend X-Forwarded-... headers from upstream proxies
 			pr.Out.Header["X-Forwarded-For"] = pr.In.Header["X-Forwarded-For"]
 			pr.SetXForwarded()
+			if host := pr.In.Header.Get("X-Forwarded-Host"); host != "" {
+				pr.Out.Header.Set("X-Forwarded-Host", host)
+			}
+			if proto := pr.In.Header.Get("X-Forwarded-Proto"); proto != "" {
+				pr.Out.Header.Set("X-Forwarded-Proto", proto)
+			}
 		},
 		BufferPool: bufferPool,
 		Transport:  uh.roundTripper,
diff --git a/interceptor/handler/upstream_test.go b/interceptor/handler/upstream_test.go
@@ -440,15 +440,36 @@ func TestForwardRequestRedirectAndHeaders(t *testing.T) {
 	r.Equal("Hello from srv", res.Body.String())
 }
 
-func TestUpstreamSetsXForwardedFor(t *testing.T) {
+func TestUpstreamPreservesXForwardedHeaders(t *testing.T) {
 	tests := map[string]struct {
-		forwardedIPs []string
+		forwardedFor   string
+		forwardedHost  string
+		forwardedProto string
+		forwardedPort  string
 	}{
-		"appends to existing header chain": {
-			forwardedIPs: []string{"1.2.3.4", "5.6.7.8"},
+		"preserves and extends forwarded IPs": {
+			forwardedFor: "198.51.100.1",
+		},
+		"preserves forwarded host": {
+			forwardedHost: "example.org",
+		},
+		"preserves forwarded proto": {
+			forwardedProto: "http",
+		},
+		"preserves forwarded port": {
+			forwardedPort: "443",
+		},
+		"preserves and extends existing headers": {
+			forwardedFor:   "1.2.3.4, 5.6.7.8",
+			forwardedHost:  "keda.sh",
+			forwardedProto: "https",
+			forwardedPort:  "8443",
 		},
 		"sets header when not present": {
-			forwardedIPs: nil,
+			forwardedFor:   "",
+			forwardedHost:  "",
+			forwardedProto: "",
+			forwardedPort:  "",
 		},
 	}
 
@@ -470,28 +491,54 @@ func TestUpstreamSetsXForwardedFor(t *testing.T) {
 			upstream := NewUpstream(http.DefaultTransport, &config.Tracing{}, false)
 
 			req := httptest.NewRequest("GET", "/test", nil)
-			forwardedIPsStr := strings.Join(tt.forwardedIPs, ", ")
-			if tt.forwardedIPs != nil {
-				req.Header.Set("X-Forwarded-For", forwardedIPsStr)
+			if tt.forwardedFor != "" {
+				req.Header.Set("X-Forwarded-For", tt.forwardedFor)
+			}
+			if tt.forwardedHost != "" {
+				req.Header.Set("X-Forwarded-Host", tt.forwardedHost)
+			}
+			if tt.forwardedProto != "" {
+				req.Header.Set("X-Forwarded-Proto", tt.forwardedProto)
+			}
+			if tt.forwardedPort != "" {
+				req.Header.Set("X-Forwarded-Port", tt.forwardedPort)
 			}
 			req = util.RequestWithStream(req, backendURL)
 
 			upstream.ServeHTTP(httptest.NewRecorder(), req)
 
 			// Verify the test conditions
 			xff := receivedHeaders.Get("X-Forwarded-For")
-			if xff == "" {
-				t.Fatal("X-Forwarded-For should not be empty")
+			if tt.forwardedFor != "" {
+				if !strings.HasPrefix(xff, tt.forwardedFor+", ") {
+					t.Errorf("expected X-Forwarded-For to start with %q, got: %q", tt.forwardedFor+", ", xff)
+				}
+			} else if xff == "" {
+				t.Error("X-Forwarded-For should contain at least the client IP")
+			}
+
+			xfh := receivedHeaders.Get("X-Forwarded-Host")
+			if tt.forwardedHost != "" {
+				if tt.forwardedHost != xfh {
+					t.Errorf("expected forwarded host %q, got %q", tt.forwardedHost, xfh)
+				}
+			} else if xfh != req.Host {
+				t.Errorf("expected default forwarded host %q, got %q", req.Host, xfh)
 			}
 
-			if tt.forwardedIPs != nil && !strings.HasPrefix(xff, forwardedIPsStr) {
-				t.Errorf("expected X-Forwarded-For to contain %q, got: %q", forwardedIPsStr, xff)
+			xfproto := receivedHeaders.Get("X-Forwarded-Proto")
+			if tt.forwardedProto != "" {
+				if tt.forwardedProto != xfproto {
+					t.Errorf("expected forwarded proto %q, got %q", tt.forwardedProto, xfproto)
+				}
+			} else if xfproto != "http" {
+				t.Errorf("expected default forwarded proto %q, got %q", "http", xfproto)
 			}
 
-			ips := strings.Split(xff, ", ")
-			expectedLen := len(tt.forwardedIPs) + 1
-			if len(ips) != expectedLen {
-				t.Errorf("expected %d IPs in X-Forwarded-For, got %d: %q", expectedLen, len(ips), xff)
+			// Ensure that X-Forwarded-Port is preserved even if we don't set a default for it
+			xfport := receivedHeaders.Get("X-Forwarded-Port")
+			if xfport != tt.forwardedPort {
+				t.Errorf("expected forwarded port %q, got %q", tt.forwardedPort, xfport)
 			}
 		})
 	}
