Feature Request : Enable X-Forwarded Headers by Default with an Option to Disable per Application #14

New Issue

Closed

opened 2025-12-29 09:21:40 +01:00 by adam · 1 comment

adam commented 2025-12-29 09:21:40 +01:00

Owner

Copy Link

Originally created by @arevindh on GitHub (Sep 30, 2024).

Currently, go-proxy only adds X-Forwarded-* headers (e.g., X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host) when explicitly enabled via Docker labels. These headers are crucial for many applications running behind a reverse proxy to correctly identify the original client IP, protocol, and host, especially when used in combination with Docker.

Request:

Enable the inclusion of X-Forwarded-* headers by default.

Reasoning:

The X-Forwarded-* headers are essential in reverse proxy setups for several reasons:

1. Client IP Identification:
   Applications often use the X-Forwarded-For header to obtain the real client's IP address, rather than the internal IP address of the reverse proxy. This is particularly important for features such as:

   • Logging and audit trails
   • Rate limiting
   • Geolocation services
   • Authentication mechanisms based on the user's IP address

2. Correct URL and Protocol Handling:
   Many web applications rely on the X-Forwarded-Proto and X-Forwarded-Host headers to determine the original protocol (http vs. https) and host requested by the client, allowing them to:

   • Construct correct absolute URLs for redirects
   • Handle SSL termination properly
   • Display proper canonical URLs to users

Popular Proxies:

It is worth noting that other widely used reverse proxies, such as Traefik, Caddy, and NGINX Proxy Manager, enable X-Forwarded-* headers by default.

• Traefik: Automatically adds these headers when proxying HTTP requests.
  Traefik documentation on forwarded headers

• Caddy: The reverse proxy feature adds X-Forwarded-* headers by default.
  Caddy documentation on reverse proxy defaults

This is a widely adopted practice in the proxy world as it provides transparency about the client's real information to the application being proxied.

Example Usage:

For instance, web frameworks such as Flask, Express, or Django often utilize middleware or configuration to parse these headers to find the real user's IP behind a proxy.

• Flask: Uses X-Forwarded-For with a configuration setting called ProxyFix.
• Django: Uses the X-Forwarded-For header to obtain the client IP behind proxies when configured.
• Express (Node.js): It uses X-Forwarded-For to obtain the correct IP if the app is behind a proxy.

Proposal:

• Change the default behavior of go-proxy to automatically include X-Forwarded-* headers unless explicitly disabled.
• Provide a label option to disable these headers on a per-application basis, allowing users flexibility if they have different requirements.

---

Please consider this enhancement for a future release as it would provide a more seamless experience for users running applications behind a reverse proxy.

Thank you!

Originally created by @arevindh on GitHub (Sep 30, 2024). Currently, `go-proxy` only adds `X-Forwarded-*` headers (e.g., `X-Forwarded-For`, `X-Forwarded-Proto`, `X-Forwarded-Host`) when explicitly enabled via Docker labels. These headers are crucial for many applications running behind a reverse proxy to correctly identify the original client IP, protocol, and host, especially when used in combination with Docker. ### Request: **Enable the inclusion of `X-Forwarded-*` headers by default.** ### Reasoning: The `X-Forwarded-*` headers are essential in reverse proxy setups for several reasons: 1. **Client IP Identification:** Applications often use the `X-Forwarded-For` header to obtain the real client's IP address, rather than the internal IP address of the reverse proxy. This is particularly important for features such as: - Logging and audit trails - Rate limiting - Geolocation services - Authentication mechanisms based on the user's IP address 2. **Correct URL and Protocol Handling:** Many web applications rely on the `X-Forwarded-Proto` and `X-Forwarded-Host` headers to determine the original protocol (`http` vs. `https`) and host requested by the client, allowing them to: - Construct correct absolute URLs for redirects - Handle SSL termination properly - Display proper canonical URLs to users ### Popular Proxies: It is worth noting that other widely used reverse proxies, such as **Traefik**, **Caddy**, and **NGINX Proxy Manager**, enable `X-Forwarded-*` headers by default. - **Traefik:** Automatically adds these headers when proxying HTTP requests. [Traefik documentation on forwarded headers](https://doc.traefik.io/traefik/getting-started/faq/#what-are-the-forwarded-headers-when-proxying-http-requests) - **Caddy:** The reverse proxy feature adds `X-Forwarded-*` headers by default. [Caddy documentation on reverse proxy defaults](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#defaults) This is a widely adopted practice in the proxy world as it provides transparency about the client's real information to the application being proxied. ### Example Usage: For instance, web frameworks such as Flask, Express, or Django often utilize middleware or configuration to parse these headers to find the real user's IP behind a proxy. - **Flask:** Uses `X-Forwarded-For` with a configuration setting called `ProxyFix`. - **Django:** Uses the `X-Forwarded-For` header to obtain the client IP behind proxies when configured. - **Express (Node.js):** It uses `X-Forwarded-For` to obtain the correct IP if the app is behind a proxy. ### Proposal: - **Change the default behavior** of `go-proxy` to **automatically include `X-Forwarded-*` headers** unless explicitly disabled. - Provide a **label option to disable** these headers on a per-application basis, allowing users flexibility if they have different requirements. --- Please consider this enhancement for a future release as it would provide a more seamless experience for users running applications behind a reverse proxy. Thank you!

adam closed this issue 2025-12-29 09:21:40 +01:00

adam commented 2025-12-29 09:21:40 +01:00

Author

Owner

Copy Link

@yusing commented on GitHub (Sep 30, 2024):

ebedbc931f

@yusing commented on GitHub (Sep 30, 2024): ebedbc931f69992453279b4625a35fbad81895e0

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

compat

feat/agent-stream

dev

main-backup

feat/custom-json-marshaling

feat/non-root-non-host-mode

v0.24.0

v0.23.1

v0.23.0

v0.22.1

v0.22.0

v0.21.3

v0.21.2

v0.21.1

v0.21.0

v0.20.14

v0.20.13

v0.20.12

v0.20.11

v0.20.10

v0.20.9

v0.20.8

v0.20.7

v0.20.6

v0.20.5

v0.20.4

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.2

v0.19.1

v0.19.0

v0.18.6

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.6

v0.17.5

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.2

v0.16.0-pathfix

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.2

v0.14.1

v0.14.0

v0.13.8

v0.13.7

v0.13.6

v0.13.5

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.9

v0.11.8

v0.11.7

v0.11.6-buildfix

v0.11.6

v0.11.5

v0.11.4

v0.11.3

v0.11.2-2

v0.11.2-1

v0.11.2

v0.11.1

v0.11.0

v0.10.2

v0.10.1

v0.10.0

v0.9.10

v0.9.9-1

v0.9.9

v0.9.8

0.9.8

0.9.7

0.9.6

0.9.5

0.9.4-1

0.9.4

0.9.3

0.9.2

0.9.1

0.9

0.8.1

0.8.0

0.7.7

0.7.6

0.7.5

0.7.4

0.7.3

0.7.2

0.7.1

0.7.0

0.6.4-1

0.6.4

0.6.3

0.6.2

0.6.1

0.6

0.6-rp1

0.5.8

0.5.7

0.5.6

0.5.5

0.5.4

0.5.3

0.5.2

0.5.1

0.5.0

0.5.0-rc6

0.5.0-rc5

0.5.0-rc4

0.5.0-rc3

0.5.0-rc2

0.5.0-rc1

0.5.0-beta3

0.5.0-beta2

0.5.0-beta

0.4.8-1

0.4.8

0.4.7

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.1

0.3

0.2.2

0.2.1

0.2-alpha

0.1-stable

Labels

Clear labels

bug

enhancement

pull-request

Mirrored from GitHub Pull Request

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/godoxy#14