www/nginx: allow ports in upstream Host and XFH headers (#3387)

2026-05-28 04:34:15 -04:00 · 2023-05-03 22:47:30 +03:00 · 2023-05-03 22:47:30 +03:00 · e5891e968f
commit e5891e968f
parent 9ca8537e42
3 changed files with 24 additions and 2 deletions
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
@ -23,6 +23,20 @@
    <advanced>true</advanced>
    <help>If you enable the proxy protocol, an upstream proxy or server will get the client IP and the server port before the real traffic is sent.</help>
  </field>
+  <field>
+    <id>upstream.host_port</id>
+    <label>Host header port</label>
+    <type>text</type>
+    <advanced>true</advanced>
+    <help>Add this port value to the Host header. Not used by default.</help>
+  </field>
+  <field>
+    <id>upstream.x_forwarded_host_verbatim</id>
+    <label>XFH: Use original Host header</label>
+    <help>Use Host header value from the client request ($http_host) for X-Forwarded-Host header. $host variable is used by default. Enabling this may cause incorrect behavior in case of malicious requests such as incorrect hostnames being logged or invalid redirects being performed.</help>
+    <advanced>true</advanced>
+    <type>checkbox</type>
+  </field>
  <field>
    <id>upstream.tls_enable</id>
    <label>Enable TLS (HTTPS)</label>
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@ -120,6 +120,14 @@
        <BlankDesc>Weighted Round Robin</BlankDesc>
        <Required>N</Required>
      </load_balancing_algorithm>
+      <host_port type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>N</Required>
+      </host_port>
+      <x_forwarded_host_verbatim type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </x_forwarded_host_verbatim>
      <proxy_protocol type="BooleanField">
        <default>0</default>
        <Required>Y</Required>
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@ -120,7 +120,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif%}
 {% if location.upstream is defined and (location.php_enable is not defined or location.php_enable != '1') %}
 {%   set upstream = helpers.getUUID(location.upstream) %}
-    proxy_set_header Host $host;
+    proxy_set_header Host $host{% if upstream.host_port is defined and upstream.host_port != '' %}:{{ upstream.host_port }}{% endif %};
 {%   if location.websocket is defined and location.websocket == '1' %}
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
@ -164,7 +164,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
-    proxy_set_header X-Forwarded-Host $host;
+    proxy_set_header X-Forwarded-Host {% if upstream.x_forwarded_host_verbatim is defined and upstream.x_forwarded_host_verbatim == '1'%}$http_host{% else %}$host{% endif %};
    proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
 {%   if location.proxy_read_timeout is defined and location.proxy_read_timeout != '' %}
    proxy_read_timeout {{ location.proxy_read_timeout }}s;