From e5891e968f0a8a7773101b5b5f12aaa84c93b44b Mon Sep 17 00:00:00 2001 From: kulikov-a <36099472+kulikov-a@users.noreply.github.com> Date: Wed, 3 May 2023 22:47:30 +0300 Subject: [PATCH] www/nginx: allow ports in upstream Host and XFH headers (#3387) --- .../controllers/OPNsense/Nginx/forms/upstream.xml | 14 ++++++++++++++ .../mvc/app/models/OPNsense/Nginx/Nginx.xml | 8 ++++++++ .../service/templates/OPNsense/Nginx/location.conf | 4 ++-- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml index 15fa99602..c879b9883 100644 --- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml +++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml @@ -23,6 +23,20 @@ true If you enable the proxy protocol, an upstream proxy or server will get the client IP and the server port before the real traffic is sent. + + upstream.host_port + + text + true + Add this port value to the Host header. Not used by default. + + + upstream.x_forwarded_host_verbatim + + Use Host header value from the client request ($http_host) for X-Forwarded-Host header. $host variable is used by default. Enabling this may cause incorrect behavior in case of malicious requests such as incorrect hostnames being logged or invalid redirects being performed. + true + checkbox + upstream.tls_enable diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml index cf4487baa..ea6932881 100644 --- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml +++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml @@ -120,6 +120,14 @@ Weighted Round Robin N + + 1 + N + + + 0 + Y + 0 Y 
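Review bot: The help text for the new `upstream.host_port` field says only "Add this port value to the Host header. Not used by default.", which does not tell the operator what the resulting header looks like or what "not used" means. Since location.conf renders it as `Host: $host:<port>` for every location that proxies to this upstream, the text should spell that out, e.g. `Append this port to the Host header sent to the upstream, producing Host: $host:<port>. Leave empty to send the Host header without a port.` The surrounding `<field>`/`<help>` markup is not visible here because the XML tags were lost in extraction, so the exact element to edit is inferred.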
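Review bot: The validation of the new `host_port` model field is not fully visible in this hunk; only the fragments `1` and `N` survive for it, which look like a minimum value and a not-required flag, and no maximum is visible. Because location.conf interpolates `{{ upstream.host_port }}` straight into the generated nginx configuration without escaping, the model is the only place that keeps characters such as `;`, whitespace or newlines out of the config file, so the field should be pinned to an integer port, i.e. an IntegerField with `<MinimumValue>1</MinimumValue>` and `<MaximumValue>65535</MaximumValue>`. If the field already has that type and range outside the surviving text, this is satisfied and only worth confirming. The second field (`0`, `Y`) reads as a boolean defaulting to off, which matches the template's `== '1'` check.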
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 0610d4fd5..35145c75b 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -120,7 +120,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif%}
 {% if location.upstream is defined and (location.php_enable is not defined or location.php_enable != '1') %}
 {% set upstream = helpers.getUUID(location.upstream) %}
- proxy_set_header Host $host;
+ proxy_set_header Host $host{% if upstream.host_port is defined and upstream.host_port != '' %}:{{ upstream.host_port }}{% endif %};
 {% if location.websocket is defined and location.websocket == '1' %}
 proxy_http_version 1.1;
 proxy_set_header Upgrade $http_upgrade;
@@ -164,7 +164,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Host {% if upstream.x_forwarded_host_verbatim is defined and upstream.x_forwarded_host_verbatim == '1'%}$http_host{% else %}$host{% endif %};
 proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
 {% if location.proxy_read_timeout is defined and location.proxy_read_timeout != '' %}
 proxy_read_timeout {{ location.proxy_read_timeout }}s;
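Review bot: The new `proxy_set_header Host` line writes `{{ upstream.host_port }}` into nginx.conf with no filter, so the template itself does nothing to stop a value containing `;`, a space or a newline from terminating the directive or adding another one; it depends entirely on the model restricting `host_port` to a number, which this diff does not show. A cheap local guard that keeps the template self-contained would be `{% if upstream.host_port is defined and upstream.host_port | string | trim != '' and (upstream.host_port | string) is match('^[0-9]+$') %}` or, if the model is confirmed to enforce an integer, a comment on the line saying so. Separately, the one-line conditional is hard to read next to the other header lines; computing the value once, `{% set host_header = '$host' ~ (':' ~ upstream.host_port if upstream.host_port is defined and upstream.host_port != '' else '') %}`, and then emitting `proxy_set_header Host {{ host_header }};` keeps the directive recognisable. The enclosing `{% if location.upstream is defined ... %}` block continues past the end of the hunk.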
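Review bot: The `X-Forwarded-Host` line now dereferences `upstream.x_forwarded_host_verbatim`, but this hunk starts at line 164 and does not show whether it still sits inside the `{% if location.upstream is defined ... %}` block from line 122 where `upstream` is assigned; if that block has closed, attribute access on an undefined `upstream` raises at render time rather than being caught by `is defined`, so that should be checked against the full template. When the option is on, `$http_host` is the client-supplied header passed through untouched, and for requests that carry no Host header the variable is empty and nginx then omits X-Forwarded-Host altogether, which the receiving application should expect; a short comment above the line, such as `{# verbatim mode forwards the raw client Host header, including its port; empty when the request has no Host header #}`, would record that. Finally `== '1'%}` is missing the space before the closing tag that every other tag in this file has; write `== '1' %}`.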