RACK_URL_SCHEME calculation caring about more headers (#1491)

* RACK_URL_SCHEME read the same as in Rack * Code comment on HTTP_X_FORWARDED_PROTO - See rack/rack@85ca454 * Make default_server_port logic more readable * Test: X-Forwarded-Proto and friends * Calculate default_port respecting HTTP_X_FORWARDED_SCHEME, HTTP_X_FORWARDED_SSL * Calculate URL scheme using #default_server_port * Narrow down tests for default_server_port(env)
puma · Jul 17, 2019 · 30fbd84 · 30fbd84
1 parent 4c85fac
commit 30fbd84
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 7 deletions.
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
@@ -160,6 +160,9 @@ module Const
     LINE_END = "\r\n".freeze
     REMOTE_ADDR = "REMOTE_ADDR".freeze
     HTTP_X_FORWARDED_FOR = "HTTP_X_FORWARDED_FOR".freeze
+    HTTP_X_FORWARDED_SSL = "HTTP_X_FORWARDED_SSL".freeze
+    HTTP_X_FORWARDED_SCHEME = "HTTP_X_FORWARDED_SCHEME".freeze
+    HTTP_X_FORWARDED_PROTO = "HTTP_X_FORWARDED_PROTO".freeze
 
     SERVER_NAME = "SERVER_NAME".freeze
     SERVER_PORT = "SERVER_PORT".freeze

diff --git a/lib/puma/server.rb b/lib/puma/server.rb
@@ -588,8 +588,11 @@ def normalize_env(env, client)
     end
 
     def default_server_port(env)
-      return PORT_443 if env[HTTPS_KEY] == 'on' || env[HTTPS_KEY] == 'https'
-      env['HTTP_X_FORWARDED_PROTO'] == 'https' ? PORT_443 : PORT_80
+      if ['on', HTTPS].include?(env[HTTPS_KEY]) || env[HTTP_X_FORWARDED_PROTO].to_s[0...5] == HTTPS || env[HTTP_X_FORWARDED_SCHEME] == HTTPS || env[HTTP_X_FORWARDED_SSL] == "on"
+        PORT_443
+      else
+        PORT_80
+      end
     end
 
     # Takes the request +req+, invokes the Rack application to construct
@@ -627,7 +630,7 @@ def handle_request(req, lines)
       head = env[REQUEST_METHOD] == HEAD
 
       env[RACK_INPUT] = body
-      env[RACK_URL_SCHEME] =  env[HTTPS_KEY] ? HTTPS : HTTP
+      env[RACK_URL_SCHEME] = default_server_port(env) == PORT_443 ? HTTPS : HTTP
 
       if @early_hints
         env[EARLY_HINTS] = lambda { |headers|

diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
@@ -95,6 +95,30 @@ def test_very_large_return
   end
 
   def test_respect_x_forwarded_proto
+    env = {}
+    env['HOST'] = "example.com"
+    env['HTTP_X_FORWARDED_PROTO'] = "https,http"
+
+    assert_equal "443", @server.default_server_port(env)
+  end
+
+  def test_respect_x_forwarded_ssl_on
+    env = {}
+    env['HOST'] = "example.com"
+    env['HTTP_X_FORWARDED_SSL'] = "on"
+
+    assert_equal "443", @server.default_server_port(env)
+  end
+
+  def test_respect_x_forwarded_scheme
+    env = {}
+    env['HOST'] = "example.com"
+    env['HTTP_X_FORWARDED_SCHEME'] = "https"
+
+    assert_equal "443", @server.default_server_port(env)
+  end
+
+  def test_default_server_port
     @server.app = proc do |env|
       [200, {}, [env['SERVER_PORT']]]
     end
@@ -104,16 +128,15 @@ def test_respect_x_forwarded_proto
 
     req = Net::HTTP::Get.new("/")
     req['HOST'] = "example.com"
-    req['X_FORWARDED_PROTO'] = "https"
 
     res = Net::HTTP.start @host, @server.connected_port do |http|
       http.request(req)
     end
 
-    assert_equal "443", res.body
+    assert_equal "80", res.body
   end
 
-  def test_default_server_port
+  def test_default_server_port_respects_x_forwarded_proto
     @server.app = proc do |env|
       [200, {}, [env['SERVER_PORT']]]
     end
@@ -123,12 +146,13 @@ def test_default_server_port
 
     req = Net::HTTP::Get.new("/")
     req['HOST'] = "example.com"
+    req['X_FORWARDED_PROTO'] = "https,http"
 
     res = Net::HTTP.start @host, @server.connected_port do |http|
       http.request(req)
     end
 
-    assert_equal "80", res.body
+    assert_equal "443", res.body
   end
 
   def test_HEAD_has_no_body