rack · tomharvey · Jun 10, 2023 · Jun 10, 2023 · Jun 11, 2023 · Jun 11, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file. For info on
 - MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript` ([`1bd0f15`](https://github.com/rack/rack/commit/1bd0f1597d8f4a90d47115f3e156a8ce7870c9c8))
 - Add `.mjs` MIME type ([#2057](https://github.com/rack/rack/pull/2057), [@axilleas])
 - Update MIME types associated to `.ttf`, `.woff`, `.woff2` and `.otf` extensions to use mondern `font/*` types. ([#2065](https://github.com/rack/rack/pull/2065), [@davidstosik])
+- Add `Rack::SetXForwardedProtoHeader` middleware ([#2089](https://github.com/rack/rack/pull/2089), [@tomharvey])
 
 ## [3.0.7] - 2023-03-16
 

diff --git a/README.md b/README.md
@@ -128,6 +128,8 @@ middleware:
   the request.
 * `Rack::Sendfile` for working with web servers that can use optimized file
   serving for file system paths.
+* `Rack::SetXForwardedProtoHeader` for using a vendor managed proxy which provides
+  X-Forwarded-Proto like headers.
 * `Rack::ShowException` for catching unhandled exceptions and presenting them in
   a nice and helpful way with clickable backtrace.
 * `Rack::ShowStatus` for using nice error pages for empty client error

diff --git a/lib/rack.rb b/lib/rack.rb
@@ -48,6 +48,7 @@ module Rack
   autoload :Runtime, "rack/runtime"
   autoload :Sendfile, "rack/sendfile"
   autoload :Server, "rack/server"
+  autoload :SetXForwardedProtoHeader, "rack/set_x_forwarded_proto_header"
   autoload :ShowExceptions, "rack/show_exceptions"
   autoload :ShowStatus, "rack/show_status"
   autoload :Static, "rack/static"

diff --git a/lib/rack/set_x_forwarded_proto_header.rb b/lib/rack/set_x_forwarded_proto_header.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Rack
+
+  # Middleware to set the X-Forwarded-Proto header to the value
+  # of another header.
+  #
+  # This header can be used to ensure the scheme matches when comparing
+  # request.origin and request.base_url for CSRF checking, but Rack
+  # expects that value to be in the X_FORWARDED_PROTO header.
+  #
+  # Example Rails usage:
+  # If you use a vendor managed proxy or CDN which sends the proto in a header add 
+  #`config.middleware.use Rack::SetXForwardedProtoHeader, 'Vendor-Forwarded-Proto-Header'`
+  # to your application.rb file
+
+  class SetXForwardedProtoHeader
+    def initialize(app, vendor_forwarded_header)
+      @app = app
+      # Rack expects to see UPPER_UNDERSCORED_HEADERS, never SnakeCased-Dashed-Headers
+      @vendor_forwarded_header = "HTTP_#{vendor_forwarded_header.upcase.gsub "-", "_"}"
+    end
+
+    def call(env)
+      if value = env[@vendor_forwarded_header]
+        env["HTTP_X_FORWARDED_PROTO"] = value
+      end
+      @app.call(env)
+    end
+
+  end
+end
diff --git a/test/spec_set_x_forwarded_proto_header.rb b/test/spec_set_x_forwarded_proto_header.rb
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require_relative 'helper'
+
+
+describe Rack::SetXForwardedProtoHeader do
+  response = lambda {|e| [200, {}, []]  }
+
+  it "leaves the value of X_FORWARDED_PROTO intact if there is no vendor header passed in the request" do
+    vendor_forwarded_header = "not passed in the request"
+    env = Rack::MockRequest.env_for("/", "HTTP_X_FORWARDED_PROTO" => "http")
+
+    Rack::Lint.new(Rack::SetXForwardedProtoHeader.new(response, vendor_forwarded_header)).call env
+
+    env["HTTP_X_FORWARDED_PROTO"].must_equal "http"
+  end
+
+  it "does not set X-Forwarded-Proto when there is no vendor header passed in the request" do
+    vendor_forwarded_header = "not passed in the request"
+    env = Rack::MockRequest.env_for("/", "FOO" => "bar")
+
+    Rack::Lint.new(Rack::SetXForwardedProtoHeader.new(response, vendor_forwarded_header)).call env
+
+    env["FOO"].must_equal "bar"
+    env["HTTP_X_FORWARDED_PROTO"].must_equal nil
+  end
+
+
+  it "copies the value of the header to X-Forwarded-Proto" do
+    env = Rack::MockRequest.env_for("/", "HTTP_VENDOR_FORWARDED_PROTO_HEADER" => "https")
+
+    Rack::Lint.new(Rack::SetXForwardedProtoHeader.new(response, "Vendor-Forwarded-Proto-Header")).call env
+
+    env["HTTP_X_FORWARDED_PROTO"].must_equal "https"
+  end
+
+  it "copies the value of the header to X-Forwarded-Proto overwriting an existing X-Forwarded-Proto" do
+    env = Rack::MockRequest.env_for("/", "HTTP_VENDOR_FORWARDED_PROTO_HEADER" => "https", "HTTP_X_FORWARDED_PROTO" => "http")
+
+    Rack::Lint.new(Rack::SetXForwardedProtoHeader.new(response, "Vendor-Forwarded-Proto-Header")).call env
+
+    env["HTTP_X_FORWARDED_PROTO"].must_equal "https"
+  end
+
+
+end