feature: add auto for X-Forwarded-Proto and X-FOrwarded-Port (#3878)

patrickdk77 · web-flow · commit ee4f497f7c67 · 2026-02-25T10:10:59.000+01:00
closes #3871 Signed-off-by: patrickdk <patrickdk@patrickdk.com>
diff --git a/config/config.go b/config/config.go
@@ -503,8 +503,8 @@ func NewConfig() *Config {
 		"X-Forwarded-Host sets X-Forwarded-Host value to the request host\n"+
 		"X-Forwarded-Method sets X-Forwarded-Method value to the request method\n"+
 		"X-Forwarded-Uri sets X-Forwarded-Uri value to the requestURI\n"+
-		"X-Forwarded-Port=<port> sets X-Forwarded-Port value\n"+
-		"X-Forwarded-Proto=<http|https> sets X-Forwarded-Proto value")
+		"X-Forwarded-Port=<port|auto> sets X-Forwarded-Port value, use 'auto' to detect from the listener address\n"+
+		"X-Forwarded-Proto=<http|https|auto> sets X-Forwarded-Proto value, use 'auto' to detect from TLS state")
 	flag.Var(cfg.ForwardedHeadersExcludeCIDRList, "forwarded-headers-exclude-cidrs", "disables addition of forwarded headers for the remote host IPs from the comma separated list of CIDRs")
 
 	flag.BoolVar(&cfg.NormalizeHost, "normalize-host", false, "converts request host to lowercase and removes port and trailing dot if any")
@@ -1297,6 +1297,8 @@ func (c *Config) parseForwardedHeaders() error {
 			c.ForwardedHeaders.Proto = "http"
 		case header == "X-Forwarded-Proto=https":
 			c.ForwardedHeaders.Proto = "https"
+		case header == "X-Forwarded-Proto=auto":
+			c.ForwardedHeaders.Proto = "auto"
 		default:
 			return fmt.Errorf("invalid forwarded header: %s", header)
 		}
diff --git a/config/config_test.go b/config/config_test.go
@@ -347,6 +347,60 @@ func Test_Validate(t *testing.T) {
 	}
 }
 
+func Test_parseForwardedHeadersAutoDetect(t *testing.T) {
+	for _, tt := range []struct {
+		name      string
+		headers   []string
+		wantProto string
+		wantPort  string
+		wantErr   bool
+	}{
+		{
+			name:      "X-Forwarded-Proto=auto sets proto to auto",
+			headers:   []string{"X-Forwarded-Proto=auto"},
+			wantProto: "auto",
+		},
+		{
+			name:      "X-Forwarded-Proto=http sets static proto",
+			headers:   []string{"X-Forwarded-Proto=http"},
+			wantProto: "http",
+		},
+		{
+			name:      "X-Forwarded-Proto=https sets static proto",
+			headers:   []string{"X-Forwarded-Proto=https"},
+			wantProto: "https",
+		},
+		{
+			name:     "X-Forwarded-Port=auto sets port to auto",
+			headers:  []string{"X-Forwarded-Port=auto"},
+			wantPort: "auto",
+		},
+		{
+			name:     "X-Forwarded-Port=8080 sets static port",
+			headers:  []string{"X-Forwarded-Port=8080"},
+			wantPort: "8080",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := NewConfig()
+			cfg.ForwardedHeadersList = commaListFlag(tt.headers...)
+			for _, h := range tt.headers {
+				cfg.ForwardedHeadersList.Set(h)
+			}
+			err := validate(cfg)
+			if (err != nil) != tt.wantErr {
+				t.Fatalf("config.NewConfig() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if cfg.ForwardedHeaders.Proto != tt.wantProto {
+				t.Errorf("Failed to get wanted Proto, got: %v, want: %v", cfg.ForwardedHeaders.Proto, tt.wantProto)
+			}
+			if cfg.ForwardedHeaders.Port != tt.wantPort {
+				t.Errorf("Failed to get wanted Port, got: %v, want: %v", cfg.ForwardedHeaders.Port, tt.wantPort)
+			}
+		})
+	}
+}
+
 func Test_NewConfigWithArgs(t *testing.T) {
 	for _, tt := range []struct {
 		name    string
diff --git a/docs/operation/operation.md b/docs/operation/operation.md
@@ -1555,8 +1555,8 @@ Skipper can be configured to add [`X-Forwarded-*` headers](https://en.wikipedia.
         comma separated list of headers to add to the incoming request before routing
         X-Forwarded-For sets or appends with comma the remote IP of the request to the X-Forwarded-For header value
         X-Forwarded-Host sets X-Forwarded-Host value to the request host
-        X-Forwarded-Port=<port> sets X-Forwarded-Port value
-        X-Forwarded-Proto=<http|https> sets X-Forwarded-Proto value
+        X-Forwarded-Port=<port> sets X-Forwarded-Port value, or set to auto to use the port of the listener
+        X-Forwarded-Proto=<http|https|auto> sets X-Forwarded-Proto value, or set to auto to use http or https depending on the listener tls state
   -forwarded-headers-exclude-cidrs value
         disables addition of forwarded headers for the remote host IPs from the comma separated list of CIDRs
 ```
diff --git a/net/headers.go b/net/headers.go
@@ -18,9 +18,9 @@ type ForwardedHeaders struct {
 	Method bool
 	// Uri sets the path and query as X-Forwarded-Uri header to the request header
 	Uri bool
-	// Sets X-Forwarded-Port value
+	// Port sets X-Forwarded-Port value, use "auto" to detect from the listener address
 	Port string
-	// Sets X-Forwarded-Proto value
+	// Proto sets X-Forwarded-Proto value, use "auto" to detect from TLS state
 	Proto string
 }
 
@@ -54,11 +54,23 @@ func (h *ForwardedHeaders) Set(req *http.Request) {
 		req.Header.Set("X-Forwarded-Uri", req.RequestURI)
 	}
 
-	if h.Port != "" {
+	if h.Port == "auto" {
+		if addr, ok := req.Context().Value(http.LocalAddrContextKey).(net.Addr); ok {
+			if _, port, err := net.SplitHostPort(addr.String()); err == nil {
+				req.Header.Set("X-Forwarded-Port", port)
+			}
+		}
+	} else if h.Port != "" {
 		req.Header.Set("X-Forwarded-Port", h.Port)
 	}
 
-	if h.Proto != "" {
+	if h.Proto == "auto" {
+		if req.TLS != nil {
+			req.Header.Set("X-Forwarded-Proto", "https")
+		} else {
+			req.Header.Set("X-Forwarded-Proto", "http")
+		}
+	} else if h.Proto != "" {
 		req.Header.Set("X-Forwarded-Proto", h.Proto)
 	}
 }
diff --git a/net/headers_test.go b/net/headers_test.go
@@ -2,6 +2,9 @@ package net
 
 import (
 	"bytes"
+	"context"
+	"crypto/tls"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
@@ -20,6 +23,8 @@ func TestForwardedHeaders(t *testing.T) {
 		header     http.Header
 		forwarded  ForwardedHeaders
 		expected   http.Header
+		tls        bool
+		localAddr  string
 	}{
 		{
 			name:       "no change when disabled",
@@ -133,6 +138,48 @@ func TestForwardedHeaders(t *testing.T) {
 				"X-Forwarded-Proto": []string{"https"},
 			},
 		},
+		{
+			name:       "proto auto detect with TLS",
+			remoteAddr: "1.2.3.4:56",
+			header:     http.Header{},
+			forwarded:  ForwardedHeaders{Proto: "auto"},
+			tls:        true,
+			expected: http.Header{
+				"X-Forwarded-Proto": []string{"https"},
+			},
+		},
+		{
+			name:       "proto auto detect without TLS",
+			remoteAddr: "1.2.3.4:56",
+			header:     http.Header{},
+			forwarded:  ForwardedHeaders{Proto: "auto"},
+			tls:        false,
+			expected: http.Header{
+				"X-Forwarded-Proto": []string{"http"},
+			},
+		},
+		{
+			name:       "port auto detect",
+			remoteAddr: "1.2.3.4:56",
+			header:     http.Header{},
+			forwarded:  ForwardedHeaders{Port: "auto"},
+			localAddr:  "0.0.0.0:8443",
+			expected: http.Header{
+				"X-Forwarded-Port": []string{"8443"},
+			},
+		},
+		{
+			name:       "proto and port auto detect together",
+			remoteAddr: "1.2.3.4:56",
+			header:     http.Header{},
+			forwarded:  ForwardedHeaders{Proto: "auto", Port: "auto"},
+			tls:        true,
+			localAddr:  "0.0.0.0:443",
+			expected: http.Header{
+				"X-Forwarded-Proto": []string{"https"},
+				"X-Forwarded-Port":  []string{"443"},
+			},
+		},
 	} {
 		t.Run(ti.name, func(t *testing.T) {
 			r := &http.Request{
@@ -143,6 +190,16 @@ func TestForwardedHeaders(t *testing.T) {
 				RequestURI: ti.requestURI,
 			}
 
+			if ti.tls {
+				r.TLS = &tls.ConnectionState{}
+			}
+
+			if ti.localAddr != "" {
+				addr, _ := net.ResolveTCPAddr("tcp", ti.localAddr)
+				ctx := context.WithValue(r.Context(), http.LocalAddrContextKey, addr)
+				r = r.WithContext(ctx)
+			}
+
 			ti.forwarded.Set(r)
 
 			if !reflect.DeepEqual(ti.expected, r.Header) {
