fix(api): keep reverse-proxy path prefix in paging next url#996
fix(api): keep reverse-proxy path prefix in paging next url#996TowyTowy wants to merge 1 commit into
Conversation
When gotify runs behind a reverse proxy that strips a subpath before forwarding (e.g. Caddy `uri strip_prefix /gotify`), the incoming request path no longer contains the prefix, so the `next` paging url emitted by GetMessages dropped it (e.g. `/message` instead of `/gotify/message`). Honor the X-Forwarded-Prefix header, which such proxies can set to announce the stripped prefix, when constructing the `next` url so it keeps pointing at the externally reachable path. Behavior is unchanged when the header is absent. Fixes gotify#664 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Hi, thanks for the contribution. I think in general XF headers should be a gated opt-in feature due to security and misconfiguration risk. Maybe this time there isn't an immediate vulnerability, in the future we may want to introduce rate limiting and such and I hope there is a master control for all/each of these magic headers. Also, given that XFP is so obscure it isn't even on MDN, maybe an alternative solution is just add a config option to override the public URL of the instance? |
|
Thanks for taking a look, and fair point on the security framing. For context on where things stand today: gotify already trusts Two ways I'm happy to take it, whichever you prefer:
(1) keeps things working with zero extra config behind a correctly-configured proxy; (2) is more explicit and sidesteps the magic headers entirely. I lean slightly toward (1) since it reuses infrastructure you already have and needs no user action, but the design direction is your call — tell me which you'd rather and I'll rework it accordingly. |
Fixes #664
When gotify runs behind a reverse proxy that strips a subpath before forwarding (e.g. Caddy
uri strip_prefix /gotify), the incoming request path no longer contains the prefix, so thenextpaging URL emitted byGetMessagesdropped it — returninghttps://example.com/message?...instead ofhttps://example.com/gotify/message?....As you noted in the issue, this case was missed in #127 (which fixed subpath handling for the WebUI/images by moving to relative URLs, but left the API's absolute
nextURL untouched).This honors the standard
X-Forwarded-Prefixheader — which such proxies set to announce the stripped prefix — when building thenextURL, consistent with how gotify already trustsX-Forwarded-Proto/X-Forwarded-Hostfor scheme and host. Behavior is unchanged when the header is absent, so it is fully backward compatible.Proxy config example (Caddy): add
header_up X-Forwarded-Prefix /gotifyalongsideuri strip_prefix /gotify.Added
Test_GetMessages_WithLimit_BehindProxyPrefix_ReturnsNextWithPrefix;go test ./api/passes.On direction: you mentioned possibly deprecating
nextin favour of clients building URLs manually. This is meant as the minimal, backward-compatible fix that makesnextcorrect today for existing clients, and it does not preclude that deprecation later — but if you would rather go straight to deprecating it, happy to close this. Your call.