Add reverse proxy header security and forwarding

- Rewrite Host header to backend target (configurable via pass_host_header per mapping) - Strip and set X-Forwarded-For/X-Real-IP from direct connection (trust boundary) - Set X-Forwarded-Host and X-Forwarded-Proto headers - Strip nb_session cookie and session_token query param before forwarding - Add --forwarded-proto flag (auto/http/https) for proto detection - Fix OIDC redirect hardcoded https scheme - Add pass_host_header to proto, API, and management model
2026-04-21 17:56:39 +00:00 · 2026-02-08 14:16:52 +08:00
parent 0a3a9f977d
commit 07e59b2708
13 changed files with 700 additions and 228 deletions
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -2857,6 +2857,9 @@ components:
        enabled:
          type: boolean
          description: Whether the reverse proxy is enabled
+        pass_host_header:
+          type: boolean
+          description: When true, the original client Host header is passed through to the backend instead of being rewritten to the backend's address
        auth:
          $ref: '#/components/schemas/ReverseProxyAuthConfig'
        meta:
@@ -2914,6 +2917,9 @@ components:
          type: boolean
          description: Whether the reverse proxy is enabled
          default: true
+        pass_host_header:
+          type: boolean
+          description: When true, the original client Host header is passed through to the backend instead of being rewritten to the backend's address
        auth:
          $ref: '#/components/schemas/ReverseProxyAuthConfig'
      required: