Releases: suin/ishi
Add X-Forwarded-Host Header
Ishi now adds the X-Forwarded-Host header to requests. The header describes the host name that users access. These host names are a combination of IP address and port number, such as 192.168.0.10:8000, so backend applications can easily determine the original host name.
For example, PHP applications can get the X-Forwarded-Host header from $_SERVER:
$originalHostname = $_SERVER['HTTP_X_FORWARDED_HOST'];
// This will be a LAN IP address and port, such as 192.168.0.10:8000.
// You could also overwrite `HTTP_HOST` with `HTTP_X_FORWARDED_HOST`.
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'] ?? $_SERVER['HTTP_HOST']; // PHP7 style
// isset() avoids an undefined-index notice when the header is absent.
$_SERVER['HTTP_HOST'] = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ? $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER['HTTP_HOST']; // PHP5 style
WARNING
Handle the X-Forwarded-Host header with care. The header sometimes leads to exploits because attackers can easily spoof it. Especially in production, it is recommended to disable use of the header.
// Honor the forwarded host only in the development environment.
if ($_ENV['environment'] === 'development') {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'] ?? $_SERVER['HTTP_HOST'];
}
If you use the Symfony family, Trusting Proxies is also a good choice.
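For applications that do not use a framework's trusted-proxy support, the check below honors X-Forwarded-Host only when the direct peer is a known proxy and the value is a well-formed host[:port]. It is an added example, not code from Ishi or its author; `resolveHost`, `TRUSTED_PROXIES`, the proxy addresses and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: addresses of the proxies allowed to set X-Forwarded-Host
// (here, a proxy running on the same machine as the application).
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Returns the host name to use for this request. The forwarded value is
 * used only when the TCP peer is a trusted proxy and the value looks like
 * host[:port]; in every other case the original Host header is kept.
 */
function resolveHost(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    $host = $server['HTTP_HOST'] ?? '';
    $forwarded = $server['HTTP_X_FORWARDED_HOST'] ?? null;
    if ($forwarded === null) {
        return $host;
    }
    // REMOTE_ADDR is the address of the TCP peer; request headers cannot change it.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return $host;
    }
    // Accept a host name or IPv4 address with an optional port. Lists,
    // whitespace, slashes and control characters are rejected.
    // IPv6 literals are deliberately not handled in this example.
    $pattern = '/\A[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?(?::[0-9]{1,5})?\z/i';
    if (preg_match($pattern, $forwarded) !== 1) {
        return $host;
    }
    return $forwarded;
}

// Constructed sample requests (not captured traffic).
$samples = [
    'via trusted proxy' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_HOST' => 'app.local',
                            'HTTP_X_FORWARDED_HOST' => '192.168.0.10:8000'],
    'direct, spoofed'   => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_HOST' => 'app.local',
                            'HTTP_X_FORWARDED_HOST' => 'evil.example'],
    'malformed value'   => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_HOST' => 'app.local',
                            'HTTP_X_FORWARDED_HOST' => 'evil.example/<script>'],
];

foreach ($samples as $label => $server) {
    printf("%-18s => %s\n", $label, resolveHost($server));
}
```

The peer check only helps when the trusted proxy itself overwrites any X-Forwarded-Host value sent by the client; a proxy that passes the client's header through unchanged makes the forwarded value attacker-controlled again.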
Related Issues