reverseproxy: Fix check for header_up Host {upstream_hostport} redundancy (#7564)

* Fix check for header_up Signed-off-by: yubiuser <github@yubiuser.dev> * Onyl check in case commonScheme == "https" Signed-off-by: yubiuser <github@yubiuser.dev> * Move check after TLS transport is enabled Signed-off-by: yubiuser <github@yubiuser.dev> --------- Signed-off-by: yubiuser <github@yubiuser.dev>
2026-04-04 00:01:47 -04:00 · 2026-03-30 18:56:10 +02:00 · 2026-03-30 18:56:10 +02:00 · ea4ee3ae5d
commit ea4ee3ae5d
parent 30b80bece8
1 changed files with 8 additions and 3 deletions
--- a/modules/caddyhttp/reverseproxy/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/caddyfile.go
@ -725,9 +725,6 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 				err = headers.CaddyfileHeaderOp(h.Headers.Request, args[0], "", nil)
 			case 2:
 				// some lint checks, I guess
-				if strings.EqualFold(args[0], "host") && (args[1] == "{hostport}" || args[1] == "{http.request.hostport}") {
-					caddy.Log().Named("caddyfile").Warn("Unnecessary header_up Host: the reverse proxy's default behavior is to pass headers to the upstream")
-				}
 				if strings.EqualFold(args[0], "x-forwarded-for") && (args[1] == "{remote}" || args[1] == "{http.request.remote}" || args[1] == "{remote_host}" || args[1] == "{http.request.remote.host}") {
 					caddy.Log().Named("caddyfile").Warn("Unnecessary header_up X-Forwarded-For: the reverse proxy's default behavior is to pass headers to the upstream")
 				}
@ -885,6 +882,14 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 					return err
 				}
 			}
+			// check if the user set 'header_up host upstream_hostport' when proxying to HTTPS
+			// this is unnecessary because it's the default behavior already
+			if te.TLSEnabled() && h.Headers != nil && h.Headers.Request != nil {
+				hostVal := h.Headers.Request.Set.Get("Host")
+				if hostVal == "{upstream_hostport}" || hostVal == "{http.reverse_proxy.upstream.hostport}" {
+					caddy.Log().Named("caddyfile").Warn("Unnecessary header_up Host: the reverse proxy's default behavior is to pass the configured upstream address to the upstream when proxying to HTTPS")
+				}
+			}
 			if commonScheme == "http" && te.TLSEnabled() {
 				return d.Errf("upstream address scheme is HTTP but transport is configured for HTTP+TLS (HTTPS)")
 			}