hotfix: host header fix#136

Merged
thushan merged 3 commits into
mainfrom
hotfix/host-headers-fix
Apr 18, 2026
Conversation

@thushan
Owner

@thushan thushan commented Apr 18, 2026

resolves #135

Fix: incorrect Host header on proxied requests (#135)

Olla was forwarding the inbound client's Host header to the backend instead of using the backend's own hostname. HTTPS backends behind nginx rejected this because server_name matching failed; plain HTTP often tolerated it via catch-all vhosts, which is why the bug looked HTTPS-specific.

Root cause: CopyHeaders in internal/adapter/proxy/core/common.go explicitly copied originalReq.Host onto the outbound request. Both proxy engines build outbound requests from absolute URLs, so letting req.Host stay empty makes Go's transport correctly use req.URL.Host.

The original host is still available to backends via X-Forwarded-Host, which was already being set.

Also fixes, as a side effect really:

  • Wrong :authority pseudo-header on HTTP/2 connections
  • Latent Host header injection surface (CWE-444) for backends that build URLs from Host (reset links, OAuth redirects, cookie domains)

Summary by CodeRabbit

Bug Fixes

  • Corrected proxy Host header propagation to ensure inbound Host headers are no longer directly propagated to upstream requests; X-Forwarded-Host header now handles original host information instead.

Tests

  • Added comprehensive test coverage validating Host header behaviour in proxy service requests across multiple upstream backend configurations.

@thushan thushan self-assigned this Apr 18, 2026
@coderabbitai

coderabbitai Bot commented Apr 18, 2026

Warning

Rate limit exceeded

@thushan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 51 minutes and 54 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 51 minutes and 54 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7b1f82de-8728-498d-9d35-d0ee2d0848f4

📥 Commits

Reviewing files that changed from the base of the PR and between c57bf9e and 171fa79.

📒 Files selected for processing (1)
  • internal/adapter/proxy/core/common.go

Walkthrough

The changes modify how the proxy handles the Host header in outbound requests. The CopyHeaders function no longer propagates the inbound Host header to the backend request; instead, the backend receives its own listener address as the Host and the original inbound host via the X-Forwarded-Host header. New tests validate this behaviour across both proxy implementations.

Changes

Cohort / File(s) | Summary
Host header propagation logic (internal/adapter/proxy/core/common.go, internal/adapter/proxy/core/common_test.go) | Removed proxyReq.Host assignment from originalReq.Host in CopyHeaders, with behaviour now reliant on X-Forwarded-Host header handling. Added test asserting that inbound Host remains unpropagated on outbound request whilst X-Forwarded-Host is populated.
Integration test coverage (internal/adapter/proxy/proxy_headers_test.go) | Added helper function and four test cases validating backend receives correct Host header (matching listener address rather than inbound client host), inbound host propagates via X-Forwarded-Host, attacker-supplied Host headers are neutralised, and per-backend host correctness is maintained across multiple proxy instances.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
Title check | ❓ Inconclusive | The title 'hotfix: host header fix' is vague and generic, using non-descriptive terms that don't clearly convey the specific nature of the change. | Revise the title to be more specific, such as 'Fix: Prevent Host header propagation to backend requests' or 'Fix: Use backend hostname instead of client Host header in proxied requests'.
✅ Passed checks (4 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Linked Issues check | ✅ Passed | The pull request addresses all coding requirements from issue #135: it stops propagating the inbound client's Host header to backend requests and instead relies on the backend URL hostname, with the original Host provided via X-Forwarded-Host for backends that need it.
Out of Scope Changes check | ✅ Passed | All changes are directly scoped to fixing the Host header forwarding issue described in issue #135; no extraneous modifications were introduced beyond what is necessary to resolve the problem.
Docstring Coverage | ✅ Passed | Docstring coverage is 90.00% which is sufficient. The required threshold is 80.00%.

@thushan thushan added the security security related issue label Apr 18, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/adapter/proxy/core/common.go`:
- Around line 63-68: Fix the goimports lint error and tighten the comment in the
comment block referencing SCOUT-581 / OLLA-135 (the comment immediately above
the code that sets X-Forwarded-Host from originalReq.Host). Correct the typo
"superseeded" -> "superseded", rephrase the last sentence to say that
req.URL.Host is authoritative for the backend and that X-Forwarded-Host is set
from originalReq.Host only when that header is absent to preserve the original
host for backends that need it, and then run goimports (or apply import
grouping/formatting) so the file passes the linter.

In `@internal/adapter/proxy/proxy_headers_test.go`:
- Around line 196-214: The test writes handler-captured variables (e.g.,
capturedHost, capturedXFH, capturedHost1, capturedHost2) from the httptest
server goroutine and reads them from the test goroutine, causing races and also
ignores ProxyRequest errors; fix by making each handler send its captured value
into a channel (e.g., hostCh, xfhCh) and have the test receive from that channel
(with a timeout/select) after calling ProxyRequest, and change the discarded
call `_ = proxy.ProxyRequest(...)` to capture and assert/check the returned
error before reading from the channels; update all referenced tests that use
createProxy, ProxyRequest, and RequestStats accordingly (apply same
channel/select pattern to the other cases noted).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a4bddae1-1813-4696-b22e-967efac70ddb

📥 Commits

Reviewing files that changed from the base of the PR and between 0c4bfb4 and c57bf9e.

📒 Files selected for processing (3)
  • internal/adapter/proxy/core/common.go
  • internal/adapter/proxy/core/common_test.go
  • internal/adapter/proxy/proxy_headers_test.go
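The behaviour the PR description explains (copying the inbound client's Host onto the outbound request versus leaving it empty so Go's transport uses req.URL.Host) and the race-free channel capture the review comment above asks for, as an added example that is not Olla's code: buildOutbound, sendAndCapture, the hop-by-hop list and the forwardInboundHost switch are all hypothetical names constructed for this illustration, with the switch reproducing the pre-fix behaviour when true and the fixed behaviour when false.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Constructed hop-by-hop list for this example; not the project's own.
var hopByHop = map[string]bool{
	"Connection": true, "Keep-Alive": true, "Proxy-Authenticate": true,
	"Proxy-Authorization": true, "Te": true, "Trailer": true,
	"Transfer-Encoding": true, "Upgrade": true,
}

// buildOutbound builds the request a proxy sends to its backend from the
// inbound request and the backend's absolute URL (hypothetical helper).
// forwardInboundHost=true reproduces the pre-fix bug: the client's Host
// overrides the backend host. false is the fix: Host stays empty, so the
// Go transport derives the Host header from out.URL.Host.
func buildOutbound(original *http.Request, backend *url.URL, forwardInboundHost bool) (*http.Request, error) {
	target := *backend
	target.Path = original.URL.Path
	out, err := http.NewRequest(original.Method, target.String(), nil)
	if err != nil {
		return nil, err
	}
	for k, vs := range original.Header {
		if hopByHop[k] {
			continue
		}
		for _, v := range vs {
			out.Header.Add(k, v)
		}
	}
	// Preserve the original host for backends that need it, without
	// clobbering an X-Forwarded-Host set by an upstream proxy.
	if out.Header.Get("X-Forwarded-Host") == "" {
		out.Header.Set("X-Forwarded-Host", original.Host)
	}
	if forwardInboundHost {
		out.Host = original.Host // the bug: client-controlled Host reaches the backend
	} else {
		out.Host = "" // the fix: transport falls back to out.URL.Host
	}
	return out, nil
}

// captured is what the backend observed on one request, plus the backend's
// own listener address so callers can compare against it.
type captured struct {
	Host, XFH, Backend string
}

// sendAndCapture starts a recording backend, proxies one constructed inbound
// request to it, and returns what the backend saw. The handler hands its
// observation over a buffered channel instead of writing shared variables,
// so the server goroutine and the caller never race.
func sendAndCapture(inboundHost string, forwardInboundHost bool) (captured, error) {
	seen := make(chan captured, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- captured{Host: r.Host, XFH: r.Header.Get("X-Forwarded-Host")}
		w.WriteHeader(http.StatusNoContent)
	}))
	defer backend.Close()

	backendURL, err := url.Parse(backend.URL)
	if err != nil {
		return captured{}, err
	}
	// Constructed inbound request: the URL host is irrelevant, the Host
	// header is whatever the client chose to send.
	inbound := httptest.NewRequest(http.MethodGet, "http://ignored/v1/models", nil)
	inbound.Host = inboundHost
	inbound.Header.Set("Connection", "keep-alive")

	out, err := buildOutbound(inbound, backendURL, forwardInboundHost)
	if err != nil {
		return captured{}, err
	}
	resp, err := backend.Client().Do(out)
	if err != nil {
		return captured{}, err
	}
	io.Copy(io.Discard, resp.Body)
	resp.Body.Close()

	select {
	case c := <-seen:
		c.Backend = backendURL.Host
		return c, nil
	case <-time.After(2 * time.Second):
		return captured{}, fmt.Errorf("backend never received the request")
	}
}

func main() {
	for _, fwd := range []bool{true, false} {
		c, err := sendAndCapture("client.example", fwd)
		fmt.Printf("forwardInboundHost=%v backend=%q host=%q x-forwarded-host=%q err=%v\n",
			fwd, c.Backend, c.Host, c.XFH, err)
	}
}
```

Run with `go run .`: the first line shows the backend receiving the client's Host (the behaviour that made nginx's server_name matching fail), the second shows it receiving its own listener address while X-Forwarded-Host still carries the original host. The channel plus select with a timeout is the pattern the review comment requests in place of handler-written variables, and checking the ProxyRequest-equivalent error before reading the channel avoids blocking on a request that never arrived.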

@thushan thushan merged commit e82fb13 into main Apr 18, 2026
6 checks passed
@thushan thushan deleted the hotfix/host-headers-fix branch April 18, 2026 22:21
Labels

security security related issue

Development

Successfully merging this pull request may close these issues.

Broken HTTPS endpoint connections due to incorrect Host header.

1 participant