From 86c000f3237880581091fdf568f7ef17fdc11b1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Szak=C3=A1ts=20Alp=C3=A1r=20Zsolt?=
Date: Wed, 15 Oct 2025 19:43:32 +0200
Subject: [PATCH] Reverse proxy mess
---
 Source/ProofOfConcept/Program.cs | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/Source/ProofOfConcept/Program.cs b/Source/ProofOfConcept/Program.cs
index eaac161..bc01ccb 100644
--- a/Source/ProofOfConcept/Program.cs
+++ b/Source/ProofOfConcept/Program.cs
@@ -39,20 +39,6 @@ builder.Services.AddHttpClient().AddHttpClient("InsecureClient")
 HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
 });
-// If you know your proxy IP(s), specify them for security.
-builder.Services.Configure(options =>
-{
- options.ForwardedHeaders =
- ForwardedHeaders.XForwardedFor |
- ForwardedHeaders.XForwardedProto |
- ForwardedHeaders.XForwardedHost;
-
- // Trust specific proxy or network:
- options.KnownProxies.Clear();
- options.KnownNetworks.Clear();
- options.ForwardLimit = null; // but prefer being explicit when possible
-});
-
 builder.Services
 .AddAuthentication(o =>
 {
@@ -166,8 +152,20 @@ WebApplication app = builder.Build();
 ForwardedHeadersOptions forwardedHeadersOptions = new ForwardedHeadersOptions() { ForwardedHeaders = ForwardedHeaders.All };
 forwardedHeadersOptions.KnownNetworks.Clear();
 forwardedHeadersOptions.KnownProxies.Clear();
+forwardedHeadersOptions.ForwardLimit = null; // allow entire header chain, even if single hop
+forwardedHeadersOptions.RequireHeaderSymmetry = false; // don’t bail if headers aren’t “perfectly” paired
+
 app.UseForwardedHeaders(forwardedHeadersOptions);
+// quick one-time sanity log; remove after verifying
+app.Use(async (ctx, next) =>
+{
+ Console.WriteLine($"XFP={ctx.Request.Headers["X-Forwarded-Proto"]} " +
+ $"XFH={ctx.Request.Headers["X-Forwarded-Host"]} " +
+ $"Seen={ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}{ctx.Request.Path}{ctx.Request.QueryString}");
+ await next();
+});
+
 if (app.Environment.IsDevelopment())
 {
 app.MapOpenApi();
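Review bot: The added `forwardedHeadersOptions.ForwardLimit = null;` sits on top of the already-cleared `KnownNetworks`/`KnownProxies` lists and `ForwardedHeaders.All`, so the middleware now accepts the whole `X-Forwarded-*` chain from any peer. Unless the proxy overwrites these headers and is the only route to the app, the caller decides the scheme, host and remote IP the app sees, and those values presumably feed the redirect URIs of the authentication handlers registered earlier in the file. I would pin the trust boundary instead, e.g. `forwardedHeadersOptions.KnownProxies.Add(IPAddress.Parse("<proxy-ip>"));` with `forwardedHeadersOptions.ForwardLimit = 1;` (or the real hop count); `RequireHeaderSymmetry = false` is already the default in current ASP.NET Core, so that line can be dropped. The `app.Use` diagnostic writes raw client-supplied header values and the full `QueryString` to the console on every request, not once, and on an authentication callback the query string can carry codes or tokens. Gate it with `if (app.Environment.IsDevelopment())` and drop `{ctx.Request.QueryString}`, or remove the block before this is merged.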