fix: server functions x-forwarded-host possible multiple values #73701
Conversation
|
Allow CI Workflow Run
Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer |
Netail
changed the title
Netail
force-pushed
the
fix/server-functions-x-forwarded-host
branch
from
3096cb7 to
3ea80a0
Compare
We can separate the host parsing to it's own function, then test this separately? |
|
That sounds good to me |
Netail
force-pushed
the
fix/server-functions-x-forwarded-host
branch
from
5a9f274 to
e1dffb4
Compare
|
Could this potentially be backported into v14? |
|
Sure, similar PR can be made agains the |
Stats from current PRDefault Build (Increase detected
|
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| buildDuration | 19.9s | 17.4s | N/A |
| buildDurationCached | 16.5s | 14.3s | N/A |
| nodeModulesSize | 417 MB | 417 MB | |
| nextStartRea..uration (ms) | 481ms | 488ms | N/A |
Client Bundles (main, webpack)
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| 1187-HASH.js gzip | 52.6 kB | 52.6 kB | N/A |
| 8276.HASH.js gzip | 169 B | 168 B | N/A |
| 8377-HASH.js gzip | 5.36 kB | 5.36 kB | N/A |
| bccd1874-HASH.js gzip | 52.8 kB | 52.8 kB | N/A |
| framework-HASH.js gzip | 57.5 kB | 57.5 kB | N/A |
| main-app-HASH.js gzip | 232 B | 235 B | N/A |
| main-HASH.js gzip | 34.1 kB | 34.1 kB | N/A |
| webpack-HASH.js gzip | 1.71 kB | 1.71 kB | N/A |
| Overall change | 0 B | 0 B | ✓ |
Legacy Client Bundles (polyfills)
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| polyfills-HASH.js gzip | 39.4 kB | 39.4 kB | ✓ |
| Overall change | 39.4 kB | 39.4 kB | ✓ |
Client Pages
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| _app-HASH.js gzip | 193 B | 193 B | ✓ |
| _error-HASH.js gzip | 193 B | 193 B | ✓ |
| amp-HASH.js gzip | 512 B | 510 B | N/A |
| css-HASH.js gzip | 343 B | 342 B | N/A |
| dynamic-HASH.js gzip | 1.84 kB | 1.84 kB | ✓ |
| edge-ssr-HASH.js gzip | 265 B | 265 B | ✓ |
| head-HASH.js gzip | 363 B | 362 B | N/A |
| hooks-HASH.js gzip | 393 B | 392 B | N/A |
| image-HASH.js gzip | 4.49 kB | 4.49 kB | N/A |
| index-HASH.js gzip | 268 B | 268 B | ✓ |
| link-HASH.js gzip | 2.35 kB | 2.34 kB | N/A |
| routerDirect..HASH.js gzip | 328 B | 328 B | ✓ |
| script-HASH.js gzip | 397 B | 397 B | ✓ |
| withRouter-HASH.js gzip | 323 B | 326 B | N/A |
| 1afbb74e6ecf..834.css gzip | 106 B | 106 B | ✓ |
| Overall change | 3.59 kB | 3.59 kB | ✓ |
Client Build Manifests
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| _buildManifest.js gzip | 749 B | 747 B | N/A |
| Overall change | 0 B | 0 B | ✓ |
Rendered Page Sizes
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| index.html gzip | 524 B | 522 B | N/A |
| link.html gzip | 538 B | 536 B | N/A |
| withRouter.html gzip | 520 B | 519 B | N/A |
| Overall change | 0 B | 0 B | ✓ |
Edge SSR bundle Size
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| edge-ssr.js gzip | 128 kB | 128 kB | N/A |
| page.js gzip | 206 kB | 206 kB | N/A |
| Overall change | 0 B | 0 B | ✓ |
Middleware size
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| middleware-b..fest.js gzip | 667 B | 667 B | ✓ |
| middleware-r..fest.js gzip | 155 B | 156 B | N/A |
| middleware.js gzip | 31.2 kB | 31.2 kB | N/A |
| edge-runtime..pack.js gzip | 844 B | 844 B | ✓ |
| Overall change | 1.51 kB | 1.51 kB | ✓ |
Next Runtimes
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| 274-experime...dev.js gzip | 322 B | 322 B | ✓ |
| 274.runtime.dev.js gzip | 314 B | 314 B | ✓ |
| app-page-exp...dev.js gzip | 363 kB | 363 kB | N/A |
| app-page-exp..prod.js gzip | 129 kB | 129 kB | N/A |
| app-page-tur..prod.js gzip | 142 kB | 142 kB | N/A |
| app-page-tur..prod.js gzip | 138 kB | 138 kB | N/A |
| app-page.run...dev.js gzip | 351 kB | 351 kB | N/A |
| app-page.run..prod.js gzip | 125 kB | 125 kB | N/A |
| app-route-ex...dev.js gzip | 37.5 kB | 37.5 kB | ✓ |
| app-route-ex..prod.js gzip | 25.5 kB | 25.5 kB | ✓ |
| app-route-tu..prod.js gzip | 25.5 kB | 25.5 kB | ✓ |
| app-route-tu..prod.js gzip | 25.4 kB | 25.4 kB | ✓ |
| app-route.ru...dev.js gzip | 39.2 kB | 39.2 kB | ✓ |
| app-route.ru..prod.js gzip | 25.4 kB | 25.4 kB | ✓ |
| pages-api-tu..prod.js gzip | 9.69 kB | 9.69 kB | ✓ |
| pages-api.ru...dev.js gzip | 11.6 kB | 11.6 kB | ✓ |
| pages-api.ru..prod.js gzip | 9.68 kB | 9.68 kB | ✓ |
| pages-turbo...prod.js gzip | 21.7 kB | 21.7 kB | ✓ |
| pages.runtim...dev.js gzip | 27.5 kB | 27.5 kB | ✓ |
| pages.runtim..prod.js gzip | 21.7 kB | 21.7 kB | ✓ |
| server.runti..prod.js gzip | 916 kB | 916 kB | ✓ |
| Overall change | 1.2 MB | 1.2 MB | ✓ |
build cache Overall increase ⚠️
| vercel/next.js canary | Netail/next.js fix/server-functions-x-forwarded-host | Change | |
|---|---|---|---|
| 0.pack gzip | 2.08 MB | 2.08 MB | |
| index.pack gzip | 74.6 kB | 73.8 kB | N/A |
| Overall change | 2.08 MB | 2.08 MB |
Diff details
Diff for main-HASH.js
Diff too large to display
Diff for app-page-exp..ntime.dev.js
Diff too large to display
Diff for app-page-exp..time.prod.js
Diff too large to display
Diff for app-page-tur..time.prod.js
Diff too large to display
Diff for app-page-tur..time.prod.js
Diff too large to display
Diff for app-page.runtime.dev.js
Diff too large to display
Diff for app-page.runtime.prod.js
Diff too large to display
|
Alright, so basically a Apache proxy prepends the host to the current value (comma separated), so will add that use case too https://sources.debian.org/src/apache2/2.4.62-6/modules/proxy/proxy_util.c/#L4755 |
|
Should be good to go :) |
|
Could you add a case for the domain with a dot at the end? I'm getting the following error: |
What's the use case for a domain with a dot behind? Where does this come from? How is this set? |
No idea tbh. I wish I knew. None of my domain configs in Vercel have a dot at the end, and on my DNS config I just have an A record on the base domain (also without the dot) pointing to IP 76.76.21.21 |
|
Mixed feelings about the regex solution 🤔 |
|
Hi @ijjk |
| } else if (!host || originDomain !== host.value) { | ||
| } else if ( | ||
| !host || | ||
| new RegExp('^' + host.value + '(.?)$').test(originDomain) |
There was a problem hiding this comment.
Let's drop this for now as this doesn't seem valid and we should track down where the invalid trailing dot is coming from instead.
There was a problem hiding this comment.
Okidoki, not sure how Vercel works from the inside, so can't help on that part. Can come from some proxy or the DNS
There was a problem hiding this comment.
@jperezr21 could you share the project you are seeing this on ideally a specific deployment URL?
Summary
The x-forwarded-host header can be an array (
string | string[] | undefined), which used to be casted tostring | undefined. So when comparing the origin vs the x-forwarded-host, it ends up comparing an array to a string. Resulting in the following error;