24184176203

Committed 09 Apr 2026 09:57AM UTC coverage: 64.994% (+0.03%) from 64.96%

Build # 24184176203

Build Type

push

github

Committed by

web-flow

Commit Message

Strip proxy headers from SigV4 signing clone (#4670)

When requests arrive through a gateway (e.g. ngrok), `X-Forwarded-*`
headers get signed by SigV4. Then `httputil.ReverseProxy.SetXForwarded()`
rewrites those values, causing AWS to reject with 401 due to signature
mismatch. Strip `X-Forwarded-For`/`Host`/`Proto`, `X-Real-Ip`, and
`Forwarded` (RFC 7239) from the signing clone before computing the
signature.

This regressed in 07918761 ("Bump Go to 1.26.0", #4040) which
refactored the transparent proxy from `httputil.NewSingleHostReverseProxy`
(using `Director`) to `&httputil.ReverseProxy{Rewrite: ...}`. The new
`Rewrite` callback calls `pr.SetXForwarded()`, which injects
`X-Forwarded-*` headers on the outbound request — something the old
`Director`-based approach did not do.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Coverage Stats

11 of 11 new or added lines in 1 file covered. (100.0%)

17 existing lines in 4 files now uncovered.

55593 of 85535 relevant lines covered (64.99%)

62.75 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

79.38

/pkg/transport/proxy/httpsse/http_proxy.go

stacklok / toolhive / 24184176203

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous