pomerium / pomerium / 24363732410
52%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 691
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 45.459% (+0.02%) from 45.443%
24363732410

push

github

web-flow 
routes: append X-Forwarded-Host when host rewrite is active (#6264)

## Summary

- switch the implementation from a Pomerium-specific original-host
header to Envoy's native `X-Forwarded-Host` handling
- append `X-Forwarded-Host` whenever host rewrite is active, including
the default auto-rewrite path and explicit literal/header/regex rewrites
- skip generation when `preserve_host_header: true` or when
`remove_request_headers` already removes `x-forwarded-host`
- add runtime acceptance coverage for explicit rewrite, default auto
rewrite, preserve-host, and opt-out behavior
- update the docs in `pomerium/documentation` on
`bdd/docs-original-host-header`

## Why

The earlier iteration introduced a custom `x-pomerium-original-host`
header. This revision aligns the feature with the standard header
applications already understand, reuses Envoy's built-in request
processing, and keeps the existing escape hatch through
`remove_request_headers`.

## Behavior

- `X-Forwarded-Host` is only appended when host rewrite is active.
- `preserve_host_header: true` leaves the original host untouched and
does not append `X-Forwarded-Host`.
- `remove_request_headers: [x-forwarded-host]` disables generation and
strips any inbound client-supplied value before the upstream request.

## Testing

- `make build`
- `make test`
- `make lint`
- `go test ./config/envoyconfig -run
'TestTimeouts|TestBuilder_buildMainRouteConfiguration|Test_buildPolicyRoutesRewrite|Test_setHostRewriteOptions'`
- `cd internal/acceptance/browser && npx playwright test
tests/headers/forwarded-host.spec.ts`

## AI Assistance

- Codex helped rework the implementation from the earlier custom-header
approach to Envoy-native `X-Forwarded-Host`, added acceptance coverage,
tightened the unit tests, and drafted this PR description.
- I manually reviewed the design, verified the runtime behavior in the
acceptance harness, reran build/test/lint, and incorporated Claude
review feedback before pushing.

19 of 19 new or added lines in 1 file covered. (100.0%)

16 existing lines in 4 files now uncovered.

35127 of 77271 relevant lines covered (45.46%)

114.12 hits per line

Coverage Regressions

Lines Coverage File
7
72.3
 -4.73% pkg/grpcutil/client_manager.go
4
74.26
 -1.18% internal/databroker/config_source.go
4
77.57
 -1.06% pkg/storage/postgres/backend.go
1
57.49
 -0.25% internal/controlplane/server.go
Jobs
ID Job ID Ran Files Coverage
1 24363732410.1 691
45.46
 GitHub Action Run
Source Files on build 24363732410