Add AppContext switch in patch release to opt-out of breaking behavior change in ForwardedHeaders middleware. (#62687)

BrennanConroy · web-flow · commit 0db16464937f · 2025-07-14T14:39:27.000-07:00
* Add AppContext switch in patch release to opt-out of breaking behavior change in ForwardedHeaders middleware.

* env
diff --git a/src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs b/src/Middleware/HttpOverrides/src/ForwardedHeadersMiddleware.cs
@@ -21,6 +21,7 @@ public class ForwardedHeadersMiddleware
     private readonly ForwardedHeadersOptions _options;
     private readonly RequestDelegate _next;
     private readonly ILogger _logger;
+    private readonly bool _ignoreUnknownProxiesWithoutFor;
     private bool _allowAllHosts;
     private IList<StringSegment>? _allowedHosts;
 
@@ -63,6 +64,18 @@ public ForwardedHeadersMiddleware(RequestDelegate next, ILoggerFactory loggerFac
         _logger = loggerFactory.CreateLogger<ForwardedHeadersMiddleware>();
         _next = next;
 
+        if (AppContext.TryGetSwitch("Microsoft.AspNetCore.HttpOverrides.IgnoreUnknownProxiesWithoutFor", out var enabled)
+            && enabled)
+        {
+            _ignoreUnknownProxiesWithoutFor = true;
+        }
+
+        if (Environment.GetEnvironmentVariable("MICROSOFT_ASPNETCORE_HTTPOVERRIDES_IGNORE_UNKNOWN_PROXIES_WITHOUT_FOR") is string env
+            && (env.Equals("true", StringComparison.OrdinalIgnoreCase) || env.Equals("1")))
+        {
+            _ignoreUnknownProxiesWithoutFor = true;
+        }
+
         PreProcessHosts();
     }
 
@@ -220,15 +233,20 @@ public void ApplyForwarders(HttpContext context)
         for (; entriesConsumed < sets.Length; entriesConsumed++)
         {
             var set = sets[entriesConsumed];
-            // For the first instance, allow remoteIp to be null for servers that don't support it natively.
-            if (currentValues.RemoteIpAndPort != null && checkKnownIps && !CheckKnownAddress(currentValues.RemoteIpAndPort.Address))
+            // Opt-out of breaking change behavior where we now always check KnownProxies and KnownNetworks
+            // It used to be guarded by the ForwardedHeaders.XForwardedFor flag, but now we always check it.
+            if (!_ignoreUnknownProxiesWithoutFor || checkFor)
             {
-                // Stop at the first unknown remote IP, but still apply changes processed so far.
-                if (_logger.IsEnabled(LogLevel.Debug))
+                // For the first instance, allow remoteIp to be null for servers that don't support it natively.
+                if (currentValues.RemoteIpAndPort != null && checkKnownIps && !CheckKnownAddress(currentValues.RemoteIpAndPort.Address))
                 {
-                    _logger.LogDebug(1, "Unknown proxy: {RemoteIpAndPort}", currentValues.RemoteIpAndPort);
+                    // Stop at the first unknown remote IP, but still apply changes processed so far.
+                    if (_logger.IsEnabled(LogLevel.Warning))
+                    {
+                        _logger.LogWarning(1, "Unknown proxy: {RemoteIpAndPort}", currentValues.RemoteIpAndPort);
+                    }
+                    break;
                 }
-                break;
             }
 
             if (checkFor)
diff --git a/src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs b/src/Middleware/HttpOverrides/test/ForwardedHeadersMiddlewareTest.cs
@@ -7,6 +7,7 @@
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.TestHost;
+using Microsoft.DotNet.RemoteExecutor;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 
@@ -1035,6 +1036,128 @@ public async Task IgnoreXForwardedHeadersFromUnknownProxy(ForwardedHeaders forwa
         }
     }
 
+    [Theory]
+    [InlineData(ForwardedHeaders.XForwardedFor)]
+    [InlineData(ForwardedHeaders.XForwardedHost)]
+    [InlineData(ForwardedHeaders.XForwardedProto)]
+    [InlineData(ForwardedHeaders.XForwardedPrefix)]
+    public void AppContextDoesNotValidateUnknownProxyWithoutForwardedFor(ForwardedHeaders forwardedHeaders)
+    {
+        RemoteExecutor.Invoke(static async (forwardedHeadersName) =>
+        {
+            Assert.True(Enum.TryParse<ForwardedHeaders>(forwardedHeadersName, out var forwardedHeaders));
+            AppContext.SetSwitch("Microsoft.AspNetCore.HttpOverrides.IgnoreUnknownProxiesWithoutFor", true);
+            using var host = new HostBuilder()
+            .ConfigureWebHost(webHostBuilder =>
+            {
+                webHostBuilder
+                .UseTestServer()
+                .Configure(app =>
+                {
+                    var options = new ForwardedHeadersOptions
+                    {
+                        ForwardedHeaders = forwardedHeaders
+                    };
+                    app.UseForwardedHeaders(options);
+                });
+            }).Build();
+
+            await host.StartAsync();
+
+            var server = host.GetTestServer();
+
+            var context = await server.SendAsync(c =>
+            {
+                c.Request.Headers["X-Forwarded-For"] = "11.111.111.11";
+                c.Request.Headers["X-Forwarded-Host"] = "testhost";
+                c.Request.Headers["X-Forwarded-Proto"] = "Protocol";
+                c.Request.Headers["X-Forwarded-Prefix"] = "/pathbase";
+                c.Connection.RemoteIpAddress = IPAddress.Parse("10.0.0.1");
+                c.Connection.RemotePort = 99;
+            });
+
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedFor))
+            {
+                // X-Forwarded-For ignored since 10.0.0.1 isn't in KnownProxies
+                Assert.Equal("10.0.0.1", context.Connection.RemoteIpAddress.ToString());
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedHost))
+            {
+                Assert.Equal("testhost", context.Request.Host.ToString());
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedProto))
+            {
+                Assert.Equal("Protocol", context.Request.Scheme);
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedPrefix))
+            {
+                Assert.Equal("/pathbase", context.Request.PathBase);
+            }
+            return RemoteExecutor.SuccessExitCode;
+        }, forwardedHeaders.ToString()).Dispose();
+    }
+
+    [Theory]
+    [InlineData(ForwardedHeaders.XForwardedFor)]
+    [InlineData(ForwardedHeaders.XForwardedHost)]
+    [InlineData(ForwardedHeaders.XForwardedProto)]
+    [InlineData(ForwardedHeaders.XForwardedPrefix)]
+    public void EnvVariableDoesNotValidateUnknownProxyWithoutForwardedFor(ForwardedHeaders forwardedHeaders)
+    {
+        RemoteExecutor.Invoke(static async (forwardedHeadersName) =>
+        {
+            Assert.True(Enum.TryParse<ForwardedHeaders>(forwardedHeadersName, out var forwardedHeaders));
+            Environment.SetEnvironmentVariable("MICROSOFT_ASPNETCORE_HTTPOVERRIDES_IGNORE_UNKNOWN_PROXIES_WITHOUT_FOR", "true");
+            using var host = new HostBuilder()
+            .ConfigureWebHost(webHostBuilder =>
+            {
+                webHostBuilder
+                .UseTestServer()
+                .Configure(app =>
+                {
+                    var options = new ForwardedHeadersOptions
+                    {
+                        ForwardedHeaders = forwardedHeaders
+                    };
+                    app.UseForwardedHeaders(options);
+                });
+            }).Build();
+
+            await host.StartAsync();
+
+            var server = host.GetTestServer();
+
+            var context = await server.SendAsync(c =>
+            {
+                c.Request.Headers["X-Forwarded-For"] = "11.111.111.11";
+                c.Request.Headers["X-Forwarded-Host"] = "testhost";
+                c.Request.Headers["X-Forwarded-Proto"] = "Protocol";
+                c.Request.Headers["X-Forwarded-Prefix"] = "/pathbase";
+                c.Connection.RemoteIpAddress = IPAddress.Parse("10.0.0.1");
+                c.Connection.RemotePort = 99;
+            });
+
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedFor))
+            {
+                // X-Forwarded-For ignored since 10.0.0.1 isn't in KnownProxies
+                Assert.Equal("10.0.0.1", context.Connection.RemoteIpAddress.ToString());
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedHost))
+            {
+                Assert.Equal("testhost", context.Request.Host.ToString());
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedProto))
+            {
+                Assert.Equal("Protocol", context.Request.Scheme);
+            }
+            if (forwardedHeaders.HasFlag(ForwardedHeaders.XForwardedPrefix))
+            {
+                Assert.Equal("/pathbase", context.Request.PathBase);
+            }
+            return RemoteExecutor.SuccessExitCode;
+        }, forwardedHeaders.ToString()).Dispose();
+    }
+
     [Fact]
     public async Task PartiallyEnabledForwardsPartiallyChangesRequest()
     {
