Reverse proxy mess

Source/ProofOfConcept/Program.cs

@@ -39,20 +39,6 @@ builder.Services.AddHttpClient().AddHttpClient("InsecureClient")
             HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
     });
 
-// If you know your proxy IP(s), specify them for security.
-builder.Services.Configure<ForwardedHeadersOptions>(options =>
-{
-    options.ForwardedHeaders =
-        ForwardedHeaders.XForwardedFor |
-        ForwardedHeaders.XForwardedProto |
-        ForwardedHeaders.XForwardedHost;
-
-    // Trust specific proxy or network:
-    options.KnownProxies.Clear();
-    options.KnownNetworks.Clear();
-    options.ForwardLimit = null; // but prefer being explicit when possible
-});
-
 builder.Services
     .AddAuthentication(o =>
     {
@@ -166,8 +152,20 @@ WebApplication app = builder.Build();
 ForwardedHeadersOptions forwardedHeadersOptions = new ForwardedHeadersOptions() { ForwardedHeaders = ForwardedHeaders.All };
 forwardedHeadersOptions.KnownNetworks.Clear();
 forwardedHeadersOptions.KnownProxies.Clear();
+forwardedHeadersOptions.ForwardLimit = null;            // allow entire header chain, even if single hop
+forwardedHeadersOptions.RequireHeaderSymmetry = false;  // don’t bail if headers aren’t “perfectly” paired
+
 app.UseForwardedHeaders(forwardedHeadersOptions);
 
+// quick one-time sanity log; remove after verifying
+app.Use(async (ctx, next) =>
+{
+    Console.WriteLine($"XFP={ctx.Request.Headers["X-Forwarded-Proto"]}  " +
+                      $"XFH={ctx.Request.Headers["X-Forwarded-Host"]}  " +
+                      $"Seen={ctx.Request.Scheme}://{ctx.Request.Host}{ctx.Request.PathBase}{ctx.Request.Path}{ctx.Request.QueryString}");
+    await next();
+});
+
 if (app.Environment.IsDevelopment())
 {
     app.MapOpenApi();