fix(http): honor X-Forwarded-Prefix when proxy strips the prefix#9614
Merged
mudler merged 2 commits intoMay 13, 2026
Conversation
Dennisadira
force-pushed
the
fix/x-forwarded-prefix-asset-urls
branch
from
834e876 to
8cce6da
Compare
Closes mudler#9145. Two related issues kept the React UI from loading when a reverse proxy rewrites a sub-path with prefix-stripping (e.g. Caddy `handle_path`): 1. `BaseURL` only computed a prefix from the path StripPathPrefix had removed, so when the proxy strips the prefix before forwarding, the request arrives without it and the base URL was returned without a prefix. Extract a `BasePathPrefix` helper and add an `X-Forwarded-Prefix` header fallback so the prefix is recovered. 2. `<base href>` only changes how relative URLs resolve; the build emits path-absolute references like `/assets/...` and `/favicon.svg`, which still resolve against the origin and bypass the proxy prefix. Rewrite those references in the served `index.html` so the browser requests them through the proxy. Adds unit coverage for `BaseURL` with a pre-stripped path and an end-to-end test for the proxy-stripped scenario. Assisted-by: Claude:claude-opus-4-7
…ePathPrefix BasePathPrefix consumed X-Forwarded-Prefix directly, so a value the codebase elsewhere rejects (e.g. "//evil.com") slipped through and was interpolated into the SPA index.html — both into the path-absolute asset URL rewrite in serveIndex (turning "/assets/..." into "//evil.com/assets/...", a protocol-relative URL that loads JS from a foreign origin) and into <base href>. Route the header through the existing SafeForwardedPrefix validator that StripPathPrefix and prefixRedirect already use, and HTML-escape the prefix before injecting it into the asset rewrite as defense in depth against attribute breakout. Tests cover //evil.com, backslashes, control chars, CR/LF and a missing leading slash; the integration test asserts an unsafe prefix can't poison asset URLs. Signed-off-by: Ettore Di Giacinto <[email protected]> Assisted-by: claude-code:claude-opus-4-7-1m [Read] [Edit] [Bash]
mudler
force-pushed
the
fix/x-forwarded-prefix-asset-urls
branch
from
8cce6da to
348557a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #9145.
The React UI failed to load when LocalAI was exposed through a reverse proxy that strips the matched path prefix before forwarding (e.g. Caddy's
handle_path /localai/*). Two issues combined to break this:BaseURLignoredX-Forwarded-PrefixwhenStripPathPrefixhad nothing to strip. It only computed a prefix from the request path the middleware had rewritten, so when the proxy already stripped the prefix upstream the base URL came back without one. Extracted aBasePathPrefix(c)helper and added anX-Forwarded-Prefixheader fallback so the prefix is recovered in either flow.<base href>correct, path-absolute references bypass it. Per the HTML spec, URLs starting with/resolve against the base origin, not the base path, so the="/assets/..."and="/favicon.svg"references emitted by the build went straight to the origin and bypassed the proxy prefix.serveIndexnow rewrites those references to include the prefix when one is present.Test plan
go test ./core/http/middleware/...— 19/19 specs pass, including newBaseURLcases for the pre-stripped path scenario (with and without trailing slash on the header).core/http/app_test.goasserts both<base href>and asset URLs are correct when the prefix arrives only viaX-Forwarded-Prefix.handle_pathwith the reproducer from X-Forwarded-Prefix no longer works #9145.🤖 Generated with Claude Code