Skip to content

fix: WebSocket proxy to respect PassHostHeader setting #3290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tuunit merged 2 commits into from
Jan 16, 2026
Merged

fix: WebSocket proxy to respect PassHostHeader setting #3290

tuunit merged 2 commits into from
Jan 16, 2026
+55 −6

Conversation

@UnsignedLong
Copy link
Contributor

@UnsignedLong UnsignedLong commented Dec 17, 2025
edited by tuunit
Loading

Description

This PR fixes a bug where WebSocket connections fail when pass_host_header is set to false. The WebSocket proxy was not respecting this configuration setting, while the regular HTTP proxy does.

The fix ensures the WebSocket proxy respects the PassHostHeader configuration by:

  • Adding passHostHeader parameter to newWebSocketReverseProxy()
  • Applying setProxyUpstreamHostHeader() when PassHostHeader=false
  • Ensuring consistent behavior between HTTP and WebSocket proxies

Motivation and Context

When pass_host_header=false is configured, regular HTTP requests correctly set the Host header to the upstream backend URL. However, WebSocket upgrade requests retain the original request host, causing failures when backend services validate the Host header (e.g., Google Cloud Run, Kubernetes ingress, strict reverse proxies).

This inconsistency breaks WebSocket functionality for deployments using:

  • pass_host_header=false
  • proxy_websockets=true
  • Backends that validate the Host header

Fixes #3288

How Has This Been Tested?

Tested in production with:

  • OAuth2-proxy version: master branch and implemented the proposed changes
  • Backend: Google Cloud Run with websocket application (Cloud Run uses Host header to route traffic to the correct backend)
  • Configuration: pass_host_header=false

Test results:

  • Regular HTTP requests work correctly
  • WebSocket connections successfully establish
  • WebSocket connections remain stable
  • Backend receives correct Host header for both HTTP and WebSocket requests

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.

@UnsignedLong UnsignedLong requested a review from a team as a code owner December 17, 2025 11:02
@github-actions github-actions bot added the go label Dec 17, 2025
@UnsignedLong UnsignedLong force-pushed the fix/websocket-passHostHeader branch 2 times, most recently from a704ca2 to 2f1b81f Compare December 17, 2025 11:12
tuunit
tuunit requested changes Jan 14, 2026
View reviewed changes
Copy link
Member

@tuunit tuunit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a unit test for this changed behaviour and a CHANGELOG.md entry :)

@tuunit tuunit changed the title Fix WebSocket proxy to respect PassHostHeader setting fix: WebSocket proxy to respect PassHostHeader setting Jan 14, 2026
@UnsignedLong UnsignedLong requested a review from tuunit January 16, 2026 10:53
@UnsignedLong @tuunit
Fix WebSocket proxy to respect PassHostHeader setting
a5453c7 
When PassHostHeader is set to false, the regular HTTP proxy correctly
sets the Host header to the upstream backend URL. However, the WebSocket
proxy was not respecting this setting, causing WebSocket connections to
fail when backend services validate the Host header.

This commit:
- Adds passHostHeader parameter to newWebSocketReverseProxy()
- Applies setProxyUpstreamHostHeader() when PassHostHeader=false
- Ensures consistent behavior between HTTP and WebSocket proxies

Fixes oauth2-proxy#3288

Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>
@UnsignedLong @tuunit
chore(): add tests, update changelog
1e5d396 
Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>
@tuunit tuunit force-pushed the fix/websocket-passHostHeader branch from 591e100 to 1e5d396 Compare January 16, 2026 19:24
@tuunit tuunit merged commit 1d6721f into oauth2-proxy:master Jan 16, 2026
4 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Jan 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tuunit tuunit tuunit approved these changes

Assignees

No one assigned

Labels

docs go tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: WebSocket proxy ignores pass_host_header=false setting

2 participants

@UnsignedLong @tuunit