OAuth, reverse proxy, real port number

[fedy85]

Hi everyone,

i am running Roundcube 1.6.11 within mailcow docker container, having nginx proxy in front of it. First i've successfully configured roundcube-oauth plugin, which uses HTTP_X_FORWARDED_PORT for redirect_uri composition (if present). Ofcourse I would like to use native Roundcube OAuth support, but it composes the redirect_uri using $_SERVER['SERVER_PORT'] as can be seen in

roundcubemail/program/lib/Roundcube/rcube_utils.php

Line 1527 in a0d0f5e

$port = $_SERVER['SERVER_PORT'] ?? 0;

i think this could be enough to solve it (patch for version 1.6.11)

--- rcube_utils.php     2025-08-06 20:53:12.181573967 +0200
+++ rcube_utils.php.new 2025-08-06 20:51:15.692310219 +0200
@@ -1535,6 +1535,7 @@

             $host = $_SERVER['HTTP_HOST'] ?? '';
             $port = $_SERVER['SERVER_PORT'] ?? 0;
+            $port = $_SERVER['HTTP_X_FORWARDED_PORT'] ?? $port;

             $prefix = $schema . '://' . preg_replace('/:\d+$/', '', $host);
             if ($port && $port != $default_port && $port != 80) {

[alecpl]

Maybe it would make sense to use X-Forwarded-Port, but with self::check_proxy_whitelist_ip() check.

See also #9868.

[valpackett]

I hacked around this by setting $_SERVER['SERVER_PORT'] = 443; in the config (heh), but yes, definitely do accept X-Forwarded-Port from trusted proxies

[alecpl]

Something like this:

--- a/program/lib/Roundcube/rcube_utils.php
+++ b/program/lib/Roundcube/rcube_utils.php
@@ -1526,6 +1526,10 @@ class rcube_utils
             $host = $_SERVER['HTTP_HOST'] ?? '';
             $port = $_SERVER['SERVER_PORT'] ?? 0;
 
+            if (!empty($_SERVER['HTTP_X_FORWARDED_PORT']) && self::check_proxy_whitelist_ip()) {
+                $port = (int) $_SERVER['HTTP_X_FORWARDED_PORT'];
+            }
+
             $prefix = $schema . '://' . preg_replace('/:\d+$/', '', $host);
             if ($port && $port != $default_port && $port != 80) {
                 $prefix .= ':' . $port;

[alecpl]

It ended up being a bigger change. Done.