HI, Maybe we should consider extending the URL construction logic to include checks for the X-Forwarded-Server header, in addition to X-Forwarded-Host and X-Forwarded-Proto. This would offer a more comprehensive way to determine the original server and scheme, particularly in scenarios where the application is behind a proxy.
What are your thoughts on this approach? Arturo On Tue, Oct 3, 2023 at 6:41 PM Arturo Bernal <aber...@apache.org> wrote: > Hi Team, > > I hope this email finds you well. I am writing to open a discussion on the > issue JSPWIKI-1056 <https://issues.apache.org/jira/browse/JSPWIKI-1056>, > which concerns the generation of relative URLs in email notifications sent > after user registration. > > As some of you may know, the emails currently contain relative URLs due to > changes in JSPWIKI-1035 > <https://issues.apache.org/jira/browse/JSPWIKI-1035>. I have submitted a > pull request (PR #311 <https://github.com/apache/jspwiki/pull/311>) that > aims to address this by generating absolute URLs. The PR introduces utility > methods in HttpUtil for this purpose. > > However, there are concerns about how this approach handles different > deployment scenarios, especially when JSPWiki installations are behind a > web server like Apache. The issue is that using HttpServletRequest to > generate the URL could expose internal URLs, which is not intended. > > I would like to invite your thoughts on how best to tackle this issue. > Some options include: > > 1. Checking for specific headers that might contain the "external" > IP/domain. > 2. Introducing a new configuration option to set the base URL > explicitly. > > I look forward to your input on this matter. Your expertise and insights > would be invaluable in finding the most robust and flexible solution. > > Best regards, > > Arturo >
