ATS can be configured such that when it receives a redirect (3xx) response from an origin server, it will follow the redirect itself rather than return the response to the client.
Consider the scenario when the redirect response contains a Location header field with a destination of localhost. In a forward-proxy scenario, where the origin server is "outside" the network, redirects to the localhost are not desirable. In the reverse-proxy scenario, where the origin server is "inside" the network, redirects to localhost are generally not desirable either. Exceptions to this might be when the origin serves requests from the same host as the proxy, and as a convenience when writing functional tests such that they can exercise redirect following without the need for a local DNS setup.

We are considering changing the default behavior to stop following any redirect when its destination is localhost (or its variants) when following of redirects has been enabled. A config would be added, with noticeable warnings, that would enable the former behavior and allow redirects to be followed to localhost.

1. Does this seem like a good change to make?
2. How would we handle the redirect-to-localhost case under the new behavior? Should we return a 403? A 500? Or should we return the redirect response back to the client as-is?
3. Should we add a way to configure a sort of policy for when to follow redirects and what response to return on no-follow, or should we have a simple config boolean value and a standard behavior?

Looking forward to your input,
-- Derek
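
An added example, not part of the original message and not ATS code: one way to classify the host of a redirect Location as "localhost or its variants" before deciding whether to follow it. The names `is_loopback_host`, `should_follow_redirect` and `allow_localhost` are hypothetical, and the sample hosts are constructed.

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>

// Hypothetical helper (not an ATS function): true when the host taken from a
// redirect Location header names the loopback interface.
bool is_loopback_host(std::string host)
{
  // IPv6 literals are bracketed in a URL authority, e.g. [::1].
  if (host.size() >= 2 && host.front() == '[' && host.back() == ']') host = host.substr(1, host.size() - 2);
  // Host names are case-insensitive; a trailing dot marks a fully qualified name.
  std::transform(host.begin(), host.end(), host.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  if (!host.empty() && host.back() == '.') host.pop_back();

  // RFC 6761: "localhost" and every name under ".localhost" are loopback names.
  static const std::string suffix = ".localhost";
  if (host == "localhost" || (host.size() > suffix.size() &&
      host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0)) {
    return true;
  }
  in_addr v4;
  if (inet_pton(AF_INET, host.c_str(), &v4) == 1) {
    return (ntohl(v4.s_addr) >> 24) == 127; // all of 127.0.0.0/8, not only 127.0.0.1
  }
  in6_addr v6;
  if (inet_pton(AF_INET6, host.c_str(), &v6) == 1) {
    if (IN6_IS_ADDR_LOOPBACK(&v6)) return true;                  // ::1
    if (IN6_IS_ADDR_V4MAPPED(&v6)) return v6.s6_addr[12] == 127; // ::ffff:127.x.y.z
  }
  return false;
}

// Models the proposed default: loopback destinations are followed only when
// the (hypothetical) opt-in setting is enabled.
bool should_follow_redirect(const std::string &host, bool allow_localhost)
{
  return allow_localhost || !is_loopback_host(host);
}

int main()
{
  for (const char *h : {"localhost", "LocalHost.", "127.8.9.10", "[::1]", "example.com"}) // constructed
    std::printf("%-12s follow=%d\n", h, should_follow_redirect(h, false));
  return 0;
}
```

A name that is not syntactically loopback can still resolve to a loopback address, so the same address test also belongs after DNS resolution.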