1. Yes.

2. I think a 403

3. We can add more sophisticated configuration later, if there turns out to
be a need.


On Mon, Aug 6, 2018 at 4:48 PM Derek Dagit <der...@oath.com.invalid> wrote:

> ATS can be configured such that when it receives a redirect (3xx) response
> from an origin server, it will follow the redirect itself rather than
> return the response to the client.
>
> Consider the scenario when the redirect response contains a Location header
> field with a destination of localhost.
>
> In a forward-proxy scenario, where the origin server is "outside" the
> network, redirects to the localhost are not desirable.
>
> In the reverse-proxy scenario, where the origin server is "inside" the
> network, redirects to localhost are generally not desirable either.
> Exceptions to this might be when the origin serves requests from the same
> host as the proxy, and as a convenience when writing functional tests such
> that they can exercise redirect following without the need for a local DNS
> setup.
>
>
>
> We are considering changing the default behavior to stop following any
> redirect when its destination is localhost (or its variants) when following
> of redirects has been enabled.
>
> A config would be added, with noticeable warnings, that would enable the
> former behavior and allow redirects to be followed to localhost.
>
>
>
> 1. Does this seem like a good change to make?
>
> 2. How would we handle the redirect-to-localhost case under the new
> behavior? Should we return a 403? A 500? Or should we return the redirect
> response back to the client as-is?
>
> 3. Should we add a way to configure a sort of policy for when to follow
> redirects and what response to return on no-follow, or should we have a
> simple config boolean value and a standard behavior?
>
>
> Looking forward to your input,
>
> --
> Derek
>


-- 
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the
ducks instead.*
*It's easier that way. *- Genesis : Duke : VI 25-28
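The check the quoted proposal describes, as an added example that is not part of this thread or of the ATS code base: it classifies the `Location` target of a 3xx response as "localhost or one of its variants" and maps that to the policy options raised in question 3 (forbid with 403, hand the redirect back to the client, or the legacy follow). The policy names and function names are invented for illustration, not real ATS configuration records.

```python
"""Redirect-following policy for a proxy: do not follow a 3xx whose
Location points back at the proxy host itself.

Added illustration; the constants below are hypothetical, not ATS
records.config names.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy values for the proposed config knob.
POLICY_FOLLOW = "follow"            # former behaviour: follow even to localhost
POLICY_FORBID = "403"               # answer the client with 403 Forbidden
POLICY_PASSTHROUGH = "passthrough"  # return the origin's 3xx to the client as-is


def is_localhost_target(location: str) -> bool:
    """True if the Location URL's host is localhost or a loopback variant.

    Covers: 'localhost', 'localhost.' (trailing dot), '*.localhost'
    (RFC 6761), 127.0.0.0/8, 0.0.0.0, ::1, ::, IPv4-mapped ::ffff:127.x.x.x,
    bracketed IPv6 literals and explicit ports. A relative Location has no
    host and resolves against the origin, so it is treated as not-localhost.
    """
    host = urlsplit(location).hostname  # lower-cased, brackets/port stripped
    if host is None:
        return False
    name = host.rstrip(".")
    if name == "localhost" or name.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return False  # ordinary DNS name: only the resolver can judge it
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 part
    return addr.is_loopback or addr.is_unspecified


def decide_redirect(status: int, location: str, policy: str = POLICY_FORBID):
    """Return (status_to_send, action) for a response from the origin.

    Non-3xx responses pass through untouched; redirects to ordinary hosts
    are followed; redirects to localhost get the configured policy, with
    403 as the default the thread's first reply argues for.
    """
    if not 300 <= status < 400 or not location:
        return status, "pass"
    if not is_localhost_target(location):
        return status, "follow"
    if policy == POLICY_FOLLOW:
        return status, "follow"  # opt-in legacy behaviour
    if policy == POLICY_PASSTHROUGH:
        return status, "passthrough"
    return 403, "forbid"


if __name__ == "__main__":
    # Constructed sample Location values, not captured traffic.
    for loc in ("http://localhost/admin", "http://[::ffff:127.0.0.1]:9000/",
                "http://dev.localhost/", "http://example.com/next"):
        print(loc, "->", decide_redirect(302, loc))
```

The string check only catches literal spellings; a public DNS name that resolves to 127.0.0.1 looks harmless here, so the same `is_loopback`/`is_unspecified` test should also run on the addresses the proxy's resolver actually returns before the connection is made.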
