fix: correct adjacent server URL rewriting when behind a reverse proxy/load balancer #989
Open
sujen1412 wants to merge 2 commits into
…y/load balancer

When MMGIS is deployed behind a load balancer (e.g. AWS ALB) that terminates SSL, adjacent services like stac-fastapi receive requests with changeOrigin rewriting the Host header to the internal Docker service name (e.g. stac-fastapi). The service then builds self-referencing URLs using that internal hostname, and the existing replaceAll in createSwaggerInterceptor only matched the explicit http://service:port target string — missing variants like https://stac-fastapi/ produced when the service picks up X-Forwarded-Proto from the ALB.

- Add proxyReq handler to the STAC proxy that forwards X-Forwarded-Host and X-Forwarded-Proto to the upstream service, so it can build correct public URLs
- Broaden createSwaggerInterceptor URL replacement to catch all hostname variants (http/https, with or without port) using the service hostname extracted from the target URL

Fixes NASA-AMMOS#753
tariqksoliman requested changes on May 28, 2026
- Fix greedy hostname replacement bug: add port-qualified patterns before bare hostname patterns so https://service:port/path is fully replaced before the bare https://service pattern can partially match it
- Refactor replacement block to use a publicBase variable to reduce repetition
- Extend proxyReq X-Forwarded-Host/Proto forwarding to tipg, titiler, and titiler-pgstac proxies (not just stac)
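The pattern-ordering issue named in the commit message above (port-qualified patterns before bare hostname patterns), as an added example that is not code from this PR. The function names and the public base URL `https://maps.example.org/stac` are hypothetical, and the sample response body is constructed from the hostname variants mentioned on the page.

```javascript
// Added example, not the PR's code. Function names and PUBLIC_BASE are hypothetical.

// Build the internal URL prefixes a proxied response body may contain.
// portFirst=true lists "scheme://host:port" ahead of "scheme://host".
function buildPatterns(target, portFirst = true) {
  const { hostname, port } = new URL(target);
  const bare = ["http", "https"].map((scheme) => `${scheme}://${hostname}`);
  const withPort = port ? bare.map((b) => `${b}:${port}`) : [];
  return portFirst ? [...withPort, ...bare] : [...bare, ...withPort];
}

// Replace each internal prefix in the body with the public base URL, in list order.
function rewriteInternalUrls(body, target, publicBase, portFirst = true) {
  return buildPatterns(target, portFirst).reduce(
    (out, pattern) => out.replaceAll(pattern, publicBase),
    body
  );
}

// Check a test or monitor can run on responses: does the internal name still appear?
function leaksInternalHost(body, target) {
  return body.includes(new URL(target).hostname);
}

const TARGET = "http://stac-fastapi:8881"; // internal service URL, as on the page
const PUBLIC_BASE = "https://maps.example.org/stac"; // hypothetical public URL

// Constructed sample body covering the variants the page describes.
const SAMPLE_BODY = JSON.stringify({
  links: [
    { rel: "self", href: "http://stac-fastapi:8881/collections" },
    { rel: "root", href: "https://stac-fastapi/" },
    { rel: "data", href: "https://stac-fastapi:8881/collections" },
  ],
});

// Port-qualified patterns first: every variant maps cleanly to the public base.
const fixed = rewriteInternalUrls(SAMPLE_BODY, TARGET, PUBLIC_BASE, true);
// Bare hostname first: the prefix matches early and strands ":8881" in the URL.
const greedy = rewriteInternalUrls(SAMPLE_BODY, TARGET, PUBLIC_BASE, false);

console.log(fixed);
console.log(greedy);
```

With the bare-first order the internal hostname no longer appears in the body, so a hostname-only leak check passes while the rewritten links are still broken by the leftover port.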
Summary

Fixes #753

When MMGIS is deployed behind a load balancer that terminates SSL (e.g. AWS ALB), adjacent services like `stac-fastapi` receive proxied requests where `changeOrigin: true` rewrites the `Host` header to the internal Docker service name (e.g. `stac-fastapi`). The upstream service then builds self-referencing URLs using that internal hostname.

The existing `replaceAll` in `createSwaggerInterceptor` only matched the explicit `http://service:port` target string — but when the upstream service also picks up `X-Forwarded-Proto: https` from the ALB (passed through unchanged by the proxy), it generates URLs like `https://stac-fastapi/collections` instead of `http://stac-fastapi:8881/collections`. This variant was never matched, so internal hostnames leaked through to clients.

Changes

- `proxyReq` handler on the STAC proxy: forwards `X-Forwarded-Host` (the real public hostname) and `X-Forwarded-Proto` to the upstream service, so it can natively build correct public URLs when configured with `--proxy-headers`
- `createSwaggerInterceptor`: extracts the service hostname from the target URL and replaces all variants (`http://`, `https://`, with and without port) as a reliable fallback for any upstream service

Testing

Verified on a deployment behind an AWS ALB with `stac-fastapi-pgstac`. Before the fix, STAC catalog responses contained `https://stac-fastapi/collections`. After the fix, responses correctly contain `https://<public-domain>/stac/collections`.

For `stac-fastapi`, also add the following flags to the uvicorn command so it trusts the forwarded headers: