Middleware rewrite incorrectly sets x-forwarded-host header.
The issue reports that Next.js middleware rewrites incorrectly set the x-forwarded-host header when performing URL rewrites. The expected behavior is to preserve the original host in this header, but it's currently being overwritten with the destination host. This requires investigation into the middleware rewrite logic and header handling.
https://github.com/hector/middleware-web
The basic code to trigger this bug is simply to use a rewrite in the middleware of Next.js like this:
return NextResponse.rewrite(url, { request: req });
If you click on this link https://middleware-web.vercel.app/?rewrite=https://request-headers-web.vercel.app/ you are reproducing this issue.
This is what is happening:
Code of https://middleware-web.vercel.app/ is public in this repo https://github.com/hector/middleware-web Code of https://request-headers-web.vercel.app/ is public in this repo https://github.com/hector/request-headers-web
I would expect to receive the following headers in https://request-headers-web.vercel.app/ server:
This is what I is actually received (it is printed in the page and can be easily seen):
The header x-forwarded-host is not set to the original host before the rewrite. MDN Reference here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host.
Operating System:
Platform: darwin
Arch: arm64
Version: Darwin Kernel Version 22.6.0: Mon Apr 22 20:51:27 PDT 2024; root:xnu-8796.141.3.705.2~1/RELEASE_ARM64_T6020
Available memory (MB): 16384
Available CPU cores: 10
Binaries:
Node: 20.13.1
npm: 10.5.2
Yarn: 1.22.22
pnpm: 9.3.0
Relevant Packages:
next: 15.0.0-canary.54 // L
Claim this issue to let others know you're working on it. You'll earn 20 points when you complete it!