Note: you may get the impression this is proxy’s fault, but it isn’t. Host: registry.npmjs.org:443 is, although unusual, a valid HTTP request. (Host: registry.npmjs.org is usual.) It’s NPM registry that is in violation of HTTP standard here.
That is kinda weird/interesting. If browsers did report the port, I could see mismatched Host header vs real port when behind a load balancer (typically handled by the load balancer adding X-Forwarded-For headers). But most browsers probably don’t do this, unless it’s a totally non-standard port?
You can also mismatch TLS Server Name Indication and Host header. For example, nginx treats TLS and HTTP separately so it does not care if it mismatches.
I am most curious why the response to an “invalid” host header would be a 418 error.
Note: you may get the impression this is proxy’s fault, but it isn’t.
Host: registry.npmjs.org:443is, although unusual, a valid HTTP request. (Host: registry.npmjs.orgis usual.) It’s NPM registry that is in violation of HTTP standard here.Huh, interesting, I definitely would have assumed that it would only include the “host”, but you’re totally right:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23
That is kinda weird/interesting. If browsers did report the port, I could see mismatched Host header vs real port when behind a load balancer (typically handled by the load balancer adding X-Forwarded-For headers). But most browsers probably don’t do this, unless it’s a totally non-standard port?
You can also mismatch TLS Server Name Indication and Host header. For example, nginx treats TLS and HTTP separately so it does not care if it mismatches.