Skip to content

fix(enterprise/aibridgeproxyd): stop injecting default port into forwarded Host header#26656

Merged
ssncferreira merged 1 commit into
mainfrom
fix/aibridge-proxy-host-port-mismatch
Jun 24, 2026
Merged

fix(enterprise/aibridgeproxyd): stop injecting default port into forwarded Host header#26656
ssncferreira merged 1 commit into
mainfrom
fix/aibridge-proxy-host-port-mismatch

Conversation

@ssncferreira

@ssncferreira ssncferreira commented Jun 24, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Problem

PR #23109 introduced port normalization for the private IP blocking feature, which mutated CoderAccessURL.Host to always include the default port (e.g. coder.example.com:443). This leaked into the Host header of every request forwarded to the Coder server.

When CODER_REDIRECT_TO_ACCESS_URL=true, the redirectToAccessURL middleware compared the Host header literally against the access URL (coder.example.com), saw a mismatch, and returned a 307 redirect to the Coder dashboard HTML page.

Copilot then received HTML instead of JSON:

Failed to start MCP client: Streamable HTTP error: Unexpected content type: text/html; charset=utf-8
Failed to load custom agents: SyntaxError: Unexpected token '<', "<!doctype "... is not valid JSON

Changes

  • Stop mutating coderAccessURL.Host; store the resolved port in a separate field for isBlockedIP
  • Update existing tests that asserted the old (mutated) .Port() behavior
  • Add test cases verifying the Host is preserved with and without an explicit port

Generated with the assistance of Coder Agents on behalf of @ssncferreira

@ssncferreira ssncferreira force-pushed the fix/aibridge-proxy-host-port-mismatch branch 2 times, most recently from b4cceb4 to 863884a Compare June 24, 2026 11:26
@ssncferreira
fix(enterprise/aibridgeproxyd): stop injecting default port into forw…
12aeb84 
…arded Host header

The proxy normalized CoderAccessURL.Host to always include the default
port (e.g. coder.example.com:443). This leaked into the Host header of
every request forwarded to the Coder server. When redirectToAccessURL
was enabled, the middleware compared the Host header against the access
URL literally, saw a mismatch, and redirected to the SPA root.

Copilot then received HTML instead of JSON:

  Failed to load custom agents: SyntaxError: Unexpected token '<',
  "<!doctype "... is not valid JSON

Store the resolved port in a separate field for isBlockedIP and stop
mutating coderAccessURL.Host.
@ssncferreira ssncferreira force-pushed the fix/aibridge-proxy-host-port-mismatch branch from 863884a to 12aeb84 Compare June 24, 2026 11:33
@ssncferreira ssncferreira marked this pull request as ready for review June 24, 2026 11:33
dannykopping
dannykopping approved these changes Jun 24, 2026
View reviewed changes

@dannykopping dannykopping left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great catch!

@ssncferreira ssncferreira merged commit c41d219 into main Jun 24, 2026
34 of 35 checks passed
@ssncferreira ssncferreira deleted the fix/aibridge-proxy-host-port-mismatch branch June 24, 2026 12:00
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 24, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@dannykopping dannykopping dannykopping approved these changes

Assignees

@ssncferreira ssncferreira

Labels

backport

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ssncferreira @dannykopping