From 1b222fb5763f27808e01be1aa1026ada1ee34f3d Mon Sep 17 00:00:00 2001
From: ed
Date: Thu, 11 Dec 2025 22:15:46 +0000
Subject: [PATCH] revert to `X-Forwarded-Host` being optional; turns out reverseproxies keeping the initial Host value is the far more common case; requiring X-Forwarded-Host is a bad idea partially reverts ad45de94410c6eb6259781b35445e71717e07dc0
---
 copyparty/httpcli.py | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 739e7ced..6f7a57b1 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -150,7 +150,7 @@ NO_CACHE = {"Cache-Control": "no-cache"}
 ALL_COOKIES = "k304 no304 js idxh dots cppwd cppws".split()
-BADXFF = " due to dangerous misconfiguration (the http-header specified by --xff-hdr was received from an untrusted reverse-proxy, or --xf-host is incorrect)"
+BADXFF = " due to dangerous misconfiguration (the http-header specified by --xff-hdr was received from an untrusted reverse-proxy)"
 BADXFF2 = ". Some copyparty features are now disabled as a safety measure."
 H_CONN_KEEPALIVE = "Connection: Keep-Alive"
@@ -446,18 +446,14 @@ class HttpCli(object):
 else:
 self.ip = cli_ip
 self.log_src = self.conn.set_rproxy(self.ip)
+ self.host = self.headers.get(self.args.xf_host, self.host)
 try:
- self.host = self.headers[self.args.xf_host]
 self.is_https = len(self.headers[self.args.xf_proto]) == 5
 except:
 self.bad_xff = True
- if self.args.xf_host not in self.headers:
- self.host = "example.com"
- t = 'got proxied request without header "%s" (global-option "xf-host"). This header must contain the true external "Host" value (the domain-name of the website). Either fix your reverse-proxy config to include this header, or change the copyparty global-option "xf-host" to another header-name to read this value from'
- self.log(t % (self.args.xf_host,) + BADXFF2, 3)
- if self.args.xf_proto not in self.headers:
- t = 'got proxied request without header "%s" (global-option "xf-proto"). This header must contain either "http" or "https". Either fix your reverse-proxy config to include this header, or change the copyparty global-option "xf-proto" to another header-name to read this value from'
- self.log(t % (self.args.xf_proto,) + BADXFF2, 3)
+ self.host = "example.com"
+ t = 'got proxied request without header "%s" (global-option "xf-proto"). This header must contain either "http" or "https". Either fix your reverse-proxy config to include this header, or change the copyparty global-option "xf-proto" to another header-name to read this value from'
+ self.log(t % (self.args.xf_proto,) + BADXFF2, 3)
 # the semantics of trusted_xff and bad_xff are different;
 # trusted_xff is whether the connection came from a trusted reverseproxy,
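Review bot: The added `self.host = self.headers.get(self.args.xf_host, self.host)` takes the forwarded-host header from a trusted proxy whenever it is present, with nothing requiring that the proxy itself set it. The commit message says most reverse proxies keep `Host` and do not emit this header, so a proxy that passes unknown request headers through unchanged would let a client-chosen value override the real `Host`. If `self.host` feeds absolute URLs, redirects or origin checks elsewhere (not visible in this hunk), that is a host-header injection path, so I would add a comment on that line such as `# the reverse-proxy must overwrite or drop this header; a client-supplied value would otherwise replace Host`, and repeat the requirement in the xf-host option help. Separately, the bare `except:` treats any exception as a missing xf-proto header; assuming `self.headers` is dict-like, `except KeyError:` would keep the log message accurate. The enclosing method starts and ends outside the hunk.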