Restrict subdomain preservation to same-domain proxy configs

namedgraph · claude · namedgraph · commit 75425ad6a38d · 2026-03-29T23:50:18.000+02:00
The previous fix unconditionally prepended the subdomain prefix to
proxyHost, which broke dev setups using an internal proxy hostname
(e.g. PROXY_HOST=nginx): admin.localhost was rewritten to admin.nginx
instead of nginx, which doesn't resolve in Docker.

Only preserve the subdomain when proxyHost equals host (the production
case where both are the same domain). In that case the HTTP client would
otherwise reuse an existing connection with SNI=host for the subdomain
request, causing nginx to return 421 Misdirected Request.

Update test to reflect the correct behaviour for the internal-proxy case.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java b/src/main/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilter.java
@@ -70,9 +70,11 @@ public void filter(ClientRequestContext cr) throws IOException
         String newScheme = cr.getUri().getScheme();
         if (getProxyScheme() != null) newScheme = getProxyScheme();
 
-        // Preserve subdomain prefix to avoid HTTP client connection pool conflating subdomain and base domain connections
+        // Preserve subdomain prefix only when proxyHost is the same domain as host, to prevent
+        // the HTTP client reusing a connection with a different TLS SNI (which causes 421).
+        // When proxyHost is a distinct internal hostname (e.g. "nginx"), no collision is possible.
         String newHost = getProxyHost();
-        if (cr.getUri().getHost().endsWith("." + getHost()))
+        if (cr.getUri().getHost().endsWith("." + getHost()) && getProxyHost().equals(getHost()))
         {
             String subdomainPrefix = cr.getUri().getHost().substring(0, cr.getUri().getHost().length() - getHost().length()); // e.g. "admin."
             newHost = subdomainPrefix + getProxyHost();
diff --git a/src/test/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilterTest.java b/src/test/java/com/atomgraph/linkeddatahub/client/filter/ClientUriRewriteFilterTest.java
@@ -135,15 +135,16 @@ public void testRewriteSubdomainPreservesSubdomainWithSameDomainProxy() throws I
 
     /**
      * Subdomain match with internal proxy host (Docker Compose setup):
-     * subdomain prefix is prepended to the proxy hostname for nginx virtual-host routing.
+     * subdomain prefix must NOT be prepended to the proxy hostname — the internal
+     * hostname (e.g. "nginx") has no subdomain equivalent. nginx routes via Host header.
      */
     @Test
-    public void testRewriteSubdomainPreservesSubdomainWithInternalProxy() throws IOException
+    public void testRewriteSubdomainWithInternalProxyUsesProxyHostOnly() throws IOException
     {
         ClientUriRewriteFilter filter = new ClientUriRewriteFilter("example.com", "http", "nginx", 9443);
         StubRequestContext ctx = new StubRequestContext(URI.create("https://admin.example.com/path"));
         filter.filter(ctx);
-        assertEquals(URI.create("http://admin.nginx:9443/path"), ctx.getUri());
+        assertEquals(URI.create("http://nginx:9443/path"), ctx.getUri());
         assertEquals("admin.example.com", ctx.getHeaders().getFirst("Host"));
     }
 
