From 688997017450bf614292b877f24b0a00706322af Mon Sep 17 00:00:00 2001
From: Ted Unangst
Date: Fri, 26 Apr 2019 10:02:46 -0400
Subject: [PATCH] add a note about http sig requirements, and check that host header matches

---
 docs/manual.txt | 5 +++++
 zig.go | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/docs/manual.txt b/docs/manual.txt
index 38c236e..9cbcd9d 100644
--- a/docs/manual.txt
+++ b/docs/manual.txt
@@ -60,3 +60,8 @@ with other servers via https URLs.
 If the proxy is configured to support caching, be mindful of the fact that
 ActivityPub requests vary based on the Accept and Content-Type headers.
+
+ActivityPub in practice uses HTTP signatures to verify requests. In order for
+this to work, the backend server must receive certain header fields
+unmodified. In particular, the Host header and the message content cannot be
+altered.
diff --git a/zig.go b/zig.go
index 0b63175..37a121f 100644
--- a/zig.go
+++ b/zig.go
@@ -26,6 +26,7 @@ import (
 "encoding/pem"
 "fmt"
 "io"
+"log"
 "net/http"
 "regexp"
 "strings"
@@ -135,6 +136,9 @@ func zag(req *http.Request, content []byte) (string, error) {
 s = strings.ToLower(req.Method) + " " + req.URL.RequestURI()
 case "host":
 s = req.Host
+if s != serverName {
+log.Printf("caution: servername host header mismatch")
+}
 default:
 s = req.Header.Get(h)
 }
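Review bot: The mismatch branch in the zag hunk only logs; `s = req.Host` is still the value that goes into the signed string, so a request whose signed Host names a different server verifies exactly as it did before and the check does not enforce the requirement the manual note describes. If this is meant purely as a deployment diagnostic, the message should carry both values so an operator can tell a rewriting proxy from a foreign Host, `log.Printf("caution: host header %q does not match servername %q", s, serverName)`; if it is meant as a check, follow the log with `return "", fmt.Errorf("host header %q does not match servername", s)` so the signature is not accepted over a host this server does not own. Note that req.Host may carry a port or differ in case from serverName, so a plain `!=` can fire on legitimate traffic — worth confirming what serverName holds before making the branch fatal. serverName is declared outside the hunk, and zag's body continues on both sides of it.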