include referer header in remote requests

this is an optional feature which is disabled by default, since it is
only needed in a few select cases and risks accidentally exposing
internal URLs.

Fixes willnorris#216

cmd/imageproxy/main.go

@@ -46,6 +46,7 @@ var addr = flag.String("addr", "localhost:8080", "TCP address to listen on")
 var allowHosts = flag.String("allowHosts", "", "comma separated list of allowed remote hosts")
 var denyHosts = flag.String("denyHosts", "", "comma separated list of denied remote hosts")
 var referrers = flag.String("referrers", "", "comma separated list of allowed referring hosts")
+var includeReferer = flag.Bool("includeReferer", false, "include referer header in remote requests")
 var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs")
 var cache tieredCache
 var signatureKeys signatureKeyList
@@ -87,6 +88,7 @@ func main() {
 		}
 	}
 
+	p.IncludeReferer = *includeReferer
 	p.Timeout = *timeout
 	p.ScaleUp = *scaleUp
 	p.Verbose = *verbose

docs/changelog.md

@@ -7,6 +7,8 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 [Unreleased]: https://github.com/willnorris/imageproxy/compare/v0.9.0...HEAD
+ - added option to include referer header in remote requests
+   ([#216](https://github.com/willnorris/imageproxy/issues/216))
 
 ## [0.9.0] (2019-06-10)
 [0.9.0]: https://github.com/willnorris/imageproxy/compare/v0.8.0...v0.9.0

imageproxy.go

@@ -56,6 +56,10 @@ type Proxy struct {
 	// hosts are allowed.
 	Referrers []string
 
+	// IncludeReferer controls whether the original Referer request header
+	// is included in remote requests.
+	IncludeReferer bool
+
 	// DefaultBaseURL is the URL that relative remote URLs are resolved in
 	// reference to.  If nil, all remote URLs specified in requests must be
 	// absolute.
@@ -166,6 +170,10 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 	if len(p.ContentTypes) != 0 {
 		actualReq.Header.Set("Accept", strings.Join(p.ContentTypes, ", "))
 	}
+	if p.IncludeReferer {
+		// pass along the referer header from the original request
+		copyHeader(actualReq.Header, r.Header, "referer")
+	}
 	resp, err := p.Client.Do(actualReq)
 
 	if err != nil {