8d2dcd
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
8d2dcd
index 3d5b220..ec9a414 100644
8d2dcd
--- a/modules/proxy/proxy_util.c
8d2dcd
+++ b/modules/proxy/proxy_util.c
8d2dcd
@@ -3621,12 +3621,14 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
                                             char **old_cl_val,
8d2dcd
                                             char **old_te_val)
8d2dcd
 {
8d2dcd
+    int rc = OK;
8d2dcd
     conn_rec *c = r->connection;
8d2dcd
     int counter;
8d2dcd
     char *buf;
8d2dcd
+    apr_table_t *saved_headers_in = r->headers_in;
8d2dcd
+    const char *saved_host = apr_table_get(saved_headers_in, "Host");
8d2dcd
     const apr_array_header_t *headers_in_array;
8d2dcd
     const apr_table_entry_t *headers_in;
8d2dcd
-    apr_table_t *saved_headers_in;
8d2dcd
     apr_bucket *e;
8d2dcd
     int do_100_continue;
8d2dcd
     conn_rec *origin = p_conn->connection;
8d2dcd
@@ -3662,6 +3664,52 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
     ap_xlate_proto_to_ascii(buf, strlen(buf));
8d2dcd
     e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
8d2dcd
     APR_BRIGADE_INSERT_TAIL(header_brigade, e);
8d2dcd
+
8d2dcd
+    /*
8d2dcd
+     * Make a copy on r->headers_in for the request we make to the backend,
8d2dcd
+     * modify the copy in place according to our configuration and connection
8d2dcd
+     * handling, use it to fill in the forwarded headers' brigade, and finally
8d2dcd
+     * restore the saved/original ones in r->headers_in.
8d2dcd
+     *
8d2dcd
+     * Note: We need to take r->pool for apr_table_copy as the key / value
8d2dcd
+     * pairs in r->headers_in have been created out of r->pool and
8d2dcd
+     * p might be (and actually is) a longer living pool.
8d2dcd
+     * This would trigger the bad pool ancestry abort in apr_table_copy if
8d2dcd
+     * apr is compiled with APR_POOL_DEBUG.
8d2dcd
+     *
8d2dcd
+     * icing: if p indeed lives longer than r->pool, we should allocate
8d2dcd
+     * all new header values from r->pool as well and avoid leakage.
8d2dcd
+     */
8d2dcd
+    r->headers_in = apr_table_copy(r->pool, saved_headers_in);
8d2dcd
+
8d2dcd
+    /* Return the original Transfer-Encoding and/or Content-Length values
8d2dcd
+     * then drop the headers, they must be set by the proxy handler based
8d2dcd
+     * on the actual body being forwarded.
8d2dcd
+     */
8d2dcd
+    if ((*old_te_val = (char *)apr_table_get(r->headers_in,
8d2dcd
+                                             "Transfer-Encoding"))) {
8d2dcd
+        apr_table_unset(r->headers_in, "Transfer-Encoding");
8d2dcd
+    }
8d2dcd
+    if ((*old_cl_val = (char *)apr_table_get(r->headers_in,
8d2dcd
+                                             "Content-Length"))) {
8d2dcd
+        apr_table_unset(r->headers_in, "Content-Length");
8d2dcd
+    }
8d2dcd
+
8d2dcd
+    /* Clear out hop-by-hop request headers not to forward */
8d2dcd
+    if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
8d2dcd
+        rc = HTTP_BAD_REQUEST;
8d2dcd
+        goto cleanup;
8d2dcd
+    }
8d2dcd
+
8d2dcd
+    /* RFC2616 13.5.1 says we should strip these */
8d2dcd
+    apr_table_unset(r->headers_in, "Keep-Alive");
8d2dcd
+    apr_table_unset(r->headers_in, "Upgrade");
8d2dcd
+    apr_table_unset(r->headers_in, "Trailer");
8d2dcd
+    apr_table_unset(r->headers_in, "TE");
8d2dcd
+
8d2dcd
+    /* We used to send `Host: ` always first, so let's keep it that
8d2dcd
+     * way. No telling which legacy backend is relying no this.
8d2dcd
+     */
8d2dcd
     if (dconf->preserve_host == 0) {
8d2dcd
         if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */
8d2dcd
             if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) {
8d2dcd
@@ -3683,7 +3731,7 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
         /* don't want to use r->hostname, as the incoming header might have a
8d2dcd
          * port attached
8d2dcd
          */
8d2dcd
-        const char* hostname = apr_table_get(r->headers_in,"Host");
8d2dcd
+        const char* hostname = saved_host;
8d2dcd
         if (!hostname) {
8d2dcd
             hostname =  r->server->server_hostname;
8d2dcd
             ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01092)
8d2dcd
@@ -3697,21 +3745,7 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
     ap_xlate_proto_to_ascii(buf, strlen(buf));
8d2dcd
     e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
8d2dcd
     APR_BRIGADE_INSERT_TAIL(header_brigade, e);
8d2dcd
-
8d2dcd
-    /*
8d2dcd
-     * Save the original headers in here and restore them when leaving, since
8d2dcd
-     * we will apply proxy purpose only modifications (eg. clearing hop-by-hop
8d2dcd
-     * headers, add Via or X-Forwarded-* or Expect...), whereas the originals
8d2dcd
-     * will be needed later to prepare the correct response and logging.
8d2dcd
-     *
8d2dcd
-     * Note: We need to take r->pool for apr_table_copy as the key / value
8d2dcd
-     * pairs in r->headers_in have been created out of r->pool and
8d2dcd
-     * p might be (and actually is) a longer living pool.
8d2dcd
-     * This would trigger the bad pool ancestry abort in apr_table_copy if
8d2dcd
-     * apr is compiled with APR_POOL_DEBUG.
8d2dcd
-     */
8d2dcd
-    saved_headers_in = r->headers_in;
8d2dcd
-    r->headers_in = apr_table_copy(r->pool, saved_headers_in);
8d2dcd
+    apr_table_unset(r->headers_in, "Host");
8d2dcd
 
8d2dcd
     /* handle Via */
8d2dcd
     if (conf->viaopt == via_block) {
8d2dcd
@@ -3778,8 +3812,6 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
      */
8d2dcd
     if (dconf->add_forwarded_headers) {
8d2dcd
         if (PROXYREQ_REVERSE == r->proxyreq) {
8d2dcd
-            const char *buf;
8d2dcd
-
8d2dcd
             /* Add X-Forwarded-For: so that the upstream has a chance to
8d2dcd
              * determine, where the original request came from.
8d2dcd
              */
8d2dcd
@@ -3789,8 +3821,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
             /* Add X-Forwarded-Host: so that upstream knows what the
8d2dcd
              * original request hostname was.
8d2dcd
              */
8d2dcd
-            if ((buf = apr_table_get(r->headers_in, "Host"))) {
8d2dcd
-                apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf);
8d2dcd
+            if (saved_host) {
8d2dcd
+                apr_table_mergen(r->headers_in, "X-Forwarded-Host",
8d2dcd
+                                 saved_host);
8d2dcd
             }
8d2dcd
 
8d2dcd
             /* Add X-Forwarded-Server: so that upstream knows what the
8d2dcd
@@ -3802,10 +3835,27 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
         }
8d2dcd
     }
8d2dcd
 
8d2dcd
+    /* Do we want to strip Proxy-Authorization ?
8d2dcd
+     * If we haven't used it, then NO
8d2dcd
+     * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
8d2dcd
+     * So let's make it configurable by env.
8d2dcd
+     */
8d2dcd
+    if (r->user != NULL /* we've authenticated */
8d2dcd
+        && !apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
8d2dcd
+        apr_table_unset(r->headers_in, "Proxy-Authorization");
8d2dcd
+    }
8d2dcd
+
8d2dcd
+    /* for sub-requests, ignore freshness/expiry headers */
8d2dcd
+    if (r->main) {
8d2dcd
+        apr_table_unset(r->headers_in, "If-Match");
8d2dcd
+        apr_table_unset(r->headers_in, "If-Modified-Since");
8d2dcd
+        apr_table_unset(r->headers_in, "If-Range");
8d2dcd
+        apr_table_unset(r->headers_in, "If-Unmodified-Since");
8d2dcd
+        apr_table_unset(r->headers_in, "If-None-Match");
8d2dcd
+     }
8d2dcd
+
8d2dcd
+    /* run hook to fixup the request we are about to send */
8d2dcd
     proxy_run_fixups(r);
8d2dcd
-    if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
8d2dcd
-        return HTTP_BAD_REQUEST;
8d2dcd
-    }
8d2dcd
 
8d2dcd
     creds = apr_table_get(r->notes, "proxy-basic-creds");
8d2dcd
     if (creds) {
8d2dcd
@@ -3817,55 +3867,8 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
     headers_in = (const apr_table_entry_t *) headers_in_array->elts;
8d2dcd
     for (counter = 0; counter < headers_in_array->nelts; counter++) {
8d2dcd
         if (headers_in[counter].key == NULL
8d2dcd
-            || headers_in[counter].val == NULL
8d2dcd
-
8d2dcd
-            /* Already sent */
8d2dcd
-            || !strcasecmp(headers_in[counter].key, "Host")
8d2dcd
-
8d2dcd
-            /* Clear out hop-by-hop request headers not to send
8d2dcd
-             * RFC2616 13.5.1 says we should strip these headers
8d2dcd
-             */
8d2dcd
-            || !strcasecmp(headers_in[counter].key, "Keep-Alive")
8d2dcd
-            || !strcasecmp(headers_in[counter].key, "TE")
8d2dcd
-            || !strcasecmp(headers_in[counter].key, "Trailer")
8d2dcd
-            || !strcasecmp(headers_in[counter].key, "Upgrade")
8d2dcd
-
8d2dcd
-            ) {
8d2dcd
-            continue;
8d2dcd
-        }
8d2dcd
-        /* Do we want to strip Proxy-Authorization ?
8d2dcd
-         * If we haven't used it, then NO
8d2dcd
-         * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
8d2dcd
-         * So let's make it configurable by env.
8d2dcd
-         */
8d2dcd
-        if (!strcasecmp(headers_in[counter].key,"Proxy-Authorization")) {
8d2dcd
-            if (r->user != NULL) { /* we've authenticated */
8d2dcd
-                if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
8d2dcd
-                    continue;
8d2dcd
-                }
8d2dcd
-            }
8d2dcd
-        }
8d2dcd
-
8d2dcd
-        /* Skip Transfer-Encoding and Content-Length for now.
8d2dcd
-         */
8d2dcd
-        if (!strcasecmp(headers_in[counter].key, "Transfer-Encoding")) {
8d2dcd
-            *old_te_val = headers_in[counter].val;
8d2dcd
-            continue;
8d2dcd
-        }
8d2dcd
-        if (!strcasecmp(headers_in[counter].key, "Content-Length")) {
8d2dcd
-            *old_cl_val = headers_in[counter].val;
8d2dcd
-            continue;
8d2dcd
-        }
8d2dcd
-
8d2dcd
-        /* for sub-requests, ignore freshness/expiry headers */
8d2dcd
-        if (r->main) {
8d2dcd
-            if (   !strcasecmp(headers_in[counter].key, "If-Match")
8d2dcd
-                || !strcasecmp(headers_in[counter].key, "If-Modified-Since")
8d2dcd
-                || !strcasecmp(headers_in[counter].key, "If-Range")
8d2dcd
-                || !strcasecmp(headers_in[counter].key, "If-Unmodified-Since")
8d2dcd
-                || !strcasecmp(headers_in[counter].key, "If-None-Match")) {
8d2dcd
-                continue;
8d2dcd
-            }
8d2dcd
+            || headers_in[counter].val == NULL) {
8d2dcd
+             continue;
8d2dcd
         }
8d2dcd
 
8d2dcd
         buf = apr_pstrcat(p, headers_in[counter].key, ": ",
8d2dcd
@@ -3876,11 +3879,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p,
8d2dcd
         APR_BRIGADE_INSERT_TAIL(header_brigade, e);
8d2dcd
     }
8d2dcd
 
8d2dcd
-    /* Restore the original headers in (see comment above),
8d2dcd
-     * we won't modify them anymore.
8d2dcd
-     */
8d2dcd
+cleanup:
8d2dcd
     r->headers_in = saved_headers_in;
8d2dcd
-    return OK;
8d2dcd
+    return rc;
8d2dcd
 }
8d2dcd
 
8d2dcd
 PROXY_DECLARE(int) ap_proxy_pass_brigade(apr_bucket_alloc_t *bucket_alloc,