Merge pull request #1103 from stapelberg/authproxy

authproxy.md: strip X-Remote-User
This commit is contained in:
Eric Chiang 2017-10-26 14:29:43 -07:00 committed by GitHub
commit 3d65b774d6
2 changed files with 24 additions and 1 deletions

View file

@ -63,6 +63,15 @@ location and provides the result in the X-Remote-User HTTP header. The following
configuration will work for Apache 2.4.10+:
```
<Location /dex/>
ProxyPass "http://localhost:5556/dex/"
ProxyPassReverse "http://localhost:5556/dex/"
# Strip the X-Remote-User header from all requests except for the ones
# where we override it.
RequestHeader unset X-Remote-User
</Location>
<Location /dex/callback/myBasicAuth>
AuthType Basic
AuthName "db.debian.org webPassword"
@ -100,6 +109,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
<Location /dex/>
ProxyPass "http://localhost:5556/dex/"
ProxyPassReverse "http://localhost:5556/dex/"
# Strip the X-Remote-User header from all requests except for the ones
# where we override it.
RequestHeader unset X-Remote-User
</Location>
<Location /dex/callback/myBasicAuth>

View file

@ -8,6 +8,7 @@ import (
"net/http"
"net/url"
"path"
"strings"
"sync"
"sync/atomic"
"time"
@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
handleWithCORS("/keys", s.handlePublicKeys)
handleFunc("/auth", s.handleAuthorization)
handleFunc("/auth/{connector}", s.handleConnectorLogin)
handleFunc("/callback", s.handleConnectorCallback)
r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
// Strip the X-Remote-* headers to prevent security issues on
// misconfigured authproxy connector setups.
for key := range r.Header {
if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
r.Header.Del(key)
}
}
s.handleConnectorCallback(w, r)
})
// For easier connector-specific web server configuration, e.g. for the
// "authproxy" connector.
handleFunc("/callback/{connector}", s.handleConnectorCallback)