diff --git a/Documentation/authproxy.md b/Documentation/authproxy.md
index 21362fcb..2e12ab09 100644
--- a/Documentation/authproxy.md
+++ b/Documentation/authproxy.md
@@ -63,6 +63,15 @@ location and provides the result in the X-Remote-User HTTP header. The following
configuration will work for Apache 2.4.10+:
```
+
+ ProxyPass "http://localhost:5556/dex/"
+ ProxyPassReverse "http://localhost:5556/dex/"
+
+ # Strip the X-Remote-User header from all requests except for the ones
+ # where we override it.
+ RequestHeader unset X-Remote-User
+
+
AuthType Basic
AuthName "db.debian.org webPassword"
@@ -100,6 +109,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
ProxyPass "http://localhost:5556/dex/"
ProxyPassReverse "http://localhost:5556/dex/"
+
+ # Strip the X-Remote-User header from all requests except for the ones
+ # where we override it.
+ RequestHeader unset X-Remote-User
diff --git a/server/server.go b/server/server.go
index d1e1ff56..65de3b83 100644
--- a/server/server.go
+++ b/server/server.go
@@ -8,6 +8,7 @@ import (
"net/http"
"net/url"
"path"
+ "strings"
"sync"
"sync/atomic"
"time"
@@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
handleWithCORS("/keys", s.handlePublicKeys)
handleFunc("/auth", s.handleAuthorization)
handleFunc("/auth/{connector}", s.handleConnectorLogin)
- handleFunc("/callback", s.handleConnectorCallback)
+ r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
+ // Strip the X-Remote-* headers to prevent security issues on
+ // misconfigured authproxy connector setups.
+ for key := range r.Header {
+ if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
+ r.Header.Del(key)
+ }
+ }
+ s.handleConnectorCallback(w, r)
+ })
// For easier connector-specific web server configuration, e.g. for the
// "authproxy" connector.
handleFunc("/callback/{connector}", s.handleConnectorCallback)
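Review bot: `r.Header.Del(key)` inside the range loop canonicalizes `key` before deleting, so a non-canonical entry such as `x-remote-user` (which the lowercase prefix test on the line above does match) would be left in place while `Del` removes a canonical key that may not exist; deleting the exact map key with `delete(r.Header, key)` makes the strip unconditional on key spelling. The standard server canonicalizes parsed request headers, so this only matters when something upstream assigns into the map directly, but the defensive version costs nothing. As a point of style, the closure parameter `r *http.Request` shadows the router `r` used in `r.HandleFunc(...)`; naming it `req` avoids the confusion. The surrounding newServer body continues outside the hunk.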