authproxy.md: strip X-Remote-User
follow-up for https://github.com/coreos/dex/pull/1100
parent
751c565e9d
commit
4931f30a80
2 changed files with 24 additions and 1 deletions
@ -25,6 +25,15 @@ location and provides the result in the X-Remote-User HTTP header. The following
|
|||
configuration will work for Apache 2.4.10+:
|
||||
|
||||
```
|
||||
<Location /dex/>
|
||||
ProxyPass "http://localhost:5556/dex/"
|
||||
ProxyPassReverse "http://localhost:5556/dex/"
|
||||
|
||||
# Strip the X-Remote-User header from all requests except for the ones
|
||||
# where we override it.
|
||||
RequestHeader unset X-Remote-User
|
||||
</Location>
|
||||
|
||||
<Location /dex/callback/myBasicAuth>
|
||||
AuthType Basic
|
||||
AuthName "db.debian.org webPassword"
|
||||
|
@ -62,6 +71,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
|
|||
<Location /dex/>
|
||||
ProxyPass "http://localhost:5556/dex/"
|
||||
ProxyPassReverse "http://localhost:5556/dex/"
|
||||
|
||||
# Strip the X-Remote-User header from all requests except for the ones
|
||||
# where we override it.
|
||||
RequestHeader unset X-Remote-User
|
||||
</Location>
|
||||
|
||||
<Location /dex/callback/myBasicAuth>
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"net/http"
|
||||
"net/url"
|
||||
"path"
|
||||
"strings"
|
||||
"sync"
|
||||
"sync/atomic"
|
||||
"time"
|
||||
|
@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
|
|||
handleWithCORS("/keys", s.handlePublicKeys)
|
||||
handleFunc("/auth", s.handleAuthorization)
|
||||
handleFunc("/auth/{connector}", s.handleConnectorLogin)
|
||||
handleFunc("/callback", s.handleConnectorCallback)
|
||||
r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
|
||||
// Strip the X-Remote-* headers to prevent security issues on
|
||||
// misconfigured authproxy connector setups.
|
||||
for key := range r.Header {
|
||||
if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
|
||||
r.Header.Del(key)
|
||||
}
|
||||
}
|
||||
s.handleConnectorCallback(w, r)
|
||||
})
|
||||
// For easier connector-specific web server configuration, e.g. for the
|
||||
// "authproxy" connector.
|
||||
handleFunc("/callback/{connector}", s.handleConnectorCallback)
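Review bot: The X-Remote-* scrubbing is registered only for the bare `/callback` route; the `/callback/{connector}` registration on the hunk's last line still passes whatever X-Remote-* headers arrive through to s.handleConnectorCallback, so the in-server guard covers one of the two entry points and the other relies entirely on the proxy's `RequestHeader unset` rule from the doc change. If that split is intended (the connector-specific path is where the authproxy is expected to set the header), the comment above the closure should state it, e.g. `// Only the generic /callback path is scrubbed; /callback/{connector} is where a correctly configured authproxy sets X-Remote-User.` Two style points on the closure: its `r *http.Request` parameter shadows the router `r` whose HandleFunc is being called, so a name like `req` would read less ambiguously, and because net/http canonicalizes incoming header keys the `strings.ToLower` is redundant — `strings.HasPrefix(key, "X-Remote-")` is enough, though the lowercase form is harmless. newServer continues outside the hunk.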
|
||||
|
|