Merge pull request #1103 from stapelberg/authproxy
authproxy.md: strip X-Remote-User
commit
3d65b774d6
@ -63,6 +63,15 @@ location and provides the result in the X-Remote-User HTTP header. The following
|
|||||||
configuration will work for Apache 2.4.10+:
|
configuration will work for Apache 2.4.10+:
|
||||||
|
|
||||||
```
|
```
|
||||||
|
<Location /dex/>
|
||||||
|
ProxyPass "http://localhost:5556/dex/"
|
||||||
|
ProxyPassReverse "http://localhost:5556/dex/"
|
||||||
|
|
||||||
|
# Strip the X-Remote-User header from all requests except for the ones
|
||||||
|
# where we override it.
|
||||||
|
RequestHeader unset X-Remote-User
|
||||||
|
</Location>
|
||||||
|
|
||||||
<Location /dex/callback/myBasicAuth>
|
<Location /dex/callback/myBasicAuth>
|
||||||
AuthType Basic
|
AuthType Basic
|
||||||
AuthName "db.debian.org webPassword"
|
AuthName "db.debian.org webPassword"
|
||||||
@ -100,6 +109,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
|
|||||||
<Location /dex/>
|
<Location /dex/>
|
||||||
ProxyPass "http://localhost:5556/dex/"
|
ProxyPass "http://localhost:5556/dex/"
|
||||||
ProxyPassReverse "http://localhost:5556/dex/"
|
ProxyPassReverse "http://localhost:5556/dex/"
|
||||||
|
|
||||||
|
# Strip the X-Remote-User header from all requests except for the ones
|
||||||
|
# where we override it.
|
||||||
|
RequestHeader unset X-Remote-User
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
<Location /dex/callback/myBasicAuth>
|
<Location /dex/callback/myBasicAuth>
|
||||||
|
@ -8,6 +8,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
"path"
|
"path"
|
||||||
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
"time"
|
"time"
|
||||||
@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
|
|||||||
handleWithCORS("/keys", s.handlePublicKeys)
|
handleWithCORS("/keys", s.handlePublicKeys)
|
||||||
handleFunc("/auth", s.handleAuthorization)
|
handleFunc("/auth", s.handleAuthorization)
|
||||||
handleFunc("/auth/{connector}", s.handleConnectorLogin)
|
handleFunc("/auth/{connector}", s.handleConnectorLogin)
|
||||||
handleFunc("/callback", s.handleConnectorCallback)
|
r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
// Strip the X-Remote-* headers to prevent security issues on
|
||||||
|
// misconfigured authproxy connector setups.
|
||||||
|
for key := range r.Header {
|
||||||
|
if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
|
||||||
|
r.Header.Del(key)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
s.handleConnectorCallback(w, r)
|
||||||
|
})
|
||||||
// For easier connector-specific web server configuration, e.g. for the
|
// For easier connector-specific web server configuration, e.g. for the
|
||||||
// "authproxy" connector.
|
// "authproxy" connector.
|
||||||
handleFunc("/callback/{connector}", s.handleConnectorCallback)
|
handleFunc("/callback/{connector}", s.handleConnectorCallback)
|
||||||
|
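Review bot: The new `/callback` route is registered with `r.HandleFunc(path.Join(issuerURL.Path, "/callback"), ...)` rather than the `handleFunc` helper used by the neighbouring routes, so anything that helper adds no longer applies to it (the helper is defined outside the hunk, so this is inferred). If the helper accepts a function literal, `handleFunc("/callback", func(w http.ResponseWriter, req *http.Request) {` keeps the registration uniform and stops the closure parameter `r` from shadowing the router `r`. The stripping also covers only this route: `/callback/{connector}` still hands client-supplied `X-Remote-*` headers to `s.handleConnectorCallback` unchanged. The comment should say so, for example `// Only the bare /callback route is sanitised here; /callback/{connector} relies on the fronting proxy to unset or override X-Remote-* headers.` The body of `newServer` starts and ends outside the hunk.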