fixup! apache-backend: discard incoming X-Forwarded-For without valid SSL Client Authentification.

468d8148 · Kazuhiko Shiozaki · ffd51275 · 468d8148 · 468d8148
Commit 468d8148 authored Jun 16, 2020 by Kazuhiko Shiozaki
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

component/apache/apache-backend.conf.in component/apache/apache-backend.conf.in +2 -1

component/apache/buildout.hash.cfg component/apache/buildout.hash.cfg +1 -1

No files found.
--- a/component/apache/apache-backend.conf.in
+++ b/component/apache/apache-backend.conf.in
@@ -135,10 +135,11 @@ SSLProxyEngine On
 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
+# Drop incoming X-Forwarded-For without valid client authentication
+RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
 {% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
 SSLCACertificatePath {{ ca_cert_dir }}
 {%   if crl_dir -%}
 SSLCARevocationCheck chain

--- a/component/apache/buildout.hash.cfg
+++ b/component/apache/buildout.hash.cfg
@@ -14,5 +14,5 @@
 # not need these here).
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = 68ce79573bb2b39625ee6ef57c2e7f14
+md5sum = 5c6d6aacc092b23a02e1c6f4d51e8127