Do not send headers with _ to backends

As shown by https://github.com/zopefoundation/Zope/pull/655 and https://github.com/Pylons/waitress/commit/6d4dab6bed88917b973066a6d5222917661802b7 backends usually don't accept headers with underscores. SSL_CLIENT_SERIAL is removed because it's unused.

Do not send headers with _ to backends
As shown by https://github.com/zopefoundation/Zope/pull/655 and https://github.com/Pylons/waitress/commit/6d4dab6bed88917b973066a6d5222917661802b7 backends usually don't accept headers with underscores. SSL_CLIENT_SERIAL is removed because it's unused.
9c8d2442 · Julien Muchembled · Łukasz Nowak · 43f5ac2f · 9c8d2442 · 9c8d2442
Commit 9c8d2442 authored Jun 20, 2019 by Julien Muchembled Committed by Łukasz Nowak Aug 29, 2019
6 changed files
--- a/component/apache/apache-backend.conf.in
+++ b/component/apache/apache-backend.conf.in
@@ -131,13 +131,11 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC
 SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
 SSLProxyEngine On
-# As backend is trusting REMOTE_USER header unset it always
+# As backend is trusting Remote-User header unset it always
-RequestHeader unset REMOTE_USER
+RequestHeader unset Remote-User
-RequestHeader unset SSL_CLIENT_SERIAL
 {% if parameter_dict['ca-cert'] -%}
 SSLVerifyClient optional
-RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
+RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-RequestHeader set SSL_CLIENT_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
 SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
 {%   if parameter_dict['crl'] -%}
 SSLCARevocationCheck chain

--- a/software/apache-frontend/templates/apache.conf.in
+++ b/software/apache-frontend/templates/apache.conf.in
@@ -20,8 +20,8 @@ TypesConfig {{ httpd_home }}/conf/mime.types
 AddType application/x-compress .Z
 AddType application/x-gzip .gz .tgz
-# As backend is trusting REMOTE_USER header unset it always
+# As backend is trusting Remote-User header unset it always
-RequestHeader unset REMOTE_USER
+RequestHeader unset Remote-User
 ServerTokens Prod

--- a/software/caddy-frontend/templates/cached-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/cached-virtualhost.conf.in
@@ -21,8 +21,8 @@
  proxy / {{ slave_parameter.get('backend_url', '') }} {
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
-    # As backend is trusting REMOTE_USER header unset it always
+    # As backend is trusting Remote-User header unset it always
-    header_upstream -REMOTE_USER
+    header_upstream -Remote-User
    transparent
    timeout 600s
@@ -49,8 +49,8 @@
  proxy / {{ slave_parameter.get('https_backend_url', '') }} {
    try_duration {{ slave_parameter['proxy_try_duration'] }}s
    try_interval {{ slave_parameter['proxy_try_interval'] }}ms
-    # As backend is trusting REMOTE_USER header unset it always
+    # As backend is trusting Remote-User header unset it always
-    header_upstream -REMOTE_USER
+    header_upstream -Remote-User
    transparent
    timeout 600s
 {%- if ssl_proxy_verify %}

--- a/software/caddy-frontend/templates/default-virtualhost.conf.in
+++ b/software/caddy-frontend/templates/default-virtualhost.conf.in
@@ -108,8 +108,8 @@
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
 {%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
-    # As backend is trusting REMOTE_USER header unset it always
+    # As backend is trusting Remote-User header unset it always
-    header_upstream -REMOTE_USER
+    header_upstream -Remote-User
 {%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
@@ -245,8 +245,8 @@
    without /prefer-gzip
    header_upstream Accept-Encoding gzip
 {%-     endif %} {#-     if proxy_name == 'prefer-gzip' #}
-    # As backend is trusting REMOTE_USER header unset it always
+    # As backend is trusting Remote-User header unset it always
-    header_upstream -REMOTE_USER
+    header_upstream -Remote-User
 {%- for disabled_cookie in disabled_cookie_list %}
    # Remove cookie {{ disabled_cookie }} from client Cookies
    header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"

--- a/software/caddy-frontend/test/test.py
+++ b/software/caddy-frontend/test/test.py
@@ -883,7 +883,7 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
                      headers=None, cookies=None, source_ip=None):
    if headers is None:
      headers = {}
-    headers.setdefault('REMOTE_USER', 'SOME_REMOTE_USER')
+    headers.setdefault('Remote-User', 'SOME_REMOTE_USER')
    # workaround request problem of setting Accept-Encoding
    # https://github.com/requests/requests/issues/2234
    headers.setdefault('Accept-Encoding', 'dummy')
@@ -908,7 +908,7 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
                     headers=None):
    if headers is None:
      headers = {}
-    headers.setdefault('REMOTE_USER', 'SOME_REMOTE_USER')
+    headers.setdefault('Remote-User', 'SOME_REMOTE_USER')
    # workaround request problem of setting Accept-Encoding
    # https://github.com/requests/requests/issues/2234
    headers.setdefault('Accept-Encoding', 'dummy')

--- a/software/slapos-master/apache-backend.conf.in
+++ b/software/slapos-master/apache-backend.conf.in
@@ -131,13 +131,11 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC
 SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
 SSLProxyEngine On
-# As backend is trusting REMOTE_USER header unset it always
+# As backend is trusting Remote-User header unset it always
-RequestHeader unset REMOTE_USER
+RequestHeader unset Remote-User
-RequestHeader unset SSL_CLIENT_SERIAL
 {% if parameter_dict['ca-cert'] -%}
 SSLVerifyClient optional
-RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
+RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-RequestHeader set SSL_CLIENT_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
 SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
 {%   if not parameter_dict['shared-ca-cert'] %}
 {%     if parameter_dict['crl'] -%}
@@ -168,7 +166,7 @@ Listen {{ ip }}:{{ port }}
 {% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%}
  SSLVerifyClient require
  # Custom block we use for now different parameters.
-  RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
+  RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
  SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
  SSLCARevocationPath {{ parameter_dict['shared-crl'] }}