Commit 78407e48 authored by Julien Muchembled's avatar Julien Muchembled Committed by Rafael Monnerat

Do not send headers with _ to backends

As shown by https://github.com/zopefoundation/Zope/pull/655 and
https://github.com/Pylons/waitress/commit/6d4dab6bed88917b973066a6d5222917661802b7
backends usually don't accept headers with underscores.

SSL_CLIENT_SERIAL is removed because it's unused.
parent 36e15e97
...@@ -131,13 +131,11 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC ...@@ -131,13 +131,11 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC
SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000) SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
SSLProxyEngine On SSLProxyEngine On
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting Remote-User header unset it always
RequestHeader unset REMOTE_USER RequestHeader unset Remote-User
RequestHeader unset SSL_CLIENT_SERIAL
{% if parameter_dict['ca-cert'] -%} {% if parameter_dict['ca-cert'] -%}
SSLVerifyClient optional SSLVerifyClient optional
RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader set SSL_CLIENT_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
SSLCACertificateFile {{ parameter_dict['ca-cert'] }} SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{% if parameter_dict['crl'] -%} {% if parameter_dict['crl'] -%}
SSLCARevocationCheck chain SSLCARevocationCheck chain
......
...@@ -20,8 +20,8 @@ TypesConfig {{ httpd_home }}/conf/mime.types ...@@ -20,8 +20,8 @@ TypesConfig {{ httpd_home }}/conf/mime.types
AddType application/x-compress .Z AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz AddType application/x-gzip .gz .tgz
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting Remote-User header unset it always
RequestHeader unset REMOTE_USER RequestHeader unset Remote-User
ServerTokens Prod ServerTokens Prod
......
...@@ -21,8 +21,8 @@ ...@@ -21,8 +21,8 @@
proxy / {{ slave_parameter.get('backend_url', '') }} { proxy / {{ slave_parameter.get('backend_url', '') }} {
try_duration {{ slave_parameter['proxy_try_duration'] }}s try_duration {{ slave_parameter['proxy_try_duration'] }}s
try_interval {{ slave_parameter['proxy_try_interval'] }}ms try_interval {{ slave_parameter['proxy_try_interval'] }}ms
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting Remote-User header unset it always
header_upstream -REMOTE_USER header_upstream -Remote-User
transparent transparent
timeout 600s timeout 600s
...@@ -49,8 +49,8 @@ ...@@ -49,8 +49,8 @@
proxy / {{ slave_parameter.get('https_backend_url', '') }} { proxy / {{ slave_parameter.get('https_backend_url', '') }} {
try_duration {{ slave_parameter['proxy_try_duration'] }}s try_duration {{ slave_parameter['proxy_try_duration'] }}s
try_interval {{ slave_parameter['proxy_try_interval'] }}ms try_interval {{ slave_parameter['proxy_try_interval'] }}ms
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting Remote-User header unset it always
header_upstream -REMOTE_USER header_upstream -Remote-User
transparent transparent
timeout 600s timeout 600s
{%- if ssl_proxy_verify %} {%- if ssl_proxy_verify %}
......
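Review bot: `header_upstream -Remote-User` on the new side of the second hunk no longer strips a client-supplied `REMOTE_USER` header, so the frontend now relies on the backend discarding underscore header names as the linked Zope and waitress changes do, which holds only for backends already running those versions. Because the comment on the line above states the backend trusts this header, stripping both spellings costs nothing and keeps the frontend safe in front of an older backend: keep `header_upstream -REMOTE_USER` next to `header_upstream -Remote-User`. Header-name matching is case-insensitive, but hyphen and underscore are distinct names, so the hyphenated removal does not cover the old spelling. The same applies to the first hunk of this file, to both hunks of the following Caddyfile section, and to the `RequestHeader unset` hunks of the Apache templates in this commit. The comment could also record why the spelling changed, e.g. `# Backend trusts Remote-User (hyphenated, since backends reject header names containing '_'); unset it always`.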
...@@ -108,8 +108,8 @@ ...@@ -108,8 +108,8 @@
without /prefer-gzip without /prefer-gzip
header_upstream Accept-Encoding gzip header_upstream Accept-Encoding gzip
{%- endif %} {#- if proxy_name == 'prefer-gzip' #} {%- endif %} {#- if proxy_name == 'prefer-gzip' #}
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting Remote-User header unset it always
header_upstream -REMOTE_USER header_upstream -Remote-User
{%- for disabled_cookie in disabled_cookie_list %} {%- for disabled_cookie in disabled_cookie_list %}
# Remove cookie {{ disabled_cookie }} from client Cookies # Remove cookie {{ disabled_cookie }} from client Cookies
header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
...@@ -245,8 +245,8 @@ ...@@ -245,8 +245,8 @@
without /prefer-gzip without /prefer-gzip
header_upstream Accept-Encoding gzip header_upstream Accept-Encoding gzip
{%- endif %} {#- if proxy_name == 'prefer-gzip' #} {%- endif %} {#- if proxy_name == 'prefer-gzip' #}
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting Remote-User header unset it always
header_upstream -REMOTE_USER header_upstream -Remote-User
{%- for disabled_cookie in disabled_cookie_list %} {%- for disabled_cookie in disabled_cookie_list %}
# Remove cookie {{ disabled_cookie }} from client Cookies # Remove cookie {{ disabled_cookie }} from client Cookies
header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3" header_upstream Cookie "(.*)(^{{ disabled_cookie }}=[^;]*; |; {{ disabled_cookie }}=[^;]*|^{{ disabled_cookie }}=[^;]*$)(.*)" "$1 $3"
......
...@@ -883,7 +883,7 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase): ...@@ -883,7 +883,7 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
headers=None, cookies=None, source_ip=None): headers=None, cookies=None, source_ip=None):
if headers is None: if headers is None:
headers = {} headers = {}
headers.setdefault('REMOTE_USER', 'SOME_REMOTE_USER') headers.setdefault('Remote-User', 'SOME_REMOTE_USER')
# workaround request problem of setting Accept-Encoding # workaround request problem of setting Accept-Encoding
# https://github.com/requests/requests/issues/2234 # https://github.com/requests/requests/issues/2234
headers.setdefault('Accept-Encoding', 'dummy') headers.setdefault('Accept-Encoding', 'dummy')
...@@ -908,7 +908,7 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase): ...@@ -908,7 +908,7 @@ class SlaveHttpFrontendTestCase(HttpFrontendTestCase):
headers=None): headers=None):
if headers is None: if headers is None:
headers = {} headers = {}
headers.setdefault('REMOTE_USER', 'SOME_REMOTE_USER') headers.setdefault('Remote-User', 'SOME_REMOTE_USER')
# workaround request problem of setting Accept-Encoding # workaround request problem of setting Accept-Encoding
# https://github.com/requests/requests/issues/2234 # https://github.com/requests/requests/issues/2234
headers.setdefault('Accept-Encoding', 'dummy') headers.setdefault('Accept-Encoding', 'dummy')
......
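Review bot: The `headers.setdefault('Remote-User', 'SOME_REMOTE_USER')` line in the second hunk (and its twin in the first hunk) only exercises the hyphenated spelling, so nothing in the suite checks that a client-sent `REMOTE_USER` header is still kept away from the backend after this change; if the downstream assertions compare the headers the backend received, adding `headers.setdefault('REMOTE_USER', 'SOME_REMOTE_USER')` next to it would cover both spellings with no other change. Presumably the value is chosen so a backend-side assertion can detect it, which I cannot confirm from the hunk. The two hunks also duplicate the same default-header setup; a small `_default_request_headers(headers)` helper called from both would keep them in sync. Both enclosing methods begin above their hunks, only the tail of each signature is visible.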
...@@ -131,13 +131,11 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC ...@@ -131,13 +131,11 @@ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:EC
SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000) SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
SSLProxyEngine On SSLProxyEngine On
# As backend is trusting REMOTE_USER header unset it always # As backend is trusting Remote-User header unset it always
RequestHeader unset REMOTE_USER RequestHeader unset Remote-User
RequestHeader unset SSL_CLIENT_SERIAL
{% if parameter_dict['ca-cert'] -%} {% if parameter_dict['ca-cert'] -%}
SSLVerifyClient optional SSLVerifyClient optional
RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
RequestHeader set SSL_CLIENT_SERIAL "%{SSL_CLIENT_M_SERIAL}s"
SSLCACertificateFile {{ parameter_dict['ca-cert'] }} SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
{% if not parameter_dict['shared-ca-cert'] %} {% if not parameter_dict['shared-ca-cert'] %}
{% if parameter_dict['crl'] -%} {% if parameter_dict['crl'] -%}
...@@ -168,7 +166,7 @@ Listen {{ ip }}:{{ port }} ...@@ -168,7 +166,7 @@ Listen {{ ip }}:{{ port }}
{% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%} {% if enable_authentication and parameter_dict['shared-ca-cert'] and parameter_dict['shared-crl'] -%}
SSLVerifyClient require SSLVerifyClient require
# Custom block we use for now different parameters. # Custom block we use for now different parameters.
RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }} SSLCACertificateFile {{ parameter_dict['shared-ca-cert'] }}
SSLCARevocationPath {{ parameter_dict['shared-crl'] }} SSLCARevocationPath {{ parameter_dict['shared-crl'] }}
......