Commit 3d65b774, authored Oct 26, 2017 by Eric Chiang, committed by GitHub Oct 26, 2017
Merge pull request #1103 from stapelberg/authproxy
authproxy.md: strip X-Remote-User
Parents: 13b4f84f, 4931f30a
Showing 2 changed files with 24 additions and 1 deletion (+24 -1):
Documentation/authproxy.md (+13 -0)
server/server.go (+11 -1)
Documentation/authproxy.md
@@ -63,6 +63,15 @@ location and provides the result in the X-Remote-User HTTP header. The following
configuration will work for Apache 2.4.10+:
```
<Location /dex/>
ProxyPass "http://localhost:5556/dex/"
ProxyPassReverse "http://localhost:5556/dex/"
# Strip the X-Remote-User header from all requests except for the ones
# where we override it.
RequestHeader unset X-Remote-User
</Location>
<Location /dex/callback/myBasicAuth>
AuthType Basic
AuthName "db.debian.org webPassword"
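Review bot: the `RequestHeader unset X-Remote-User` added to `<Location /dex/>` covers only that one header, whereas the server change in this same merge strips every header whose name starts with `x-remote-`; if the connector ever reads another `X-Remote-*` header, the documented proxy config would be looser than the server, so either unset each header the connector consumes here or state in the doc that dex itself drops `X-Remote-*` on `/callback` and the proxy-side unset is defence in depth. The comment "except for the ones where we override it" also relies on the more specific `<Location /dex/callback/myBasicAuth>` block's RequestHeader directive being applied after the outer unset; that override is outside the visible context, so one sentence stating the ordering assumption would help readers who adapt the snippet to their own layout.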
@@ -100,6 +109,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
<Location /dex/>
ProxyPass "http://localhost:5556/dex/"
ProxyPassReverse "http://localhost:5556/dex/"
# Strip the X-Remote-User header from all requests except for the ones
# where we override it.
RequestHeader unset X-Remote-User
</Location>
<Location /dex/callback/myBasicAuth>
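Review bot: this `<Location /dex/>` block is a verbatim copy of the one added to the first example above, comment included; two copies are acceptable in a doc, but a short cross-reference ("strip X-Remote-User here exactly as in the example above") would make it less likely that a future edit tightens one example and leaves the other behind.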
server/server.go
@@ -8,6 +8,7 @@ import (
"net/http"
"net/url"
"path"
"strings"
"sync"
"sync/atomic"
"time"
@@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
handleWithCORS
(
"/keys"
,
s
.
handlePublicKeys
)
handleFunc
(
"/auth"
,
s
.
handleAuthorization
)
handleFunc
(
"/auth/{connector}"
,
s
.
handleConnectorLogin
)
handleFunc
(
"/callback"
,
s
.
handleConnectorCallback
)
r
.
HandleFunc
(
path
.
Join
(
issuerURL
.
Path
,
"/callback"
),
func
(
w
http
.
ResponseWriter
,
r
*
http
.
Request
)
{
// Strip the X-Remote-* headers to prevent security issues on
// misconfigured authproxy connector setups.
for
key
:=
range
r
.
Header
{
if
strings
.
HasPrefix
(
strings
.
ToLower
(
key
),
"x-remote-"
)
{
r
.
Header
.
Del
(
key
)
}
}
s
.
handleConnectorCallback
(
w
,
r
)
})
// For easier connector-specific web server configuration, e.g. for the
// "authproxy" connector.
handleFunc
(
"/callback/{connector}"
,
s
.
handleConnectorCallback
)
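Review bot: the `X-Remote-*` stripping wraps only the bare `/callback` route, while the `/callback/{connector}` registration at the end of the hunk still goes straight to `s.handleConnectorCallback`; that looks intentional, since the authproxy connector's own callback is where the proxy legitimately injects `X-Remote-User`, but the comment on that route ("For easier connector-specific web server configuration") says nothing about it, so please extend it to note that headers are deliberately not stripped there because the proxy sets them, otherwise the asymmetry invites a later "fix" that would break the connector. A smaller consistency point: the wrapped route is registered with `r.HandleFunc(path.Join(issuerURL.Path, "/callback"), ...)` rather than the `handleFunc` helper every neighbouring route uses, so it skips whatever else `handleFunc` does beyond joining the path; `handleFunc("/callback", func(w http.ResponseWriter, r *http.Request) { ... })` would keep it in line with the rest. The loop itself is fine: deleting from `r.Header` while ranging over it is permitted in Go, and `Header.Del` canonicalises the key it is given.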