Commit 4931f30a authored by Michael Stapelberg's avatar Michael Stapelberg

authproxy.md: strip X-Remote-User

follow-up for https://github.com/coreos/dex/pull/1100
parent 751c565e
...@@ -25,6 +25,15 @@ location and provides the result in the X-Remote-User HTTP header. The following ...@@ -25,6 +25,15 @@ location and provides the result in the X-Remote-User HTTP header. The following
configuration will work for Apache 2.4.10+: configuration will work for Apache 2.4.10+:
``` ```
<Location /dex/>
ProxyPass "http://localhost:5556/dex/"
ProxyPassReverse "http://localhost:5556/dex/"
# Strip the X-Remote-User header from all requests except for the ones
# where we override it.
RequestHeader unset X-Remote-User
</Location>
<Location /dex/callback/myBasicAuth> <Location /dex/callback/myBasicAuth>
AuthType Basic AuthType Basic
AuthName "db.debian.org webPassword" AuthName "db.debian.org webPassword"
...@@ -62,6 +71,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`: ...@@ -62,6 +71,10 @@ virtual host configuration in e.g. `/etc/apache2/sites-available/sso.conf`:
<Location /dex/> <Location /dex/>
ProxyPass "http://localhost:5556/dex/" ProxyPass "http://localhost:5556/dex/"
ProxyPassReverse "http://localhost:5556/dex/" ProxyPassReverse "http://localhost:5556/dex/"
# Strip the X-Remote-User header from all requests except for the ones
# where we override it.
RequestHeader unset X-Remote-User
</Location> </Location>
<Location /dex/callback/myBasicAuth> <Location /dex/callback/myBasicAuth>
......
...@@ -8,6 +8,7 @@ import ( ...@@ -8,6 +8,7 @@ import (
"net/http" "net/http"
"net/url" "net/url"
"path" "path"
"strings"
"sync" "sync"
"sync/atomic" "sync/atomic"
"time" "time"
...@@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy) ...@@ -240,7 +241,16 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
handleWithCORS("/keys", s.handlePublicKeys) handleWithCORS("/keys", s.handlePublicKeys)
handleFunc("/auth", s.handleAuthorization) handleFunc("/auth", s.handleAuthorization)
handleFunc("/auth/{connector}", s.handleConnectorLogin) handleFunc("/auth/{connector}", s.handleConnectorLogin)
handleFunc("/callback", s.handleConnectorCallback) r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
// Strip the X-Remote-* headers to prevent security issues on
// misconfigured authproxy connector setups.
for key := range r.Header {
if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
r.Header.Del(key)
}
}
s.handleConnectorCallback(w, r)
})
// For easier connector-specific web server configuration, e.g. for the // For easier connector-specific web server configuration, e.g. for the
// "authproxy" connector. // "authproxy" connector.
handleFunc("/callback/{connector}", s.handleConnectorCallback) handleFunc("/callback/{connector}", s.handleConnectorCallback)
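Review bot: `r.Header.Del(key)` canonicalizes its argument before deleting, so a key that is not already in canonical form — the very case the `strings.ToLower` comparison on the line above is written to catch — would be looked up under its canonical spelling and left in the map; `delete(r.Header, key)` removes the entry under the exact key the range yielded, and deleting during a map range is allowed. For headers parsed from the wire the keys are already canonical, so on that path the two forms behave the same, which is presumably why this was not noticed. The closure parameter `r` also shadows the router `r` on which `HandleFunc` is called, which reads awkwardly; naming it `req` (and writing `req.Header`) would avoid the shadowing. It is worth stating in the comment that `/callback/{connector}` on the following line deliberately keeps the X-Remote-* headers because the authproxy connector reads them there, so the stripping is scoped only to the generic `/callback` route. newServer continues outside the hunk.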
......