From 3c804c21cc7828d898b9a7edd371dc24b50e0647 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 5 May 2026 10:16:19 -0400
Subject: [PATCH] Use dashes in HTTP header names in SSL vhost config
Some backends reject headers with underscores before converting dashes to underscores for application processing. Use dashes in RequestHeader names to match the HTTP vhost and ensure headers pass through the full proxy chain. Add a test to catch underscore usage in httpd config headers.
Co-Authored-By: Claude Opus 4.6
---
 src/roles/httpd/templates/external_auth.conf.j2 | 10 +++++-----
 src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 | 8 ++++----
 tests/httpd_test.py | 4 ++++
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/roles/httpd/templates/external_auth.conf.j2 b/src/roles/httpd/templates/external_auth.conf.j2
index 05e1d7d25..f181de2f4 100644
--- a/src/roles/httpd/templates/external_auth.conf.j2
+++ b/src/roles/httpd/templates/external_auth.conf.j2
@@ -15,11 +15,11 @@ LookupUserGroupsIter REMOTE_USER_GROUP
 # Set headers for proxy requests
- RequestHeader set REMOTE_USER %{REMOTE_USER}e
- RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
- RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
- RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
- RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+ RequestHeader set REMOTE-USER %{REMOTE_USER}e
+ RequestHeader set REMOTE-USER-EMAIL %{REMOTE_USER_EMAIL}e
+ RequestHeader set REMOTE-USER-FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+ RequestHeader set REMOTE-USER-LASTNAME %{REMOTE_USER_LASTNAME}e
+ RequestHeader set REMOTE-USER-GROUPS %{REMOTE_USER_GROUPS}e
 # GSSAPI/Kerberos authentication for web UI
diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
index 3807529f0..af895755b 100644
--- a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
+++ b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -11,10 +11,10 @@
 ## Request header rules
 ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
- RequestHeader set X_FORWARDED_PROTO "https"
- RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
- RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
- RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
+ RequestHeader set X-FORWARDED-PROTO "https"
+ RequestHeader set SSL-CLIENT-S-DN "%{SSL_CLIENT_S_DN}s"
+ RequestHeader set SSL-CLIENT-CERT "%{SSL_CLIENT_CERT}s"
+ RequestHeader set SSL-CLIENT-VERIFY "%{SSL_CLIENT_VERIFY}s"
 RequestHeader unset REMOTE-USER
 RequestHeader unset REMOTE_USER
 RequestHeader unset REMOTE-USER-EMAIL
diff --git a/tests/httpd_test.py b/tests/httpd_test.py
index e01ea7d6e..77c6efda7 100644
--- a/tests/httpd_test.py
+++ b/tests/httpd_test.py
@@ -87,3 +87,7 @@ def test_https_foreman_login(server, certificates, server_fqdn):
 cmd = server.run(f"{CURL_CMD} --cacert {certificates['server_ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/users/login")
 assert cmd.succeeded
 assert cmd.stdout == '200'
+
+def test_httpd_headers_use_dashes(server):
+ cmd = server.run("grep -rPn 'RequestHeader\\s+set\\s+\\S*_\\S*\\s' /etc/httpd/conf.d/foreman.conf /etc/httpd/conf.d/foreman-ssl.conf /etc/httpd/conf.d/05-foreman.d/ /etc/httpd/conf.d/05-foreman-ssl.d/ 2>/dev/null")
+ assert cmd.stdout.strip() == '', f"HTTP header names should use dashes, not underscores:\n{cmd.stdout}"
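Review bot: With the names switched to dashes, `RequestHeader set SSL-CLIENT-VERIFY ...` and its three siblings no longer overwrite a request header that arrives under the old underscore spelling, because mod_headers treats `SSL_CLIENT_VERIFY` and `SSL-CLIENT-VERIFY` as different names. The trailing context already unsets both `REMOTE-USER` and `REMOTE_USER`, but no matching unset for the `SSL_CLIENT_*` or `X_FORWARDED_PROTO` spellings is visible in this hunk; the rest of the template lies outside it, so this may already be handled there. If it is not, a backend that maps underscores and dashes to the same key could see a client-supplied certificate header next to the trusted one, so I would add explicit lines such as `RequestHeader unset SSL_CLIENT_VERIFY` (likewise `SSL_CLIENT_S_DN`, `SSL_CLIENT_CERT`, `X_FORWARDED_PROTO`) ahead of the `set` lines rather than rely on the backend rejecting underscores. The same reasoning applies to the `REMOTE-USER-*` headers now set in external_auth.conf.j2, where it is worth confirming that every underscore variant, not only `REMOTE_USER`, is unset.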
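Review bot: `test_httpd_headers_use_dashes` passes whenever grep prints nothing, and that includes the runs where grep itself failed: stderr is discarded by `2>/dev/null` and the exit status is never checked, so a moved config path or a grep without `-P` support would leave the test green while checking nothing. grep exits 1 for "no match" and 2 for an error, so I would drop the redirect and, after the stdout assertion, add `assert cmd.rc == 1, cmd.stderr` (assuming `server.run` returns a testinfra-style result), or list only paths that are known to exist. The pattern also covers only `RequestHeader set`, so underscore names introduced through `setifempty`, `append` or `add` would go unnoticed. A one-line docstring such as `"""Fail if any deployed RequestHeader set directive uses an underscore in the header name."""` would record why the check exists.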