Skip to content

Use dashes in HTTP header names in SSL vhost config #492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ehelms wants to merge 1 commit into
base: master
Choose a base branch
from
+13 −9
Open

Use dashes in HTTP header names in SSL vhost config #492

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions src/roles/httpd/templates/external_auth.conf.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@
LookupUserGroupsIter REMOTE_USER_GROUP

# Set headers for proxy requests
RequestHeader set REMOTE_USER %{REMOTE_USER}e
RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
RequestHeader set REMOTE-USER %{REMOTE_USER}e
RequestHeader set REMOTE-USER-EMAIL %{REMOTE_USER_EMAIL}e
RequestHeader set REMOTE-USER-FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
RequestHeader set REMOTE-USER-LASTNAME %{REMOTE_USER_LASTNAME}e
RequestHeader set REMOTE-USER-GROUPS %{REMOTE_USER_GROUPS}e
</LocationMatch>

# GSSAPI/Kerberos authentication for web UI
Expand Down
8 changes: 4 additions & 4 deletions src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,10 +11,10 @@

## Request header rules
## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
RequestHeader set X_FORWARDED_PROTO "https"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set X-FORWARDED-PROTO "https"
RequestHeader set SSL-CLIENT-S-DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL-CLIENT-CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL-CLIENT-VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader unset REMOTE-USER
RequestHeader unset REMOTE_USER
RequestHeader unset REMOTE-USER-EMAIL
Expand Down
4 changes: 4 additions & 0 deletions tests/httpd_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,3 +87,7 @@ def test_https_foreman_login(server, certificates, server_fqdn):
cmd = server.run(f"{CURL_CMD} --cacert {certificates['server_ca_certificate']} --write-out '%{{http_code}}' https://{server_fqdn}/users/login")
assert cmd.succeeded
assert cmd.stdout == '200'

def test_httpd_headers_use_dashes(server):
cmd = server.run("grep -rPn 'RequestHeader\\s+set\\s+\\S*_\\S*\\s' /etc/httpd/conf.d/foreman.conf /etc/httpd/conf.d/foreman-ssl.conf /etc/httpd/conf.d/05-foreman.d/ /etc/httpd/conf.d/05-foreman-ssl.d/ 2>/dev/null")
assert cmd.stdout.strip() == '', f"HTTP header names should use dashes, not underscores:\n{cmd.stdout}"