Mixed feelings about this, since it allows admins to detect badly configured services (relying on a user-provided header for content can lead to bad things) and fix them (cf. geopicardie/osm-geopic-docker@d79d49d; and I just realized some of my services also had this issue. Somehow, this only shows when Apache is the RP in front of georchestra, not nginx?)
The service admin needs to make sure he sanitizes the X-Forwarded-* headers in his reverse proxy before sending the request to a backend server.
Why were those headers sent in the first place? I've read georchestra/georchestra#782, which adds the workaround for broken services, but haven't found the justification for sending them. Header auth?
I'm wondering if we should not have
header0.value=.*
in https://github.com/georchestra/datadir/blob/master/security-proxy/removed-xforwarded-headers.properties, i.e. X-Forwarded-* headers should not be sent to any server.
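The failure mode the comment describes, as an added example that is not georchestra code and not the commenter's own: a backend builds absolute URLs from X-Forwarded-Host/Proto, and a reverse proxy that merely passes client headers through lets an attacker choose that host. The hardened proxy discards every inbound forwarding header and sets them from values it is itself authoritative for; the strip-everything helper corresponds to the "send no X-Forwarded-* to any backend" policy proposed above. The hostnames, the client IP and the backend's fallback base URL are constructed for the example. (On the Apache-versus-nginx observation: Apache mod_proxy adds X-Forwarded-For/Host/Server itself by default via ProxyAddHeaders, whereas nginx sends only what proxy_set_header configures, which is why the same backend can behave differently behind the two.)

```python
# Added example (not georchestra code). Models a backend that trusts
# X-Forwarded-* and a reverse proxy that either forwards client-supplied
# forwarding headers unchanged (weak) or rebuilds them (hardened).
# All hostnames/addresses below are constructed for the example.
from typing import Dict


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise once.
    return {k.lower(): v for k, v in headers.items()}


def strip_forwarded(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop every client-supplied forwarding header (the X-Forwarded-* family
    and RFC 7239 'Forwarded'). This is the 'send none to any backend' policy."""
    return {
        k: v for k, v in _lower(headers).items()
        if not k.startswith("x-forwarded-") and k != "forwarded"
    }


def proxy_naive(client_headers: Dict[str, str], client_ip: str) -> Dict[str, str]:
    """Weak: forwards whatever the client sent and only appends the peer
    address to X-Forwarded-For. A spoofed X-Forwarded-Host and a spoofed
    first hop in X-Forwarded-For both reach the backend."""
    out = _lower(client_headers)
    xff = out.get("x-forwarded-for")
    out["x-forwarded-for"] = f"{xff}, {client_ip}" if xff else client_ip
    return out


def proxy_hardened(client_headers: Dict[str, str], client_ip: str,
                   public_host: str, scheme: str = "https") -> Dict[str, str]:
    """Hardened: discard all inbound forwarding headers, then set them from
    values the proxy knows first-hand: its configured public hostname and
    scheme (not the client's Host header) and the TCP peer address."""
    out = strip_forwarded(client_headers)
    out["x-forwarded-for"] = client_ip
    out["x-forwarded-host"] = public_host
    out["x-forwarded-proto"] = scheme
    return out


def backend_absolute_url(headers: Dict[str, str], path: str,
                         fallback_base: str = "https://geo.example.org") -> str:
    """Typical backend logic: build an absolute URL (redirect, link in a
    generated document, capabilities endpoint) from X-Forwarded-Proto/Host,
    falling back to a configured base URL when the proxy sends none."""
    h = _lower(headers)
    host = h.get("x-forwarded-host")
    if not host:
        return fallback_base + path
    proto = h.get("x-forwarded-proto", "https")
    return f"{proto}://{host}{path}"


if __name__ == "__main__":
    # Constructed attacker request: legitimate Host, forged forwarding headers.
    attacker = {
        "Host": "geo.example.org",
        "X-Forwarded-Host": "evil.example",
        "X-Forwarded-Proto": "http",
        "X-Forwarded-For": "10.0.0.1",
    }
    peer = "203.0.113.5"
    print("naive   :", backend_absolute_url(proxy_naive(attacker, peer), "/geoserver/"))
    print("hardened:", backend_absolute_url(
        proxy_hardened(attacker, peer, "geo.example.org"), "/geoserver/"))
    print("stripped:", backend_absolute_url(strip_forwarded(attacker), "/geoserver/"))
```

With the naive proxy the backend emits a link to the attacker's host; with either the rebuilt headers or the strip-everything policy it emits its own. Note that stripping alone only works if the backend has a configured public base URL to fall back to, which is the choice the proposed `header0.value=.*` forces on every service behind the security-proxy.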