Update REMOTE-USER header definition in doc

closes: #5478
pulp · Aug 5, 2024 · 53fafa8 · 53fafa8
1 parent 4f65152
commit 53fafa8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/CHANGES/5478.doc b/CHANGES/5478.doc
@@ -0,0 +1,2 @@
+Updated REMOTE-USER header definition (to use hyphen, instead of underscore) due
+to gunicorn version update blocking its usage for security purposes.
diff --git a/docs/admin/guides/auth/external.md b/docs/admin/guides/auth/external.md
@@ -77,16 +77,15 @@ application webserver, i.e. gunicorn. You can pass the header as part of the pro
 with a config line like:
 
 ```
-proxy_set_header REMOTE_USER $remote_user;
+proxy_set_header REMOTE-USER $remote_user;
 ```
 
 Per the [WSGI standard](https://www.python.org/dev/peps/pep-0333/#environ-variables), any incoming
 headers will be prepended with a `HTTP_`. The above line would send the header named
-`REMOTE_USER` to gunicorn, and the WSGI application would receive it as `HTTP_REMOTE_USER`. The
-default configuration of Pulp is expecting `REMOTE_USER` in the WSGI environment not
-`HTTP_REMOTE_USER`, so this won't work with
-`pulpcore.app.authentication.PulpRemoteUserAuthentication` or the Django Rest Framework provided
-`rest_framework.authentication.RemoteUserAuthentication` as is.
+`REMOTE-USER` to gunicorn, and the WSGI application would receive it as `HTTP_REMOTE_USER` (after 
+gunicorn normalization). The default configuration of Pulp is expecting `REMOTE_USER` in the WSGI
+environment not `HTTP_REMOTE_USER`, so this won't work with `pulpcore.app.authentication.PulpRemoteUserAuthentication`
+or the Django Rest Framework provided `rest_framework.authentication.RemoteUserAuthentication` as is.
 
 Pulp provides a setting named `REMOTE_USER_ENVIRON_NAME <remote-user-environ-name>` which allows
 you to specify another WSGI environment variable to read the authenticated username from.