Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs should not use underscores in http headers for auth #5478

Closed
evgeni opened this issue Jun 13, 2024 · 2 comments · Fixed by #5668
Closed

docs should not use underscores in http headers for auth #5478

evgeni opened this issue Jun 13, 2024 · 2 comments · Fixed by #5668
Labels

Comments

@evgeni
Copy link
Member

evgeni commented Jun 13, 2024

Version
any

Describe the bug
https://docs.pulpproject.org/pulpcore/authentication/webserver.html#webserver-auth-with-reverse-proxy says:

With nginx providing authentication, all it can do is pass REMOTE_USER (or similar name) to the application webserver, i.e. gunicorn. You can pass the header as part of the proxy request in nginx with a config line like:

proxy_set_header REMOTE_USER $remote_user;

But since gunicorn 22.0 (more precisely https://github.com/benoitc/gunicorn/commit/72b8970dbf2bf3444eb2e8b12aeff1a3d5922a9a/ benoitc/gunicorn#2799) headers with underscores are forbidden by default.

If the docs would use a dash, so proxy_set_header REMOTE-USER … things would work :)

Additional context
Grant made me file this, and I did not want to post a screenshot of our colorful conversation ;)

@daviddavis
Copy link
Contributor

This is rather interesting because REMOTE_USER comes from django:

https://docs.djangoproject.com/en/5.0/howto/auth-remote-user/

I imagine there are a lot of django users using gunicorn. Maybe it's worth filing a django issue and see how they proceed?

@evgeni
Copy link
Member Author

evgeni commented Jun 18, 2024

It is and it isn't ;-) (You'll notice, I had a ton of fun with that).

REMOTE_USER as Django wants it is an environment variable, not an HTTP header. That variable usually gets set by WSGI/whatever after handling auth.
In our case, auth is done by the frontend Apache/NGINX, which can only communicate to WSGI/Django via headers.

In the linked docs, there is a warning, where they say:

Since the HTTP headers X-Auth-User and X-Auth_User (for example) both normalize to the HTTP_X_AUTH_USER key in request.META, you must also check that your web server doesn’t allow a spoofed header using underscores in place of dashes.

No REMOTE_USER anymore ;-)

Gunicorn is working on making this a bit more user-friendly in benoitc/gunicorn#3192, by making it configurable which "illegal" headers get accepted from a "trusted" proxy.

git-hyagi added a commit to git-hyagi/pulpcore that referenced this issue Aug 5, 2024
git-hyagi added a commit to git-hyagi/pulpcore that referenced this issue Aug 6, 2024
mdellweg pushed a commit that referenced this issue Aug 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants