From e14e765561e0cf908060d5188cc07d80eb570457 Mon Sep 17 00:00:00 2001
From: Julian Rother <julianr@fsmpi.rwth-aachen.de>
Date: Tue, 6 Oct 2020 21:47:01 +0200
Subject: [PATCH] Addded headers-more module to example nginx config to prevent
 spoofing

---
 testapp/nginx.conf | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/testapp/nginx.conf b/testapp/nginx.conf
index 4cf667c..284a5fd 100644
--- a/testapp/nginx.conf
+++ b/testapp/nginx.conf
@@ -2,6 +2,8 @@
 pid nginx.pid;
 error_log nginx.err.log;
 
+load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
+
 events {
 	worker_connections 768;
 }
@@ -16,6 +18,9 @@ http {
 	tcp_nodelay on;
 	keepalive_timeout 65;
 	types_hash_max_size 2048;
+	ssl on;
+	ssl_certificate ../devcert.crt;
+	ssl_certificate_key ../devcert.key;
 	server {
 		#listen 50004;
 		#listen [::]:5004;
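Review bot: `ssl on;` at the http level is the deprecated form of enabling TLS (nginx has warned against it since 1.15.0 in favour of the `ssl` parameter on `listen`), and placing it in the http block switches TLS on for every server defined there rather than for the one server this config contains. The supported form is to give that server's listen directive the parameter, e.g. `listen 5004 ssl;` with the two `ssl_certificate*` lines kept as they are; the existing listen lines just below are commented out, so the port actually in use is outside this hunk and the server block continues past it. Until then, nginx builds that have dropped the directive will refuse this config outright, which is worth a comment next to it if the old form is kept for compatibility.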
@@ -28,21 +33,23 @@ http {
 		location /test {
 			auth_request /oauthproxy/auth;
 			auth_request_set $auth_header $upstream_http_REMOTE_USER;
-			proxy_set_header REMOTE_USER $auth_header;
+			more_clear_input_headers REMOTE-USER; # prevent spoofing
+			proxy_set_header REMOTE-USER $auth_header;
 			proxy_pass http://localhost:5003;
 		}
 
 		location /oauthproxy/ {
-			proxy_set_header X-REDIRECT-URI "http://localhost:5004/oauthproxy/callback";
+			proxy_set_header X-REDIRECT-URI "https://localhost:5004/oauthproxy/callback";
 			proxy_set_header X-CLIENT-ID "test";
 			proxy_set_header X-CLIENT-SECRET "testsecret";
 			proxy_set_header X-SCOPE "userinfo";
-			proxy_pass http://localhost:5002/;
+			proxy_ssl_verify off;
+			proxy_pass https://localhost:5002/;
 		}
 
 		error_page 401 = @error401;
 		location @error401 {
-			return 302 /oauthproxy/login?url=http://$http_host$request_uri;
+			return 302 /oauthproxy/login?url=https://$http_host$request_uri;
 		}
 
 	}
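Review bot: `proxy_ssl_verify off;` in the /oauthproxy/ location disables certificate checking for the upstream at https://localhost:5002/, so the switch to https on that hop protects against nothing more than passive observation of the client-secret header being sent there. Since the same self-signed dev certificate is already referenced by the config, pinning it costs two lines: `proxy_ssl_trusted_certificate ../devcert.crt;` and `proxy_ssl_verify on;` (plus `proxy_ssl_name localhost;` if the certificate's subject needs to be matched explicitly), which keeps the verification error visible in the dev setup instead of being silenced. Separately, `more_clear_input_headers REMOTE-USER;` strips only the hyphenated spelling; an inbound `REMOTE_USER` is presumably discarded solely because `underscores_in_headers` is off by default, and a backend that folds both spellings into the same variable would otherwise trust it. That dependency is worth making explicit beside the directive, e.g. `underscores_in_headers off; # REMOTE_USER (underscore form) must not reach the backend either`, so a later change to that setting does not silently reopen what the comment on this line says it closes.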
-- 
GitLab