erp5: backend apache must not handle Remote-User

The backend haproxy must not handle the arbitrary variable Remote-User from headers. It isn't implemented authentication on this backend, so this setting is irrelevant by default. The proper way to handle authentication is use a trustfull frontend that will set this variable after properly authenticate the certificate and extract the user.

erp5: backend apache must not handle Remote-User
The backend haproxy must not handle the arbitrary variable Remote-User from headers. It isn't implemented authentication on this backend, so this setting is irrelevant by default. The proper way to handle authentication is use a trustfull frontend that will set this variable after properly authenticate the certificate and extract the user.
1bd75eee · Rafael Monnerat · 3d63cd39 · 1bd75eee · 1bd75eee
Commit 1bd75eee authored Feb 19, 2024 by Rafael Monnerat
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 4 deletions

stack/erp5/buildout.hash.cfg stack/erp5/buildout.hash.cfg +1 -1

stack/erp5/haproxy.cfg.in stack/erp5/haproxy.cfg.in +0 -3

No files found.
--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -94,7 +94,7 @@ md5sum = 0fad9497da12ed0186dca5236c23f3a7

 [template-haproxy-cfg]
 filename = haproxy.cfg.in
-md5sum = 2cd76971b64b0bf7771978ad07bfc2e5
+md5sum = 50c72e1934e589b0e26918cc53ee1fc0

 [template-rsyslogd-cfg]
 filename = rsyslogd.cfg.in

--- a/stack/erp5/haproxy.cfg.in
+++ b/stack/erp5/haproxy.cfg.in
@@ -192,9 +192,6 @@ listen {{ name }}

  # remove X-Forwarded-For unless client presented a verified certificate
  http-request del-header X-Forwarded-For unless { ssl_c_verify 0 } { ssl_c_used 1 }
-  # set Remote-User if client presented a verified certificate
-  http-request del-header Remote-User
-  http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_verify 0 } { ssl_c_used 1 }

  # reject invalid host header before using it in path
  http-request deny deny_status 400 if { req.hdr(host) -m sub / }