caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

reverse_proxy: how to prevent stripping of headers with underscores / _ ? #6271

Closed luc-vocab closed 5 months ago

luc-vocab commented 5 months ago

I have two deployments of caddy in reverse proxy mode, which are used in an app that requires headers with underscores in them (for example api_key).

Is there a way to configure caddy to allow such headers through in proxy mode? I started reading here https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#header_up but I'm not very clear how it would work, for example I've tried

    reverse_proxy http://127.0.0.1:8042 {
        header_up api_key
    }
francislavoie commented 5 months ago

Headers are passed through in their canonical form, i.e. with dashes. So Api-Key.

luc-vocab commented 5 months ago

What I see in flask (behind the caddy reverse proxy) is that headers with underscores are simply not passed through. I could be wrong, I'll double check.

mholt commented 5 months ago

I think this config: header_up api_key with no value overwrites the Api-Key field with an empty value.

luc-vocab commented 5 months ago

How do I allow passing through api_key unchanged? This used to work.

mholt commented 5 months ago

This already works -- the header is not stripped, but the header is canonicalized/normalized to help prevent request smuggling/ambiguities. It's a security precaution.

Using this config:

:1234 {
    reverse_proxy 127.0.0.1:1235
}
:1235 {
    respond "API Key: {header.api_Key}"
}

and this request:

$ curl -v "http://localhost:1234" -H "api_key: asdf"

The output is:

API Key: asdf

HTTP specification requires that HTTP headers are case-insensitive: https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1

Applications that require case-sensitive header fields are in violation of the HTTP spec.
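As an added example (not code from this thread or from Caddy itself), the canonicalization described above reproduced with Go's standard library: the request is parsed the way a Go HTTP server parses it, then pushed through httputil.ReverseProxy, which is assumed here to stand in for Caddy's reverse_proxy. The raw request and the backend.invalid upstream host are constructed placeholders.

```go
package main

import (
	"bufio"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/textproto"
	"net/url"
	"strings"
)

// canonicalize applies the normalization Go's net/http gives every header name
// it parses: first letter and letters after a hyphen upper-cased, the rest
// lower-cased. Underscore is a plain token byte, so "api_key" -> "Api_key".
func canonicalize(name string) string {
	return textproto.CanonicalMIMEHeaderKey(name)
}

// roundTripperFunc lets a plain function act as the proxy's upstream transport,
// so the "backend" runs in-process and no sockets are opened.
type roundTripperFunc func(*http.Request) (*http.Response, error)

func (f roundTripperFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// proxyHeadersSeenByBackend parses rawRequest exactly as a Go HTTP server would
// (this is where header names get canonicalized), pushes it through the standard
// library's httputil.ReverseProxy (an assumption standing in for Caddy's
// reverse_proxy) and returns the header map the backend received.
func proxyHeadersSeenByBackend(rawRequest string) (http.Header, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(rawRequest)))
	if err != nil {
		return nil, err
	}
	var seen http.Header
	// Placeholder upstream host; the transport below never dials it.
	proxy := httputil.NewSingleHostReverseProxy(&url.URL{Scheme: "http", Host: "backend.invalid"})
	proxy.Transport = roundTripperFunc(func(out *http.Request) (*http.Response, error) {
		seen = out.Header.Clone() // what the backend would see on the wire
		return httptest.NewRecorder().Result(), nil // empty 200 reply
	})
	proxy.ServeHTTP(httptest.NewRecorder(), req)
	return seen, nil
}

func main() {
	// Constructed request: the same shape as the curl call in the thread.
	seen, _ := proxyHeadersSeenByBackend("GET / HTTP/1.1\r\nHost: app.example\r\napi_key: asdf\r\n\r\n")
	println(seen.Get("API_KEY"), seen["api_key"] == nil, seen["Api-Key"] == nil) // asdf true true
}
```

The backend receives the field under the key Api_key, so a case-insensitive lookup for any spelling of api_key succeeds, while a backend that indexes the raw lower-case spelling (or expects a dash) finds nothing.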

luc-vocab commented 5 months ago

Understood, thank you.

luc-vocab commented 5 months ago

FYI, it turns out my bug has nothing to do with Caddy, and is due to this gunicorn 22.0.0 change: https://github.com/benoitc/gunicorn/commit/72b8970dbf2bf3444eb2e8b12aeff1a3d5922a9a. Obviously I should not have chosen "api_key" as a header; I will be remediating this.

mholt commented 5 months ago

Gotcha. Thanks for following up!