Closed luc-vocab closed 5 months ago
Headers are passed through in their canonical form, i.e. with dashes. So Api-Key.
What I see in flask (behind the caddy reverse proxy) is that headers with underscores are simply not passed through. I could be wrong, I'll double check.
I think this config: header_up api_key with no value overwrites the Api-Key field with an empty value.
How do I allow passing through api_key unchanged? This used to work.
This already works -- the header is not stripped, but the header is canonicalized/normalized to help prevent request smuggling/ambiguities. It's a security precaution.
Using this config:
:1234 {
	reverse_proxy 127.0.0.1:1235
}
:1235 {
	respond "API Key: {header.api_Key}"
}
and this request:
$ curl -v "http://localhost:1234" -H "api_key: asdf"
The output is:
API Key: asdf
HTTP specification requires that HTTP headers are case-insensitive: https://www.rfc-editor.org/rfc/rfc9110.html#section-5.1
Applications that require case-sensitive header fields are in violation of the HTTP spec.
Understood, thank you.
FYI, it turns out my bug has nothing to do with Caddy, and is due to this gunicorn 22.0.0 change: https://github.com/benoitc/gunicorn/commit/72b8970dbf2bf3444eb2e8b12aeff1a3d5922a9a. Obviously I should not have chosen "api_key" as a header; I will be remediating this.
Gotcha. Thanks for following-up!
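Why a header spelled api_key can vanish at a WSGI backend, as an added example that is not code from gunicorn, Caddy or the posters in this thread: a simplified model of the CGI/WSGI name mapping, where Api-Key and api_key land on the same environ key. The function names are hypothetical, and the three policy names are assumed to mirror gunicorn's header_map setting (drop being the default since 22.0.0).

```python
# Simplified model (assumption: policy names mirror gunicorn's header_map setting).

def environ_key(name: str) -> str:
    """CGI/WSGI convention: HTTP_ prefix, upper-case, dashes become underscores."""
    return "HTTP_" + name.upper().replace("-", "_")


class AmbiguousHeader(Exception):
    """Raised under the 'refuse' policy (a server would answer with an error)."""


def build_environ(headers, header_map="drop"):
    """Map (name, value) pairs into a WSGI-style environ dict.

    header_map is one of 'drop', 'refuse' or 'dangerous'.
    """
    if header_map not in ("drop", "refuse", "dangerous"):
        raise ValueError(f"unknown policy: {header_map}")
    environ = {}
    for name, value in headers:
        if "_" in name:
            # An underscore cannot be told apart from a dash after mapping.
            if header_map == "refuse":
                raise AmbiguousHeader(name)
            if header_map == "drop":
                continue  # silently discarded: the app never sees it
        key = environ_key(name)
        # Repeated fields are comma-joined, so colliding names merge silently.
        environ[key] = f"{environ[key]},{value}" if key in environ else value
    return environ


# Constructed sample request carrying both spellings of the header.
SAMPLE = [("Host", "localhost:1235"), ("Api-Key", "from-proxy"), ("api_key", "asdf")]

if __name__ == "__main__":
    for policy in ("dangerous", "drop"):
        print(policy, build_environ(SAMPLE, policy))
```

Renaming the header to a dash-only form such as Api-Key keeps it unambiguous under every policy, which is the remediation the poster settles on.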
I have two deployments of caddy in reverse proxy mode, which are used in an app that requires headers with underscores in them (for example api_key).
Is there a way to configure caddy to allow such headers through in proxy mode? I started reading here https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#header_up but I'm not very clear how it would work, for example I've tried