Open fvanderbiest opened 8 years ago
Mixed feelings about this, since it allows admins to detect badly configured services (relying on a user-provided header for content can lead to bad things) and fix them (cf geopicardie/osm-geopic-docker@d79d49d - and I just realized some of my services also had this issue - somehow, this only shows when apache is the RP in front of georchestra, not nginx ?)
The service admin needs to make sure he sanitizes the X-Forwarded-* headers in his reverse proxy before sending the request to a backend server.
Why were those headers sent in the first place ? I've read georchestra/georchestra#782 which adds the workaround for broken services, but haven't found the justification for sending them. Header auth ?
> this only shows when apache is the RP in front of georchestra, not nginx ?
Yes, IIRC, apache adds these headers when acting as a RP.
I'm wondering if we should not have
header0.value=.*
in https://github.com/georchestra/datadir/blob/master/security-proxy/removed-xforwarded-headers.properties ie: x-forwarded headers should not be sent to any server.
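The two options discussed in this thread, sanitizing the client's X-Forwarded-* headers at the reverse proxy before it talks to the backend, or not forwarding them at all, can be seen side by side in the added example below. This is illustrative code written for this page, not the georchestra security-proxy or its `removed-xforwarded-headers.properties` logic; the function names, the constructed request headers and the hostnames are all assumptions.

```python
"""Added example (not georchestra code): why a backend that builds content
from X-Forwarded-* headers is only safe if the reverse proxy in front of it
either rewrites those headers from its own view of the request or drops them.
"""
from typing import Dict, Optional, Tuple

# Header names that describe the proxy chain. A value for any of these that
# arrives from the client (rather than from our own proxy) must not be trusted.
FORWARDED_PREFIX = "x-forwarded-"
OTHER_FORWARDED_HEADERS = {"forwarded", "x-real-ip"}


def is_forwarded_header(name: str) -> bool:
    """True for X-Forwarded-*, Forwarded and X-Real-IP (case-insensitive)."""
    lowered = name.lower()
    return lowered.startswith(FORWARDED_PREFIX) or lowered in OTHER_FORWARDED_HEADERS


def sanitize_forwarded_headers(
    client_headers: Dict[str, str],
    client_ip: str,
    public_scheme: str,
    public_host: str,
    emit_forwarded: bool = True,
) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build the header set a reverse proxy should send to its backend.

    Every client-supplied forwarding header is removed. With emit_forwarded=True
    the proxy then sets X-Forwarded-For/Proto/Host from what *it* knows about the
    connection (the "sanitize in the RP" option). With emit_forwarded=False no
    forwarding headers reach the backend at all (the "do not send them to any
    server" option). Returns (headers_to_backend, dropped_client_headers).
    """
    outgoing: Dict[str, str] = {}
    dropped: Dict[str, str] = {}
    for name, value in client_headers.items():
        if is_forwarded_header(name):
            dropped[name] = value
        else:
            outgoing[name] = value
    if emit_forwarded:
        outgoing["X-Forwarded-For"] = client_ip
        outgoing["X-Forwarded-Proto"] = public_scheme
        outgoing["X-Forwarded-Host"] = public_host
    return outgoing, dropped


def backend_base_url(headers: Dict[str, str], configured_base_url: Optional[str] = None) -> str:
    """Model a backend that derives its public base URL for generated content.

    A backend with an explicitly configured base URL never looks at request
    headers. One without it falls back to X-Forwarded-Proto/Host, then Host,
    which is exactly the "relying on a user-provided header for content"
    pattern the thread warns about when the proxy does not sanitize.
    """
    if configured_base_url:
        return configured_base_url.rstrip("/")
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme = lowered.get("x-forwarded-proto", "http")
    host = lowered.get("x-forwarded-host", lowered.get("host", "localhost"))
    return f"{scheme}://{host}"


if __name__ == "__main__":
    # Constructed request: a client that sets its own forwarding headers.
    client_request = {
        "Host": "sdi.example.org",
        "Accept": "*/*",
        "X-Forwarded-Host": "attacker.example",
        "x-forwarded-proto": "http",
    }
    print("unsanitized ->", backend_base_url(client_request))
    rewritten, dropped = sanitize_forwarded_headers(
        client_request, "203.0.113.5", "https", "sdi.example.org"
    )
    print("dropped     ->", dropped)
    print("rewritten   ->", backend_base_url(rewritten))
    stripped, _ = sanitize_forwarded_headers(
        client_request, "203.0.113.5", "https", "sdi.example.org", emit_forwarded=False
    )
    print("stripped    ->", backend_base_url(stripped))
```

Running it shows the backend's generated base URL following the client-chosen host when headers pass through untouched, the proxy's own host once the proxy rewrites them, and plain `Host` when forwarding headers are not sent at all; the last case is the one where an https-only deployment loses the scheme, which is why rewriting at the proxy is usually preferable to dropping.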