not a passenger issue (was: underscores_in_headers on; is not working on Passenger 4.0.60)

[salmanasiddiqui]

Question 1: What is the problem?

• What is the expected behavior?
• What is the actual behavior?
• How can we reproduce it? Please try to provide a sample application (or Virtual Machine) demonstrating the issue. Otherwise, if we can't reproduce it, we might have to ask you a number of followup questions or run certain commands to try and figure out the problem.

Be as detailed as possible in your descriptions, include any logs and stack traces (don't just cut/paste the error, provide some logging before that too).

(if you are requesting a feature instead of reporting an issue, describe here what you have in mind and how it would help you)

Your answer:

• my rails controller should receive header having underscores
• my rails controller is not receiving header having underscores
• 1. Run rails app with passenger
• 2. send a request with headers having underscores. E.g: client_id.
• 3. Access client-id or client_id in your controller

Question 2: Passenger version and integration mode:

• For example: open source 5.0.26 standalone; enterprise 5.0.21/nginx

Your answer:

• Passenger version 4.0.60

Question 3: OS or Linux distro, platform (including version):

• For example: Debian 8, x86_64 or OS X 10.10 Yosemite, x86_64

Your answer:

• Amazon Linux and Ubuntu 16.04

Question 4: Passenger installation method:

Your answer: [ ] RubyGems + Gemfile [ ] RubyGems, no Gemfile [ ] Phusion APT repo [ ] Phusion YUM repo [ ] OS X Homebrew [ ] source tarball [ Y ] Other, please specify:

• I am using ElasticBeanstalk with passenger standalone ami. EB creates the instance with passenger preinstalled. I don't how EB created the AMI. But I have passenger in my gemfile.

Question 5: Your app's programming language (including any version managers) and framework (including versions):

• For example: Ruby 2.3.0, RVM, Rails 5.0.0; Node.js 4.0.0 with Express 4.13.4

Your answer:

• Ruby 2.3.1, Rails 5.0.0.1

Question 6: Are you using a PaaS and/or containerization? If so which one?

• For example: Heroku, Amazon Container Services, Docker 1.9 with an image based on passenger-docker

Your answer:

Question 7: Anything else about your setup that we should know?

Your answer:

• The issue is reproducible on local environment aswell running on Ubuntu 16.10

[OnixGH]

Headers with underscores represent a security issue and are being filtered on purpose:

https://blog.phusion.nl/2015/12/07/cve-2015-7519/

[salmanasiddiqui]

So you mean underscores_in_headers on; in config.erb has no effect whatsoever?

[OnixGH]

That is an Nginx directive and has the effect that Nginx changes its behavior. Passenger will still drop the underscored header to resolve the vulnerability.

[salmanasiddiqui]

sorry to ping again. I am still confused. Passenger default nginx configuration template has underscores_in_headers on; But you are saying that passenger ignores it?

Is there any configuration or a way to let passenger 4.0.60 pass my specific headers with underscores?

[OnixGH]

Please see the blog link I gave for workarounds.

[salmanasiddiqui]

for anyone who wants to workaround the same issue:

http://thedataasylum.com/articles/adding-headers-to-requests-using-nginx-and-passenger.html

passenger_set_cgi_param HTTP_X_FORWARDED_FOR 127.0.0.1; Notice that the header name is all upper case, and has HTTP_ prefixed.

[matuszewskijan]

I was struggling with underscore headers removed by the Nginx/Passenger. Simply applying underscores_in_headers on; didn't work as it's a Nginx configuration as far as I understand it and Passenger still rewrites it.

What I did to fix it I have added a map definition to store the desired header in a variable Api_key in my case:

map $http_api_key $renamed_api_key {
    default "";  # Default case when the header is not present
    "~^(.+)$" $1;  # Pass through the original header value
}

and later in the server definition, I have added passenger_set_header API-KEY $renamed_api_key; The trick is that I am replacing underscore with a dash before it's passed further.

In my case an external API were sending us an authorization header with the underscores and so we just needed to access and change characters in one header.