phusion / passenger

A fast and robust web server and application server for Ruby, Python and Node.js
https://www.phusionpassenger.com/
MIT License

not a passenger issue (was: underscores_in_headers on; is not working on Passenger 4.0.60) #1917

Closed salmanasiddiqui closed 7 years ago

salmanasiddiqui commented 7 years ago

Question 1: What is the problem?

Be as detailed as possible in your descriptions, include any logs and stack traces (don't just cut/paste the error, provide some logging before that too).

(if you are requesting a feature instead of reporting an issue, describe here what you have in mind and how it would help you)

Your answer:

Question 2: Passenger version and integration mode:

Your answer:

Question 3: OS or Linux distro, platform (including version):

Your answer:

Question 4: Passenger installation method:

Your answer: [ ] RubyGems + Gemfile [ ] RubyGems, no Gemfile [ ] Phusion APT repo [ ] Phusion YUM repo [ ] OS X Homebrew [ ] source tarball [ Y ] Other, please specify:

Question 5: Your app's programming language (including any version managers) and framework (including versions):

Your answer:

Question 6: Are you using a PaaS and/or containerization? If so which one?

Your answer:

Question 7: Anything else about your setup that we should know?

Your answer:

OnixGH commented 7 years ago

Headers with underscores represent a security issue and are being filtered on purpose:

https://blog.phusion.nl/2015/12/07/cve-2015-7519/

salmanasiddiqui commented 7 years ago

So you mean underscores_in_headers on; in config.erb has no effect whatsoever?

OnixGH commented 7 years ago

That is an Nginx directive and has the effect that Nginx changes its behavior. Passenger will still drop the underscored header to resolve the vulnerability.

salmanasiddiqui commented 7 years ago

Sorry to ping again. I am still confused. Passenger's default nginx configuration template has underscores_in_headers on; but you are saying that Passenger ignores it?

Is there any configuration or a way to let passenger 4.0.60 pass my specific headers with underscores?

OnixGH commented 7 years ago

Please see the blog link I gave for workarounds.

salmanasiddiqui commented 7 years ago

For anyone who wants to work around the same issue:

http://thedataasylum.com/articles/adding-headers-to-requests-using-nginx-and-passenger.html

passenger_set_cgi_param HTTP_X_FORWARDED_FOR 127.0.0.1; Notice that the header name is all upper case and is prefixed with HTTP_.

matuszewskijan commented 6 months ago

I was struggling with underscore headers removed by Nginx/Passenger. Simply applying underscores_in_headers on; didn't work, as it's an Nginx configuration as far as I understand it, and Passenger still rewrites it.

What I did to fix it: I added a map definition to store the desired header (Api_key in my case) in a variable:

map $http_api_key $renamed_api_key {
    default "";  # Default case when the header is not present
    "~^(.+)$" $1;  # Pass through the original header value
}

Later, in the server definition, I added passenger_set_header API-KEY $renamed_api_key; The trick is that I am replacing the underscore with a dash before it's passed further.

In my case an external API was sending us an authorization header with underscores, so we just needed to access and change the characters in one header.
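The two points in this thread, why Passenger drops underscored headers regardless of underscores_in_headers (the collision behind the CVE OnixGH linked), and how the map + passenger_set_header rename from the last comment survives that filter, modelled as an added Python example. This is not Passenger's or nginx's code; the request headers, the `cgi_name`, `nginx_var` and `rename_at_edge` helpers, and the sample values are all constructed for illustration.

```python
"""
Added example, not Passenger's or nginx's own code. Models the CGI header
translation that makes 'X-User' and 'X_User' collide, the filter that drops
underscored names, and a proxy-side rename of one known underscored header.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # raw request headers, in arrival order


def cgi_name(header_name: str) -> str:
    """CGI/WSGI translation: upper-case, '-' -> '_', prefix HTTP_.
    Both 'X-User' and 'X_User' become HTTP_X_USER, which is the collision."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def to_cgi_env(headers: Headers) -> Dict[str, str]:
    """Naive translation, last value wins, so a later underscored spelling
    can shadow a dashed header that a trusted proxy set earlier."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env[cgi_name(name)] = value
    return env


def drop_underscored(headers: Headers) -> Headers:
    """Defensive filter: discard any header whose name contains '_'.
    This is the behaviour the thread says Passenger applies, independent of
    nginx's underscores_in_headers setting."""
    return [(n, v) for n, v in headers if "_" not in n]


def nginx_var(headers: Headers, var_suffix: str) -> str:
    """Model of nginx's $http_<name> lookup (constructed helper): the header
    name is lower-cased with '-' replaced by '_' and compared with the suffix.
    Returns "" when absent, matching the map's `default ""`."""
    for name, value in headers:
        if name.lower().replace("-", "_") == var_suffix:
            return value
    return ""


def rename_at_edge(headers: Headers, renames: Dict[str, str]) -> Headers:
    """The map + passenger_set_header trick: read the underscored header via
    its $http_ variable, forward it under a dashed name, and let the filter
    drop the underscored original. Only names listed in `renames` survive."""
    forwarded = drop_underscored(headers)
    for var_suffix, new_name in renames.items():
        value = nginx_var(headers, var_suffix)
        if value:
            forwarded.append((new_name, value))
    return forwarded


# Constructed request: X-User was set by a trusted proxy, X_User is a second
# spelling from the client that lands in the same CGI slot, and Api_key is a
# legitimate third-party header that happens to use an underscore.
REQUEST: Headers = [
    ("Host", "app.example"),
    ("X-User", "alice"),
    ("X_User", "admin"),
    ("Api_key", "k-12345"),
]


def demo() -> Dict[str, Dict[str, str]]:
    """Returns the three environments side by side for comparison."""
    return {
        "naive": to_cgi_env(REQUEST),
        "filtered": to_cgi_env(drop_underscored(REQUEST)),
        "renamed": to_cgi_env(rename_at_edge(REQUEST, {"api_key": "API-KEY"})),
    }


if __name__ == "__main__":
    for label, env in demo().items():
        print(label, {k: v for k, v in env.items() if k != "HTTP_HOST"})
```

The naive translation hands the app HTTP_X_USER=admin, the filtered one keeps the proxy's alice and loses Api_key entirely, and the rename keeps alice while delivering the key as HTTP_API_KEY. Two caveats follow from the model: the map only sees Api_key at all because underscores_in_headers is on (which the thread says the Passenger template sets), and nginx's $http_api_key lookup is itself normalized, so it would also match an Api-Key spelling; the rename is therefore only appropriate for a header the application treats as untrusted client input, never as a way to reintroduce a header it trusts because a proxy set it.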