Commit 2c3a5d0c authored by David Beitey
Replace non-working clear_input_headers, fixes #13

parent 22fcefa3
......@@ -157,8 +157,7 @@ variables are passed around as headers.
#A secured location. Here all incoming requests query the
#FastCGI authorizer. Watch out for performance issues and spoofing.
location /secure {
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
include shib_clear_headers;
#Add your attributes here. They get introduced as headers
#by the FastCGI authorizer so we must prevent spoofing.
more_clear_input_headers 'displayName' 'mail' 'persistent-id';
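Review bot: the contents of `shib_clear_headers` are not in this diff, so the hunk alone does not show that the include clears every header the removed `more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';` line targeted; quote or link the included file in the commit so the replacement can be checked header for header. Note also that `include shib_clear_headers;` is a bare filename, which nginx resolves relative to its configuration directory, so the example should say where the file must be installed. The per-application `more_clear_input_headers 'displayName' 'mail' 'persistent-id';` line is unchanged, so attribute headers still have to be listed by hand and any attribute left off that list would still reach the backend unfiltered.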
......@@ -173,7 +172,7 @@ variables are passed around as headers.
proxy_pass http://localhost:8080;
location = /secure2/shibboleth {
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
include shib_clear_headers;
#Add your attributes here. They get introduced as headers
#by the FastCGI authorizer so we must prevent spoofing.
more_clear_input_headers 'displayName' 'mail' 'persistent-id';
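Review bot: this mirrors the `/secure` hunk, which keeps the two protected locations consistent, but both now depend on the single `shib_clear_headers` include; a short comment next to each `include shib_clear_headers;` pointing at that file's location would make it clear to someone editing one block that the other block's clearing policy lives in the same place.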
......@@ -158,13 +158,19 @@ An example consists of the following::
# A secured location. All incoming requests query the Shibboleth FastCGI authorizer.
# Watch out for performance issues and spoofing!
location /secure {
more_clear_input_headers 'Variable-*' 'Shib-*' 'Remote-User' 'REMOTE_USER' 'Auth-Type' 'AUTH_TYPE';
shib_request /shibauthorizer;
shib_request_use_headers on;
# Attributes from Shibboleth are introduced as headers by the FastCGI
# authorizer so we must prevent spoofing. The
# ``shib_clear_headers`` is a set of default header directives,
# available in the `includes/` directory in this repository.
include shib_clear_headers;
# Add your attributes here. They get introduced as headers
# by the FastCGI authorizer so we must prevent spoofing.
# Add *all* attributes that your application uses, including all
#variations.
more_clear_input_headers 'displayName' 'mail' 'persistent-id';
shib_request /shibauthorizer;
# Backend application that will receive Shibboleth variables as request
# headers from the FastCGI authorizer
proxy_pass http://localhost:8080;
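Review bot: the comment block is now partly duplicated: `# Attributes from Shibboleth are introduced as headers by the FastCGI` / `# authorizer so we must prevent spoofing.` is immediately followed by `# Add your attributes here. They get introduced as headers` / `# by the FastCGI authorizer so we must prevent spoofing.`, which says the same thing; fold them into one comment. `#variations.` lacks the space after `#` that every other comment line uses, and "including all variations" is vague: the removed line above clears both `Remote-User` and `REMOTE_USER`, so state explicitly that each attribute must be cleared in every spelling the application might read. Finally, `includes/` is written with single backticks while the README uses double backticks (``shib_clear_headers``) for literals; inside this `::` literal block it renders verbatim either way, so pick one style.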
......@@ -176,7 +182,7 @@ An example consists of the following::
# supports parameters (by using the appropriate *_param option)
#
# The ``shib_fastcgi_params`` is an optional set of default parameters,
# available in this repository.
# available in the `includes/` directory in this repository.
location /secure-environment-vars {
shib_request /shibauthorizer;
include shib_fastcgi_params;
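Review bot: `include shib_fastcgi_params;` is a bare filename, so nginx looks for it relative to its configuration directory, not in this repository's `includes/` directory that the updated comment names; the comment should say the file has to be copied there (or referenced by an absolute path) for the example to work as written.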
......@@ -192,11 +198,18 @@ Note that we use the `headers-more-nginx-module
potentially dangerous input headers and avoid the potential for spoofing. The
latter example with environment variables isn't susceptible to header
spoofing, as long as the backend reads data from the environment parameters
**only**. Bear in mind that some applications will try to read a
**only**.
A `default configuration
<https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/config/shib_clear_headers>`_
is available to clear the basic headers from the Shibboleth authorizer, but
you must ensure you write your own clear directives for all attributes your
application uses. Bear in mind that some applications will try to read a
Shibboleth attribute from the environment and then fall back to headers, so
review your application's code even if you are not using
``shib_request_use_headers``.
With use of ``shib_request_set``, a `default params
<https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/config/shib_fastcgi_params>`_
file is available which you can use as an nginx ``include`` to ensure all core
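Review bot: the two links point at `config/shib_clear_headers` and `config/shib_fastcgi_params`, but the comments added to the example in this same commit say the files live in the `includes/` directory; one of the two is wrong and a reader following the README would look in the wrong place. The new paragraph correctly stresses that the default file only clears the basic authorizer headers and that application attributes need their own clear directives; pointing at the `more_clear_input_headers 'displayName' 'mail' 'persistent-id';` line in the `/secure` example as the pattern to copy would make that actionable.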