From b5fffd9a8d007d9744e3968622eadca3e96c5b49 Mon Sep 17 00:00:00 2001
From: David Beitey <david@davidjb.com>
Date: Wed, 30 Sep 2015 13:54:04 +1000
Subject: [PATCH] Add gotcha about subrequest header filtering

Turns out that subrequests aren't pushed through Nginx's header filters which means that a directive like add_header won't work in a shib_request (or auth_request etc).  Good to know!
---
 README.rst | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index fbe3c96..98b55a5 100644
--- a/README.rst
+++ b/README.rst
@@ -107,4 +107,15 @@ A simple example consists of the following::
         proxy_pass http://localhost:8080;
     }
 
-
+Note that we use the `headers-more-nginx-module <https://github.com/openresty/headers-more-nginx-module>`_
+to clear potentially dangerous input headers.
+
+Gotchas
+-------
+
+* Subrequests, such as the Shibboleth auth request, aren't processed through header filters.
+  This means that built-in directives like ``add_header`` will **not** work if configured
+  as part of the a ``/shibauthorizer`` block.  If you need to manipulate subrequest headers,
+  use ``more_set_headers`` from the module ``headers-more``.
+  
+  See http://forum.nginx.org/read.php?29,257271,257272#msg-257272.
-- 
GitLab