Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 96282ef

Browse files
committed
Do not send Proxy-Authorization when using Camel proxy policy
1 parent 40965e4 commit 96282ef

2 files changed

Lines changed: 11 additions & 7 deletions

File tree

gateway/src/apicast/http_proxy.lua

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -167,7 +167,10 @@ function _M.request(upstream, proxy_uri)
167167
-- Only set "Proxy-Authorization" when sending HTTP request. When sent over HTTPS,
168168
-- the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has
169169
-- no visibility into the tunneled request.
170-
if not ngx.var.http_proxy_authorization and proxy_auth then
170+
--
171+
-- Also DO NOT set the header if using the camel proxy to avoid unintended leak of
172+
-- Proxy-Authorization header in requests
173+
if not ngx.var.http_proxy_authorization and proxy_auth and not upstream.skip_https_connect then
171174
ngx.req.set_header("Proxy-Authorization", proxy_auth)
172175
end
173176

t/apicast-policy-camel.t

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -318,6 +318,7 @@ EOF
318318

319319

320320
=== TEST 5: API backend connection uses http proxy with Basic Auth
321+
Check that the Proxy Authorization header is not sent
321322
--- configuration
322323
{
323324
"services": [
@@ -358,7 +359,7 @@ EOF
358359
access_by_lua_block {
359360
assert = require('luassert')
360361
local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
361-
assert.equals(proxy_auth, "Basic Zm9vOmJhcg==")
362+
assert.falsy(proxy_auth)
362363
ngx.say("yay, api backend")
363364
}
364365
}
@@ -371,6 +372,7 @@ yay, api backend
371372
using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT
372373

373374
=== TEST 6: API backend using all_proxy with Basic Auth
375+
Check that the Proxy Authorization header is not sent
374376
--- configuration
375377
{
376378
"services": [
@@ -411,7 +413,7 @@ using proxy: http://foo:[email protected]:$TEST_NGINX_HTTP_PROXY_PORT
411413
access_by_lua_block {
412414
assert = require('luassert')
413415
local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
414-
assert.equals(proxy_auth, "Basic Zm9vOmJhcg==")
416+
assert.falsy(proxy_auth)
415417
ngx.say("yay, api backend")
416418
}
417419
}
@@ -425,6 +427,7 @@ using proxy: http://foo:[email protected]:$TEST_NGINX_HTTP_PROXY_PORT
425427

426428

427429
=== TEST 7: using HTTPS proxy for backend with Basic Auth.
430+
Check that the Proxy Authorization header is not sent
428431
--- init eval
429432
$Test::Nginx::Util::PROXY_SSL_PORT = Test::APIcast::get_random_port();
430433
$Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
@@ -473,10 +476,6 @@ EOF
473476

474477
location /test {
475478
access_by_lua_block {
476-
assert = require('luassert')
477-
local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
478-
assert.falsy(proxy_auth)
479-
480479
ngx.say("yay, endpoint backend")
481480

482481
}
@@ -505,3 +504,5 @@ GET /test?user_key=test3
505504
<<EOF
506505
using proxy: http://foo:bar\@127.0.0.1:$Test::Nginx::Util::PROXY_SSL_PORT,
507506
EOF
507+
--- no_error_log eval
508+
[qr/\[error\]/, qr/\got header line: Proxy-Authorization: Basic Zm9vOmJhcg==/]

0 commit comments

Comments
 (0)