From 7ff3046c25cf6aec126da4a8eda9cf46abd36837 Mon Sep 17 00:00:00 2001 From: Jeff Ohrstrom Date: Thu, 8 Jan 2026 11:52:17 -0500 Subject: [PATCH] add strip_proxy_headers and strip_proxy_cookies to ood_portal.yml --- defaults/main/ood_portal.yml | 2 ++ .../config/ood_portal.yml.custom.apache2 | 15 ++++++++++++ .../config/ood_portal.yml.custom.httpd | 15 ++++++++++++ .../config/ood_portal.yml.default.apache2 | 12 ++++++++++ .../config/ood_portal.yml.default.httpd | 12 ++++++++++ .../config/ood_portal.yml.oidc.apache2 | 12 ++++++++++ .../fixtures/config/ood_portal.yml.oidc.httpd | 12 ++++++++++ molecule/default/vars/portal.yml | 5 +++- templates/ood_portal.yml.j2 | 24 +++++++++++++++++++ 9 files changed, 108 insertions(+), 1 deletion(-) diff --git a/defaults/main/ood_portal.yml b/defaults/main/ood_portal.yml index 5a8915f..48f08ca 100644 --- a/defaults/main/ood_portal.yml +++ b/defaults/main/ood_portal.yml @@ -20,6 +20,8 @@ maintenance_ip_allowlist: [] use_maintenance: true # security_csp_frame_ancestors: # security_strict_transport: +#strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +#strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] servername: localhost # proxy_server: diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 index debe5ee..9690c1d 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.custom.apache2 
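Review bot: The two new lines document a default that this role never applies: they are commented out, and the template only emits the key when the variable is defined, so the effective default is whatever consumes ood_portal.yml, and if that built-in list changes this comment silently goes stale. A short comment above them would make that explicit, e.g. `# Values shown are the consumer's built-in defaults; the role emits nothing unless these are set`. The same 19-entry list is now copied into the template's `{% else %}` branch and four fixtures, which is a lot of places to keep in sync for a setting that decides which credentials are stripped before proxying.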
@@ -116,6 +116,21 @@ security_csp_frame_ancestors: http://my.proxy.server.edu # Default: true when ssl is enabled, false otherwise security_strict_transport: True +# Fix Cross-Site-Request authentication headers proxying +# Example: +# strip_proxy_headers: [] +# Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +strip_proxy_headers: + - 'Authorization' + - 'OIDC_access_token' + +# Fix Cross-Site-Request authentication cookies proxying +# Example: +# strip_proxy_cookies: [] +# Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +strip_proxy_cookies: + - 'mod_auth_openidc_session' + # Root directory of the Lua handler code # Example: # lua_root: '/path/to/lua/handlers' diff --git a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd index 4fba974..59cea6f 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.custom.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.custom.httpd 
@@ -116,6 +116,21 @@ security_csp_frame_ancestors: http://my.proxy.server.edu # Default: true when ssl is enabled, false otherwise security_strict_transport: True +# Fix Cross-Site-Request authentication headers proxying +# Example: +# strip_proxy_headers: [] +# Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +strip_proxy_headers: + - 'Authorization' + - 'OIDC_access_token' + +# Fix Cross-Site-Request authentication cookies proxying +# Example: +# strip_proxy_cookies: [] +# Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +strip_proxy_cookies: + - 'mod_auth_openidc_session' + # Root directory of the Lua handler code # Example: # lua_root: '/path/to/lua/handlers' diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 b/molecule/default/fixtures/config/ood_portal.yml.default.apache2 index 2c3bcf0..6dd1f1c 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.default.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.default.apache2 
@@ -114,6 +114,18 @@ maintenance_ip_allowlist: [] # Default: true when ssl is enabled, false otherwise #security_strict_transport: false +# Fix Cross-Site-Request authentication headers proxying +# Example: +# strip_proxy_headers: [] +# Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +#strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] + +# Fix Cross-Site-Request authentication cookies proxying +# Example: +# strip_proxy_cookies: [] +# Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +#strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] + # Root directory of the Lua handler code # Example: # lua_root: '/path/to/lua/handlers' diff --git a/molecule/default/fixtures/config/ood_portal.yml.default.httpd b/molecule/default/fixtures/config/ood_portal.yml.default.httpd index 91d98ec..c20fbcb 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.default.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.default.httpd 
@@ -114,6 +114,18 @@ maintenance_ip_allowlist: [] # Default: true when ssl is enabled, false otherwise #security_strict_transport: false +# Fix Cross-Site-Request authentication headers proxying +# Example: +# strip_proxy_headers: [] +# Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +#strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] + +# Fix Cross-Site-Request authentication cookies proxying +# Example: +# strip_proxy_cookies: [] +# Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +#strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] + # Root directory of the Lua handler code # Example: # lua_root: '/path/to/lua/handlers' diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 index 330f25d..f7fc07b 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 +++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.apache2 
@@ -115,6 +115,18 @@ security_csp_frame_ancestors: http://my.proxy.server.edu # Default: true when ssl is enabled, false otherwise security_strict_transport: True +# Fix Cross-Site-Request authentication headers proxying +# Example: +# strip_proxy_headers: [] +# Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +#strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] + +# Fix Cross-Site-Request authentication cookies proxying +# Example: +# strip_proxy_cookies: [] +# Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +#strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] + # Root directory of the Lua handler code # Example: # lua_root: '/path/to/lua/handlers' diff --git a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd index 0a69151..a6a31d0 100644 --- a/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd +++ b/molecule/default/fixtures/config/ood_portal.yml.oidc.httpd 
@@ -115,6 +115,18 @@ security_csp_frame_ancestors: http://my.proxy.server.edu # Default: true when ssl is enabled, false otherwise security_strict_transport: True +# Fix Cross-Site-Request authentication headers proxying +# Example: +# strip_proxy_headers: [] +# Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +#strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] + +# Fix Cross-Site-Request authentication cookies proxying +# Example: +# strip_proxy_cookies: [] +# Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +#strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] + # Root directory of the Lua handler code # Example: # lua_root: '/path/to/lua/handlers' diff --git a/molecule/default/vars/portal.yml b/molecule/default/vars/portal.yml index 3fbd683..5358082 100644 --- a/molecule/default/vars/portal.yml +++ b/molecule/default/vars/portal.yml 
@@ -29,4 +29,7 @@ ood_auth_openidc: OIDCSessionMaxDuration: 28888 OIDCClientID: myid OIDCProviderMetadataURL: https://localhost/ - OIDCCryptoPassphrase: mycryptopass \ No newline at end of file + OIDCCryptoPassphrase: mycryptopass + +strip_proxy_cookies: ["mod_auth_openidc_session"] +strip_proxy_headers: ["Authorization", "OIDC_access_token"] \ No newline at end of file diff --git a/templates/ood_portal.yml.j2 b/templates/ood_portal.yml.j2 index c47cfb7..2853c04 100644 --- a/templates/ood_portal.yml.j2 +++ b/templates/ood_portal.yml.j2 
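Review bot: The test vars exercise only plain names, so the rendered fixtures (ood_portal.yml.custom.apache2 and ood_portal.yml.custom.httpd) never pin how the template quotes a value containing a backslash, even though the documented default `mod_auth_openidc_session_\\d+` is exactly such a value. Adding it here, `strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]`, and updating the two custom fixtures accordingly would make the molecule run catch a quoting regression in ood_portal.yml.j2. The file also still ends without a newline on the new side (`\ No newline at end of file`), which this edit could have fixed at the same time.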
@@ -153,6 +153,30 @@ maintenance_ip_allowlist: [] {% else %}#security_strict_transport: false {% endif %} +# Fix Cross-Site-Request authentication headers proxying +# Example: +# strip_proxy_headers: [] +# Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +{% if strip_proxy_headers is defined %} +strip_proxy_headers: +{% for item in strip_proxy_headers %} + - '{{ item }}' +{% endfor %} +{% else %}#strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"] +{% endif %} + +# Fix Cross-Site-Request authentication cookies proxying +# Example: +# strip_proxy_cookies: [] +# Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +{% if strip_proxy_cookies is defined %} +strip_proxy_cookies: +{% for item in strip_proxy_cookies %} + - '{{ item }}' +{% endfor %} +{% else %}#strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"] +{% endif %} + # Root directory of the Lua handler code # Example: # lua_root: '/path/to/lua/handlers'
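Review bot: Rendering entries as `- '{{ item }}'` turns a user-supplied `strip_proxy_headers: []` into a bare `strip_proxy_headers:` key, which YAML reads as null rather than an empty list, so the documented way to switch stripping off (`# Example: strip_proxy_headers: []`) does not round-trip through this template, and how the consumer treats null is not visible here; the same applies to the `strip_proxy_cookies` block later in the hunk. The single-quoted form also cannot represent an item containing a single quote, which would render invalid YAML. Emitting `[]` explicitly for an empty list and serializing each item with `to_json` (a JSON string is a valid YAML double-quoted scalar, so backslashes in patterns such as `mod_auth_openidc_session_\\d+` and any embedded quotes are escaped correctly) closes both gaps; the custom fixtures would then expect `"Authorization"` instead of `'Authorization'`.
```jinja
{% if strip_proxy_headers is defined %}
{% if strip_proxy_headers | length == 0 %}
strip_proxy_headers: []
{% else %}
strip_proxy_headers:
{% for item in strip_proxy_headers %}
  - {{ item | to_json }}
{% endfor %}
{% endif %}
{# … unchanged: else branch emitting the commented default list, and its endif … #}
{# … unchanged: strip_proxy_cookies block, restructured the same way … #}
```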