add strip_proxy_headers and strip_proxy_cookies to ood_portal.yml #280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

johrstrom merged 1 commit into master from proxy-headers

Jan 8, 2026

defaults/main/ood_portal.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -20,6 +20,8 @@ maintenance_ip_allowlist: [] @@
     use_maintenance: true
     # security_csp_frame_ancestors:
     # security_strict_transport:
+    #strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    #strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
     servername: localhost
     # proxy_server:
@@ Expand Down @@

molecule/default/fixtures/config/ood_portal.yml.custom.apache2

-Original file line number
+Diff line change
@@ Expand Up / @@ -116,6 +116,21 @@ security_csp_frame_ancestors: http://my.proxy.server.edu @@
     # Default: true when ssl is enabled, false otherwise
     security_strict_transport: True
+    # Fix Cross-Site-Request authentication headers proxying
+    # Example:
+    #   strip_proxy_headers: []
+    # Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    strip_proxy_headers:
+      - 'Authorization'
+      - 'OIDC_access_token'
+    # Fix Cross-Site-Request authentication cookies proxying
+    # Example:
+    #   strip_proxy_cookies: []
+    # Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    strip_proxy_cookies:
+      - 'mod_auth_openidc_session'
     # Root directory of the Lua handler code
     # Example:
     #     lua_root: '/path/to/lua/handlers'
@@ Expand Down @@

molecule/default/fixtures/config/ood_portal.yml.custom.httpd

-Original file line number
+Diff line change
@@ Expand Up / @@ -116,6 +116,21 @@ security_csp_frame_ancestors: http://my.proxy.server.edu @@
     # Default: true when ssl is enabled, false otherwise
     security_strict_transport: True
+    # Fix Cross-Site-Request authentication headers proxying
+    # Example:
+    #   strip_proxy_headers: []
+    # Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    strip_proxy_headers:
+      - 'Authorization'
+      - 'OIDC_access_token'
+    # Fix Cross-Site-Request authentication cookies proxying
+    # Example:
+    #   strip_proxy_cookies: []
+    # Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    strip_proxy_cookies:
+      - 'mod_auth_openidc_session'
     # Root directory of the Lua handler code
     # Example:
     #     lua_root: '/path/to/lua/handlers'
@@ Expand Down @@

molecule/default/fixtures/config/ood_portal.yml.default.apache2

-Original file line number
+Diff line change
@@ Expand Up / @@ -114,6 +114,18 @@ maintenance_ip_allowlist: [] @@
     # Default: true when ssl is enabled, false otherwise
     #security_strict_transport: false
+    # Fix Cross-Site-Request authentication headers proxying
+    # Example:
+    #   strip_proxy_headers: []
+    # Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    #strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    # Fix Cross-Site-Request authentication cookies proxying
+    # Example:
+    #   strip_proxy_cookies: []
+    # Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    #strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
     # Root directory of the Lua handler code
     # Example:
     #     lua_root: '/path/to/lua/handlers'
@@ Expand Down @@

molecule/default/fixtures/config/ood_portal.yml.default.httpd

-Original file line number
+Diff line change
@@ Expand Up / @@ -114,6 +114,18 @@ maintenance_ip_allowlist: [] @@
     # Default: true when ssl is enabled, false otherwise
     #security_strict_transport: false
+    # Fix Cross-Site-Request authentication headers proxying
+    # Example:
+    #   strip_proxy_headers: []
+    # Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    #strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    # Fix Cross-Site-Request authentication cookies proxying
+    # Example:
+    #   strip_proxy_cookies: []
+    # Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    #strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
     # Root directory of the Lua handler code
     # Example:
     #     lua_root: '/path/to/lua/handlers'
@@ Expand Down @@

molecule/default/fixtures/config/ood_portal.yml.oidc.apache2

-Original file line number
+Diff line change
@@ Expand Up / @@ -115,6 +115,18 @@ security_csp_frame_ancestors: http://my.proxy.server.edu @@
     # Default: true when ssl is enabled, false otherwise
     security_strict_transport: True
+    # Fix Cross-Site-Request authentication headers proxying
+    # Example:
+    #   strip_proxy_headers: []
+    # Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    #strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    # Fix Cross-Site-Request authentication cookies proxying
+    # Example:
+    #   strip_proxy_cookies: []
+    # Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    #strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
     # Root directory of the Lua handler code
     # Example:
     #     lua_root: '/path/to/lua/handlers'
@@ Expand Down @@

molecule/default/fixtures/config/ood_portal.yml.oidc.httpd

-Original file line number
+Diff line change
@@ Expand Up / @@ -115,6 +115,18 @@ security_csp_frame_ancestors: http://my.proxy.server.edu @@
     # Default: true when ssl is enabled, false otherwise
     security_strict_transport: True
+    # Fix Cross-Site-Request authentication headers proxying
+    # Example:
+    #   strip_proxy_headers: []
+    # Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    #strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    # Fix Cross-Site-Request authentication cookies proxying
+    # Example:
+    #   strip_proxy_cookies: []
+    # Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    #strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
     # Root directory of the Lua handler code
     # Example:
     #     lua_root: '/path/to/lua/handlers'
@@ Expand Down @@

molecule/default/vars/portal.yml

-Original file line number
+Diff line change
@@ Expand Up / @@ -29,4 +29,7 @@ ood_auth_openidc: @@
       OIDCSessionMaxDuration: 28888
       OIDCClientID: myid
       OIDCProviderMetadataURL: https://localhost/
-      OIDCCryptoPassphrase: mycryptopass
+      OIDCCryptoPassphrase: mycryptopass
+    strip_proxy_cookies: ["mod_auth_openidc_session"]
+    strip_proxy_headers: ["Authorization", "OIDC_access_token"]

templates/ood_portal.yml.j2

-Original file line number
+Diff line change
@@ Expand Up / @@ -153,6 +153,30 @@ maintenance_ip_allowlist: [] @@
     {% else %}#security_strict_transport: false
     {% endif %}
+    # Fix Cross-Site-Request authentication headers proxying
+    # Example:
+    #   strip_proxy_headers: []
+    # Default: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    {% if strip_proxy_headers is defined %}
+    strip_proxy_headers:
+    {% for item in strip_proxy_headers  %}
+      - '{{ item }}'
+    {% endfor %}
+    {% else %}#strip_proxy_headers: ["Authorization", "OIDC_CLAIM_sub", "OIDC_CLAIM_preferred_username", "OIDC_CLAIM_given_name", "OIDC_CLAIM_zoneinfo", "OIDC_CLAIM_locale", "OIDC_CLAIM_email", "OIDC_CLAIM_email_verified", "OIDC_CLAIM_iss", "OIDC_CLAIM_nonce", "OIDC_CLAIM_aud", "OIDC_CLAIM_acr", "OIDC_CLAIM_azp", "OIDC_CLAIM_auth_time", "OIDC_CLAIM_exp", "OIDC_CLAIM_iat", "OIDC_CLAIM_jti", "OIDC_access_token", "OIDC_access_token_expires"]
+    {% endif %}
+    # Fix Cross-Site-Request authentication cookies proxying
+    # Example:
+    #   strip_proxy_cookies: []
+    # Default: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    {% if strip_proxy_cookies is defined %}
+    strip_proxy_cookies:
+    {% for item in strip_proxy_cookies  %}
+      - '{{ item }}'
+    {% endfor %}
+    {% else %}#strip_proxy_cookies: ["mod_auth_openidc_session_\\d+", "mod_auth_openidc_session"]
+    {% endif %}
     # Root directory of the Lua handler code
     # Example:
     #     lua_root: '/path/to/lua/handlers'
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add strip_proxy_headers and strip_proxy_cookies to ood_portal.yml #280

Uh oh!

Diff view

Diff view

There are no files selected for viewing