
Commit

Do not send Proxy-Authorization when using Camel proxy policy
An Tran authored and tkan145 committed Nov 7, 2023
1 parent 260dca5 commit 4769da4
Showing 2 changed files with 11 additions and 7 deletions.
5 changes: 4 additions & 1 deletion gateway/src/apicast/http_proxy.lua
@@ -167,7 +167,10 @@ function _M.request(upstream, proxy_uri)
-- Only set "Proxy-Authorization" when sending HTTP request. When sent over HTTPS,
-- the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has
-- no visibility into the tunneled request.
if not ngx.var.http_proxy_authorization and proxy_auth then
--
-- Also DO NOT set the header if using the camel proxy to avoid unintended leak of
-- Proxy-Authorization header in requests
if not ngx.var.http_proxy_authorization and proxy_auth and not upstream.skip_https_connect then
ngx.req.set_header("Proxy-Authorization", proxy_auth)
end

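Review bot: the new guard keys on `upstream.skip_https_connect`, but the comment above it talks about "the camel proxy"; say in that comment that `skip_https_connect` is the flag the camel policy sets, otherwise a reader of http_proxy.lua cannot see why that field decides whether `Proxy-Authorization` is set. With the flag set, the credentials that produced `proxy_auth` are silently discarded, so a camel proxy that does require authentication will receive an unauthenticated request with nothing in the log explaining why; a debug-level log line in the skipped case would make that diagnosable. The first clause, `not ngx.var.http_proxy_authorization`, still means a client-supplied `Proxy-Authorization` header is left untouched; that is pre-existing behaviour, but since the new comment is specifically about not leaking this header it deserves a sentence there too.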
13 changes: 7 additions & 6 deletions t/apicast-policy-camel.t
@@ -318,6 +318,7 @@ EOF


=== TEST 5: API backend connection uses http proxy with Basic Auth
Check that the Proxy Authorization header is not sent
--- configuration
{
"services": [
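Review bot: the header is `Proxy-Authorization` with a hyphen; write it that way in the description (here and in the matching lines added to TEST 6 and TEST 7) so a search for the header name finds the tests. The title still reads "uses http proxy with Basic Auth" while the body now asserts the header is absent; naming the camel policy in the title, e.g. "... with Basic Auth under the camel policy", would say why absence is the expected outcome.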
@@ -358,7 +359,7 @@ EOF
access_by_lua_block {
assert = require('luassert')
local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
assert.equals(proxy_auth, "Basic Zm9vOmJhcg==")
assert.falsy(proxy_auth)
ngx.say("yay, api backend")
}
}
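Review bot: `assert.falsy(proxy_auth)` accepts both `nil` and `false`; since `ngx.req.get_headers()` returns `nil` for an absent header, `assert.is_nil(proxy_auth)` states the intent more precisely. The replaced `assert.equals(proxy_auth, "Basic Zm9vOmJhcg==")` line also acted as a positive control that the `foo:bar` credentials reached this location; with it gone, nothing in this hunk shows the credentials are used anywhere, so the test would also pass if the proxy were never consulted. Consider an assertion on the proxy side (or a log check) that can fail when the credentials go missing.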
@@ -371,6 +372,7 @@ yay, api backend
using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT

=== TEST 6: API backend using all_proxy with Basic Auth
Check that the Proxy Authorization header is not sent
--- configuration
{
"services": [
@@ -411,7 +413,7 @@ using proxy: http://foo:[email protected]:$TEST_NGINX_HTTP_PROXY_PORT
access_by_lua_block {
assert = require('luassert')
local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
assert.equals(proxy_auth, "Basic Zm9vOmJhcg==")
assert.falsy(proxy_auth)
ngx.say("yay, api backend")
}
}
@@ -425,6 +427,7 @@ using proxy: http://foo:[email protected]:$TEST_NGINX_HTTP_PROXY_PORT


=== TEST 7: using HTTPS proxy for backend with Basic Auth.
Check that the Proxy Authorization header is not sent
--- init eval
$Test::Nginx::Util::PROXY_SSL_PORT = Test::APIcast::get_random_port();
$Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port();
@@ -473,10 +476,6 @@ EOF

location /test {
access_by_lua_block {
assert = require('luassert')
local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']
assert.falsy(proxy_auth)

ngx.say("yay, endpoint backend")

}
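Review bot: dropping `assert.falsy(proxy_auth)` from the TLS endpoint's `/test` location removes the only assertion that the tunneled request arrived without the header; the `no_error_log` pattern added at the end of this file inspects the log, not what the endpoint received, and the two checks are not equivalent. Keeping the three lines costs nothing and covers the endpoint side. If the removal is because the endpoint sits behind a CONNECT tunnel and could never see `Proxy-Authorization` anyway, say so in the test description so the weaker check is understood as deliberate.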
@@ -505,3 +504,5 @@ GET /test?user_key=test3
<<EOF
using proxy: http://foo:bar\@127.0.0.1:$Test::Nginx::Util::PROXY_SSL_PORT,
EOF
--- no_error_log eval
[qr/\[error\]/, qr/\got header line: Proxy-Authorization: Basic Zm9vOmJhcg==/]
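Review bot: in a Perl regex `\g` begins a backreference (`\g1`, `\g{name}`), so `qr/\got header line: .../` is at best not a literal `g` and will most likely fail to compile inside the `eval`; the intended pattern is presumably `qr/got header line: Proxy-Authorization: Basic Zm9vOmJhcg==/`. Because `no_error_log` is a negative check, it also passes vacuously if the log never contains "got header line" for any header at all (for instance when the proxy is not logging at debug level), so pair it with an `error_log` match on a header line that is expected to appear, to prove the check is capable of failing.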

0 comments on commit 4769da4