From c6af0cc83a079da6b47c53ffe1023a0735d3ca2b Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 5 May 2026 10:16:19 -0400
Subject: [PATCH] Use dashes in HTTP header names in SSL vhost config

Some backends reject headers with underscores before converting dashes to underscores for application processing. Use dashes in RequestHeader names to match the HTTP vhost and ensure headers pass through the full proxy chain. Add a test to catch underscore usage in httpd config headers.

Co-Authored-By: Claude Opus 4.6
---
 src/roles/httpd/templates/external_auth.conf.j2 | 10 +++++-----
 src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 | 8 ++++----
 tests/fixtures/help/features.txt | 0
 tests/fixtures/help/migrate.txt | 0
 tests/httpd_test.py | 4 ++++
 5 files changed, 13 insertions(+), 9 deletions(-)
 create mode 100644 tests/fixtures/help/features.txt
 create mode 100644 tests/fixtures/help/migrate.txt
diff --git a/src/roles/httpd/templates/external_auth.conf.j2 b/src/roles/httpd/templates/external_auth.conf.j2
index 05e1d7d25..f181de2f4 100644
--- a/src/roles/httpd/templates/external_auth.conf.j2
+++ b/src/roles/httpd/templates/external_auth.conf.j2
@@ -15,11 +15,11 @@ LookupUserGroupsIter REMOTE_USER_GROUP
 # Set headers for proxy requests
- RequestHeader set REMOTE_USER %{REMOTE_USER}e
- RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
- RequestHeader set REMOTE_USER_FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
- RequestHeader set REMOTE_USER_LASTNAME %{REMOTE_USER_LASTNAME}e
- RequestHeader set REMOTE_USER_GROUPS %{REMOTE_USER_GROUPS}e
+ RequestHeader set REMOTE-USER %{REMOTE_USER}e
+ RequestHeader set REMOTE-USER-EMAIL %{REMOTE_USER_EMAIL}e
+ RequestHeader set REMOTE-USER-FIRSTNAME %{REMOTE_USER_FIRSTNAME}e
+ RequestHeader set REMOTE-USER-LASTNAME %{REMOTE_USER_LASTNAME}e
+ RequestHeader set REMOTE-USER-GROUPS %{REMOTE_USER_GROUPS}e
 # GSSAPI/Kerberos authentication for web UI
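Review bot: With the `RequestHeader set` targets renamed to dashed names, nothing in these lines overwrites the underscore spelling any more, so a client-supplied `REMOTE_USER_GROUPS` or `SSL_CLIENT_VERIFY` header is only handled if something else strips it; the same applies to the four renamed lines in the foreman-ssl-vhost.conf.j2 hunk. The commit message says some backends reject underscore names, which would cover this, but a backend that instead folds `_` and `-` into one variable could see the client's value beside the proxy's. The SSL vhost context already pairs `RequestHeader unset REMOTE-USER` with `RequestHeader unset REMOTE_USER`; I would add the same for the renamed names, e.g. `RequestHeader unset SSL_CLIENT_VERIFY` and `RequestHeader unset X_FORWARDED_PROTO`, and confirm every `REMOTE_USER*` name has both spellings unset (that list runs past the end of the hunk). The new test only matches `RequestHeader set`, so such `unset` lines would not trip it.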
diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
index 3807529f0..af895755b 100644
--- a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
+++ b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -11,10 +11,10 @@
 ## Request header rules
 ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader
- RequestHeader set X_FORWARDED_PROTO "https"
- RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
- RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
- RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
+ RequestHeader set X-FORWARDED-PROTO "https"
+ RequestHeader set SSL-CLIENT-S-DN "%{SSL_CLIENT_S_DN}s"
+ RequestHeader set SSL-CLIENT-CERT "%{SSL_CLIENT_CERT}s"
+ RequestHeader set SSL-CLIENT-VERIFY "%{SSL_CLIENT_VERIFY}s"
 RequestHeader unset REMOTE-USER
 RequestHeader unset REMOTE_USER
 RequestHeader unset REMOTE-USER-EMAIL
diff --git a/tests/fixtures/help/features.txt b/tests/fixtures/help/features.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/fixtures/help/migrate.txt b/tests/fixtures/help/migrate.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/httpd_test.py b/tests/httpd_test.py
index 994d79335..c2104b60f 100644
--- a/tests/httpd_test.py
+++ b/tests/httpd_test.py
@@ -104,3 +104,7 @@ def test_httpd_event_conf_contains_threads_per_child(server):
 def test_httpd_config_syntax(server):
 cmd = server.run("httpd -t")
 assert cmd.succeeded
+
+def test_httpd_headers_use_dashes(server):
+ cmd = server.run("grep -rPn 'RequestHeader\\s+set\\s+\\S*_\\S*\\s' /etc/httpd/conf.d/foreman.conf /etc/httpd/conf.d/foreman-ssl.conf /etc/httpd/conf.d/05-foreman.d/ /etc/httpd/conf.d/05-foreman-ssl.d/ 2>/dev/null")
+ assert cmd.stdout.strip() == '', f"HTTP header names should use dashes, not underscores:\n{cmd.stdout}"
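Review bot: `test_httpd_headers_use_dashes` can pass without inspecting anything: stderr is discarded with `2>/dev/null` and only stdout is asserted, so missing paths or a grep error (exit status 2) leave stdout empty exactly like a clean run. Assuming `server` is a testinfra host, as `cmd.succeeded` in the test above suggests, I would check the status as well, e.g. `assert cmd.rc in (0, 1), cmd.stderr` ahead of the stdout assertion, and drop `2>/dev/null` for the paths that must exist. The pattern also covers only `RequestHeader set`, so `add`, `append`, `merge` or `setifempty` lines with underscore names slip through; `RequestHeader\\s+(set|setifempty|add|append|merge)\\s+` as the prefix would close that. It is worth confirming that the rendered external_auth.conf.j2 lands under one of the four searched paths, since this commit renames headers there too.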