diff --git a/component/apache/apache-backend.conf.in b/component/apache/apache-backend.conf.in
index 337a4a6ab79ee6a90a66ecb8266196788c194d99..c9501d1c248951394cff15a2524c720b00ecfda3 100644
--- a/component/apache/apache-backend.conf.in
+++ b/component/apache/apache-backend.conf.in
@@ -135,10 +135,11 @@ SSLProxyEngine On
 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
+# Drop incoming X-Forwarded-For without valid client authentication
+RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
 {% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
-RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
 SSLCACertificatePath {{ ca_cert_dir }}
 {% if crl_dir -%}
 SSLCARevocationCheck chain
diff --git a/component/apache/buildout.hash.cfg b/component/apache/buildout.hash.cfg
index 6c800b550f543e96df5b5acc2d1f5d6f019ca69d..57005d4ba251284ee9fa547183a86f6126b9387f 100644
--- a/component/apache/buildout.hash.cfg
+++ b/component/apache/buildout.hash.cfg
@@ -14,5 +14,5 @@
 # not need these here).
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = 68ce79573bb2b39625ee6ef57c2e7f14
+md5sum = 5c6d6aacc092b23a02e1c6f4d51e8127
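Review bot: In apache-backend.conf.in, the new comment above the moved `RequestHeader unset X-Forwarded-For` line does not say who ends up trusted to supply that header. With `SSLVerifyClient optional`, any client whose certificate verifies against `SSLCACertificatePath` keeps its X-Forwarded-For. When `ca_cert_dir` is unset, the visible lines configure no client verification, so the header is presumably always dropped. I would spell that out, e.g. `# Drop incoming X-Forwarded-For unless the client certificate verified against ca_cert_dir (always dropped when ca_cert_dir is unset)`. Only X-Forwarded-For is covered here; if the backend also reads `Forwarded` or `X-Real-IP`, they likely need the same rule, which this hunk alone cannot confirm.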