Merge pull request #835 from vshn/httpoxy

Mitigating Httpoxy
2016-07-22 15:14:36 +00:00 · 2016-07-22 15:14:36 +00:00 · fca0c6c150
commit fca0c6c150
parent e54f4dcaa2 b17020dca8
3 changed files with 12 additions and 0 deletions
--- a/manifests/config.pp
+++ b/manifests/config.pp
@ -92,6 +92,7 @@ class nginx::config(
    'Host $host',
    'X-Real-IP $remote_addr',
    'X-Forwarded-For $proxy_add_x_forwarded_for',
+    'Proxy ""',
  ],
  $proxy_hide_header              = [],
  $sendfile                       = 'on',
--- a/spec/defines/resource_location_spec.rb
+++ b/spec/defines/resource_location_spec.rb
@ -511,6 +511,14 @@ describe 'nginx::resource::location' do
        end
      end
      
+      context "when fastcgi_param is {'HTTP_PROXY' => '""'}" do
+        let :params do default_params.merge({ :fastcgi_param => {'HTTP_PROXY' => '""'} }) end
+        it "should set fastcgi_param" do
+        should contain_concat__fragment("vhost1-500-" + Digest::MD5.hexdigest("#{params[:location]}")).
+                  with_content(%r|fastcgi_param\s+HTTP_PROXY\s+"";|)
+        end
+      end
+
      context "when fastcgi_param is not set" do
        let :params do default_params end
        it "should not set fastcgi_param" do
--- a/templates/vhost/fastcgi_params.erb
+++ b/templates/vhost/fastcgi_params.erb
@ -25,3 +25,6 @@ fastcgi_param  HTTPS              $https;

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
+
+# Mitigate httpoxy, see https://httpoxy.org/#fix-now
+fastcgi_param  HTTP_PROXY          "";