Bug 1430640

Summary: "ProxyAddHeaders Off" does not become effective when it's defined outside <Proxy> setting
Product: Red Hat Enterprise Linux 7 Reporter: Masafumi Miura <mmiura>
Component: httpd Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Maryna Nalbandian <mnalband>
Severity: low Docs Contact:
Priority: low    
Version: 7.3 CC: bnater, cww, jhouska, jorton, luhliari
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: httpd-2.4.6-74.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 14:45:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1420851, 1465904, 1466370    

Description Masafumi Miura 2017-03-09 08:00:32 UTC
### Description of problem:

"ProxyAddHeaders Off" does not become effective when it's defined outside the <Proxy> setting. The X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server HTTP headers are still passed to the backend server.

~~~ 
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyAddHeaders Off 

<Proxy "*">
   Require all granted
   # ...(any other config)...
</Proxy>
~~~


### Version-Release number of selected component (if applicable):

httpd-2.4.6-45.el7.x86_64


### How reproducible:

Anytime


### Steps to Reproduce:

1. Configure the above proxy config in Apache httpd
2. Start Apache httpd and backend server
3. Send http request 
4. See if X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers are passed to the backend server


### Actual results:

X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers are still passed to the backend server.


### Expected results:

X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers do not exist in the forwarded request header to the backend server.


### Additional info:

Workaround exists. When moving "ProxyAddHeaders Off" inside <Proxy> setting, it works like a charm:

~~~ 
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

<Proxy "*">
   ProxyAddHeaders Off 
   Require all granted
   # ...(any other config)...
</Proxy>
~~~

Comment 2 Joe Orton 2017-07-13 15:12:39 UTC
This looks like a bug in 2.4; mod_proxy.c is not merging the config properly.

~~~
static void *merge_proxy_dir_config(apr_pool_t *p, void *basev, void *addv)
...
    new->add_forwarded_headers = add->add_forwarded_headers;
~~~

Comment 3 Joe Orton 2017-08-15 16:55:37 UTC
Fixed upstream, https://svn.apache.org/viewvc?rev=1805099&view=rev
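
A simplified model of the merge behaviour quoted in comment 2, added here as an illustration and not taken from mod_proxy.c or the upstream revision. The `dir_conf` struct, the `add_forwarded_headers_set` flag and the helper names are assumptions. It shows why a server-level `ProxyAddHeaders Off` is lost when a `<Proxy>` section carrying only the default is merged over it, and how a per-directive "set" flag preserves it.

```c
#include <stdio.h>

/* Hypothetical stand-in for mod_proxy's per-directory config; only the
 * add_forwarded_headers field name comes from the bug report. */
typedef struct {
    int add_forwarded_headers;     /* 1 = send X-Forwarded-*, 0 = suppress */
    int add_forwarded_headers_set; /* assumed flag: directive written in this scope */
} dir_conf;

/* Scope in which ProxyAddHeaders was not written (the default is On). */
static dir_conf scope_default(void) { dir_conf c = {1, 0}; return c; }

/* Scope containing an explicit "ProxyAddHeaders On|Off". */
static dir_conf scope_explicit(int on) { dir_conf c = {on, 1}; return c; }

/* Merge as quoted in comment 2: the inner scope always wins, even when
 * it carries nothing but the default. */
static dir_conf merge_unconditional(dir_conf base, dir_conf add) {
    dir_conf n = base;
    n.add_forwarded_headers = add.add_forwarded_headers;
    return n;
}

/* Set-flag merge: inherit the outer value unless the inner scope
 * configured the directive itself. */
static dir_conf merge_with_set_flag(dir_conf base, dir_conf add) {
    dir_conf n;
    n.add_forwarded_headers_set =
        base.add_forwarded_headers_set || add.add_forwarded_headers_set;
    n.add_forwarded_headers = add.add_forwarded_headers_set
        ? add.add_forwarded_headers : base.add_forwarded_headers;
    return n;
}

static const char *state(dir_conf c) {
    return c.add_forwarded_headers ? "sent" : "suppressed";
}

int main(void) {
    dir_conf server = scope_explicit(0); /* ProxyAddHeaders Off at server level */
    dir_conf proxy  = scope_default();   /* <Proxy "*"> without the directive */
    printf("unconditional merge: %s\n", state(merge_unconditional(server, proxy)));
    printf("set-flag merge:      %s\n", state(merge_with_set_flag(server, proxy)));
    /* Workaround from the description: Off written inside <Proxy "*">. */
    printf("workaround:          %s\n",
           state(merge_unconditional(scope_default(), scope_explicit(0))));
    return 0;
}
```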

Comment 13 errata-xmlrpc 2018-04-10 14:45:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0826