Fix workaround for HTTPoxy vulnerability

Three issues with the previous solution:
* `Header unset` instead of `RequestHeader unset`
* No check for mod_headers being installed
* No alternative for when mod_headers is not installed (this still
  requires the mod_security module, but that's the best I could do)
pull/39/head
Franz Liedke 8 years ago
parent 70a765a2c8
commit 569e3a3b5e
No known key found for this signature in database
GPG Key ID: 9A0231A879B055F4

@ -10,7 +10,13 @@
</IfModule> </IfModule>
# Fix for https://httpoxy.org vulnerability # Fix for https://httpoxy.org vulnerability
Header unset Proxy <IfModule mod_headers.c>
RequestHeader unset Proxy
</IfModule>
<IfModule mod_security.c>
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
</IfModule>
<IfModule mod_rewrite.c> <IfModule mod_rewrite.c>
RewriteEngine on RewriteEngine on

Loading…
Cancel
Save