From 3dc087e1b3b18f9c4470c3a26ff2a2f4525e1edd Mon Sep 17 00:00:00 2001 From: An Tran Date: Thu, 31 Aug 2023 00:01:08 +1000 Subject: [PATCH 1/8] Add support to use Basic Authentication with the forward proxy --- gateway/src/apicast/http_proxy.lua | 8 ++ gateway/src/resty/http/proxy.lua | 13 +- t/apicast-policy-camel.t | 201 +++++++++++++++++++++++++++++ t/apicast-policy-http-proxy.t | 166 ++++++++++++++++++++++++ 4 files changed, 384 insertions(+), 4 deletions(-) diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua index 66d5dca07..43d26d8a2 100644 --- a/gateway/src/apicast/http_proxy.lua +++ b/gateway/src/apicast/http_proxy.lua @@ -5,6 +5,7 @@ local resty_resolver = require 'resty.resolver' local round_robin = require 'resty.balancer.round_robin' local http_proxy = require 'resty.http.proxy' local file_reader = require("resty.file").file_reader +local concat = table.concat local _M = { } @@ -156,6 +157,13 @@ end function _M.request(upstream, proxy_uri) local uri = upstream.uri + if not ngx.var.proxy_authorization then + if proxy_uri.user or proxy_uri.password then + local proxy_auth = "Basic " .. ngx.encode_base64(concat({ proxy_uri.user or '', proxy_uri.password or '' }, ':')) + ngx.req.set_header("Proxy-Authorization", proxy_auth) + end + end + if uri.scheme == 'http' then -- rewrite the request to use http_proxy local err local host = upstream:set_host_header() diff --git a/gateway/src/resty/http/proxy.lua b/gateway/src/resty/http/proxy.lua index 2dc472d58..77487347f 100644 --- a/gateway/src/resty/http/proxy.lua +++ b/gateway/src/resty/http/proxy.lua 
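Review bot: The Basic credential in `_M.request` is built from `proxy_uri.user` and `proxy_uri.password` exactly as they appear in the proxy URL. A password that had to be percent-encoded to fit in the URL (one containing `@`, `/` or `:`) would then reach the proxy in its encoded form and be rejected. Whether the URL parser already decodes the userinfo is not visible in this hunk; if it does not, both parts should be percent-decoded before `concat(..., ':')`, with a short comment on that line stating which form is expected. The same expression is carried unchanged into the PATCH 4/8 rewrite of this function, and the body of `_M.request` continues outside the hunk.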
@@ -56,17 +56,22 @@ local function _connect_proxy_https(httpc, request, host, port) local uri = request.uri - local ok, err = httpc:request({ + local res, err = httpc:request({ method = 'CONNECT', path = format('%s:%s', host, port or default_port(uri)), headers = { ['Host'] = request.headers.host or format('%s:%s', uri.host, default_port(uri)), + ['Proxy-Authorization'] = request.headers["Proxy-Authorization"] or '' } }) - if not ok then return nil, err end + if not res then return nil, err end - ok, err = httpc:ssl_handshake(nil, uri.host, request.ssl_verify) - if not ok then return nil, err end + if res.status < 200 or res.status > 299 then + return nil, "failed to establish a tunnel through a proxy: " .. res.status + end + + res, err = httpc:ssl_handshake(nil, uri.host, request.ssl_verify) + if not res then return nil, err end return httpc end diff --git a/t/apicast-policy-camel.t b/t/apicast-policy-camel.t index f95dcc081..fee684ea0 100644 --- a/t/apicast-policy-camel.t +++ b/t/apicast-policy-camel.t @@ -315,3 +315,204 @@ ETag: foobar < Date: Thu, 31 Aug 2023 16:24:58 +1000 Subject: [PATCH 2/8] Update CHANGELOG.md --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0ab10eab..c44cac79c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ### Added - Detect number of CPU shares when running on Cgroups V2 [PR #1410](https://github.com/3scale/apicast/pull/1410) [THREESCALE-10167](https://issues.redhat.com/browse/THREESCALE-10167) +### Added + +* Add support to use Basic Authentication with the forward proxy. [PR #1409](https://github.com/3scale/APIcast/pull/1409) ## [3.14.0] 2023-07-25 From caa1db9d89b5e1f59e4ec915d5440817a3fc5f05 Mon Sep 17 00:00:00 2001 
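Review bot: The CONNECT request in `_connect_proxy_https` now always carries a `Proxy-Authorization` header, with an empty value when no credentials exist, because of the `or ''` fallback. An empty credential header is not the same as no header, and a proxy that previously accepted anonymous CONNECT may answer it with 407 or 400 (not verifiable from this hunk). Dropping the fallback leaves the key out of the headers table when the value is nil: `['Proxy-Authorization'] = request.headers["Proxy-Authorization"]`. The PATCH 4/8 hunk on the same line keeps the fallback as `request.proxy_auth or ''` and needs the same change.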
From: An Tran Date: Mon, 25 Sep 2023 12:02:51 +1000 Subject: [PATCH 3/8] Correct the http header var --- gateway/src/apicast/http_proxy.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua index 43d26d8a2..507eb9dfc 100644 --- a/gateway/src/apicast/http_proxy.lua +++ b/gateway/src/apicast/http_proxy.lua @@ -157,7 +157,7 @@ end function _M.request(upstream, proxy_uri) local uri = upstream.uri - if not ngx.var.proxy_authorization then + if not ngx.var.http_proxy_authorization then if proxy_uri.user or proxy_uri.password then local proxy_auth = "Basic " .. ngx.encode_base64(concat({ proxy_uri.user or '', proxy_uri.password or '' }, ':')) ngx.req.set_header("Proxy-Authorization", proxy_auth) From b6081f74e6a44a826f5f158136428f2713f97618 Mon Sep 17 00:00:00 2001 From: An Tran Date: Wed, 27 Sep 2023 22:09:56 +1000 Subject: [PATCH 4/8] Minor refactor to avoid Proxy-Authorization leak --- gateway/src/apicast/http_proxy.lua | 22 ++++--- gateway/src/resty/http/proxy.lua | 2 +- t/apicast-policy-camel.t | 17 +----- t/apicast-policy-http-proxy.t | 14 ++--- t/http-proxy.t | 96 ++++++++++++++++++++++++++++++ 5 files changed, 119 insertions(+), 32 deletions(-) diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua index 507eb9dfc..10b313638 100644 --- a/gateway/src/apicast/http_proxy.lua +++ b/gateway/src/apicast/http_proxy.lua @@ -82,7 +82,7 @@ local function absolute_url(uri) ) end -local function forward_https_request(proxy_uri, uri, skip_https_connect) +local function forward_https_request(proxy_uri, proxy_auth, uri, skip_https_connect) -- This is needed to call ngx.req.get_body_data() below. ngx.req.read_body() 
@@ -102,7 +102,8 @@ local function forward_https_request(proxy_uri, uri, skip_https_connect) -- nil, so after this we need to read the temp file. -- https://github.com/openresty/lua-nginx-module#ngxreqget_body_data body = ngx.req.get_body_data(), - proxy_uri = proxy_uri + proxy_uri = proxy_uri, + proxy_auth = proxy_auth } if not request.body then @@ -156,15 +157,20 @@ end function _M.request(upstream, proxy_uri) local uri = upstream.uri + local proxy_auth - if not ngx.var.http_proxy_authorization then - if proxy_uri.user or proxy_uri.password then - local proxy_auth = "Basic " .. ngx.encode_base64(concat({ proxy_uri.user or '', proxy_uri.password or '' }, ':')) - ngx.req.set_header("Proxy-Authorization", proxy_auth) - end + if proxy_uri.user or proxy_uri.password then + proxy_auth = "Basic " .. ngx.encode_base64(concat({ proxy_uri.user or '', proxy_uri.password or '' }, ':')) end if uri.scheme == 'http' then -- rewrite the request to use http_proxy + -- Only set "Proxy-Authorization" when sending HTTP request. When sent over HTTPS, + -- the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has + -- no visibility into the tunneled request. + if not ngx.var.http_proxy_authorization and proxy_auth then + ngx.req.set_header("Proxy-Authorization", proxy_auth) + end + local err local host = upstream:set_host_header() upstream:use_host_header(host) @@ -177,7 +183,7 @@ function _M.request(upstream, proxy_uri) return elseif uri.scheme == 'https' then upstream:rewrite_request() - forward_https_request(proxy_uri, uri, upstream.skip_https_connect) + forward_https_request(proxy_uri, proxy_auth, uri, upstream.skip_https_connect) return ngx.exit(ngx.OK) -- terminate phase else ngx.log(ngx.ERR, 'could not connect to proxy: ', proxy_uri, ' err: ', 'invalid request scheme') diff --git a/gateway/src/resty/http/proxy.lua b/gateway/src/resty/http/proxy.lua index 77487347f..8f644869d 100644 --- a/gateway/src/resty/http/proxy.lua 
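Review bot: In the `uri.scheme == 'http'` branch of `_M.request`, the `not ngx.var.http_proxy_authorization` test lets a `Proxy-Authorization` header sent by the API client take precedence over the credentials configured in the proxy URL, so the caller decides what the gateway presents to the forward proxy. In the `https` branch nothing in this hunk removes a client-supplied header either, so it appears to travel inside the tunnel to the upstream; the added tests only cover requests that carry no such header. Since the header is hop-by-hop, consider overwriting it unconditionally with `ngx.req.set_header("Proxy-Authorization", proxy_auth)` on the HTTP path and calling `ngx.req.clear_header("Proxy-Authorization")` before `forward_https_request`. If client precedence is intended, the comment above the condition should say so. The same condition is kept in the PATCH 8/8 hunk.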
+++ b/gateway/src/resty/http/proxy.lua @@ -61,7 +61,7 @@ local function _connect_proxy_https(httpc, request, host, port) path = format('%s:%s', host, port or default_port(uri)), headers = { ['Host'] = request.headers.host or format('%s:%s', uri.host, default_port(uri)), - ['Proxy-Authorization'] = request.headers["Proxy-Authorization"] or '' + ['Proxy-Authorization'] = request.proxy_auth or '' } }) if not res then return nil, err end diff --git a/t/apicast-policy-camel.t b/t/apicast-policy-camel.t index fee684ea0..8b4fce6aa 100644 --- a/t/apicast-policy-camel.t +++ b/t/apicast-policy-camel.t @@ -389,7 +389,7 @@ using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT "name": "apicast.policy.apicast" }, { - "name": "apicast.policy.http_proxy", + "name": "apicast.policy.camel", "configuration": { "all_proxy": "http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT" } @@ -425,7 +425,6 @@ using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT === TEST 7: using HTTPS proxy for backend with Basic Auth. ---- ONLY --- init eval $Test::Nginx::Util::PROXY_SSL_PORT = Test::APIcast::get_random_port(); $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port(); @@ -436,7 +435,7 @@ $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port(); { "backend_version": 1, "proxy": { - "api_backend": "https://localhost:$Test::Nginx::Util::ENDPOINT_SSL_PORT", + "api_backend": "https://127.0.0.1:$Test::Nginx::Util::ENDPOINT_SSL_PORT", "proxy_rules": [ { "pattern": "/test", "http_method": "GET", "metric_system_name": "hits", "delta": 2 } ], 
@@ -476,15 +475,8 @@ EOF access_by_lua_block { assert = require('luassert') local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] - assert.equals(proxy_auth, "Basic Zm9vOmJhcg==") - - assert.equal('https', ngx.var.scheme) - assert.equal('$Test::Nginx::Util::ENDPOINT_SSL_PORT', ngx.var.server_port) - assert.equal('localhost', ngx.var.ssl_server_name) - assert.equal(ngx.var.request_uri, '/test?user_key=test3') + assert.falsy(proxy_auth) - local host = ngx.req.get_headers()["Host"] - assert.equal(host, 'localhost:$Test::Nginx::Util::ENDPOINT_SSL_PORT') ngx.say("yay, endpoint backend") } @@ -507,9 +499,6 @@ server { EOF --- request GET /test?user_key=test3 ---- more_headers -User-Agent: Test::APIcast::Blackbox -ETag: foobar --- error_code: 200 --- user_files fixture=tls.pl eval --- error_log eval diff --git a/t/apicast-policy-http-proxy.t b/t/apicast-policy-http-proxy.t index a89d86422..3a6cdb203 100644 --- a/t/apicast-policy-http-proxy.t +++ b/t/apicast-policy-http-proxy.t @@ -244,13 +244,11 @@ server_name test-upstream.lvh.me; GET /?user_key=value --- error_code: 200 --- error_log env -proxy request: CONNECT test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT HTTP/1.1 ---- error_log env using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT === TEST 5: using all_proxy with Basic Auth ---- configuration +--- configuration random_port env { "services": [ { @@ -297,8 +295,6 @@ server_name test-upstream.lvh.me; GET /?user_key=value --- error_code: 200 --- error_log env -proxy request: CONNECT test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT HTTP/1.1 ---- error_log env using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT 
@@ -347,16 +343,16 @@ location /test { echo_end; access_by_lua_block { - assert = require('luassert') + local assert = require('luassert') local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] - assert.equals(proxy_auth, "Basic Zm9vOmJhcg==") + assert.falsy(proxy_auth) } } --- request GET /test?user_key=test3 --- error_code: 200 ---- error_log env -proxy request: CONNECT test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT HTTP/1.1 --- user_files fixture=tls.pl eval --- error_log env using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT +proxy request: CONNECT test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT HTTP/1.1 +got header line: Proxy-Authorization: Basic Zm9vOmJhcg== diff --git a/t/http-proxy.t b/t/http-proxy.t index d896c8a2b..1e34a495a 100644 --- a/t/http-proxy.t +++ b/t/http-proxy.t 
@@ -1227,3 +1227,99 @@ proxy request: CONNECT test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT HTTP/1.1 --- no_error_log [error] --- user_files fixture=tls.pl eval + + +=== TEST 23: upstream API connection uses http proxy with BasicAuth +--- env eval +( + "http_proxy" => "http://foo:bar\@127.0.0.1:$ENV{TEST_NGINX_HTTP_PROXY_PORT}", + 'BACKEND_ENDPOINT_OVERRIDE' => "http://test_backend.lvh.me:$ENV{TEST_NGINX_SERVER_PORT}" +) +--- configuration +{ + "services": [ + { + "backend_version": 1, + "proxy": { + "api_backend": "http://test-upstream.lvh.me:$TEST_NGINX_SERVER_PORT", + "proxy_rules": [ + { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 } + ] + } + } + ] +} +--- backend +server_name test_backend.lvh.me; + location /transactions/authrep.xml { + content_by_lua_block { + ngx.exit(ngx.OK) + } + } +--- upstream +server_name test-upstream.lvh.me; + location / { + access_by_lua_block { + local assert = require('luassert') + local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] + assert.equals(proxy_auth, "Basic Zm9vOmJhcg==") + } + } +--- request +GET /?user_key=value +--- error_code: 200 +--- error_log env +using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT +--- no_error_log +[error] + + +=== TEST 24: upstream API connection uses proxy for https with BasicAuth +--- env eval +( + "https_proxy" => "http://foo:bar\@127.0.0.1:$ENV{TEST_NGINX_HTTP_PROXY_PORT}", + 'BACKEND_ENDPOINT_OVERRIDE' => "http://test_backend.lvh.me:$ENV{TEST_NGINX_SERVER_PORT}" +) +--- configuration random_port env +{ + "services": [ + { + "backend_version": 1, + "proxy": { + "api_backend": "https://test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT", + "proxy_rules": [ + { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 2 } + ] + } + } + ] +} +--- backend +server_name test_backend.lvh.me; + + location /transactions/authrep.xml { + content_by_lua_block { + ngx.exit(ngx.OK) + } + } +--- upstream env +server_name 
test-upstream.lvh.me; + +listen $TEST_NGINX_RANDOM_PORT ssl; +ssl_certificate $TEST_NGINX_SERVER_ROOT/html/server.crt; +ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/server.key; +location / { + echo_foreach_split '\r\n' $echo_client_request_headers; + echo $echo_it; + echo_end; +} +--- request +GET /test?user_key=test3 +--- error_code: 200 +--- error_log env +using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT +proxy request: CONNECT test-upstream.lvh.me:$TEST_NGINX_RANDOM_PORT HTTP/1.1 +got header line: Proxy-Authorization: Basic Zm9vOmJhcg== +--- no_error_log +[error] +--- user_files fixture=tls.pl eval From adf7c93db1043db2e0a6b221c6132f23e8ff50b1 Mon Sep 17 00:00:00 2001 From: An Tran Date: Mon, 23 Oct 2023 16:07:47 +1000 Subject: [PATCH 5/8] Update http_proxy documentation --- gateway/src/apicast/policy/http_proxy/Readme.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/gateway/src/apicast/policy/http_proxy/Readme.md b/gateway/src/apicast/policy/http_proxy/Readme.md index e7234d774..349028544 100644 --- a/gateway/src/apicast/policy/http_proxy/Readme.md +++ b/gateway/src/apicast/policy/http_proxy/Readme.md @@ -43,6 +43,8 @@ used. ## Configuration +The policy expect the URLS following the `http://[[:]@][:]` format, e.g.: + ``` "policy_chain": [ { 
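Review bot: The `--- error_log` expectations in TEST 23 and TEST 24 match `using proxy: http://foo:bar@127.0.0.1:...`, which pins the behaviour that the gateway writes the proxy URL, password included, to its error log. Now that this series makes credentials in the proxy URL a supported configuration, that log line exposes them to anyone who can read the logs or the log pipeline. The code emitting the line is outside this hunk; it should log the URL with the userinfo masked, and these assertions should then match the masked form, for example `using proxy: http://***@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT` (constructed sample). The same expectation appears in the `t/apicast-policy-http-proxy.t` and `t/apicast-policy-camel.t` hunks of this series.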
@@ -51,15 +53,17 @@ used. { "name": "apicast.policy.http_proxy", "configuration": { - "all_proxy": "http://192.168.15.103:8888/", - "https_proxy": "https://192.168.15.103:8888/", - "http_proxy": "https://192.168.15.103:8888/" + "all_proxy": "http://foo:bar@192.168.15.103:8888/", + "https_proxy": "https://foo:bar@192.168.15.103:8888/", + "http_proxy": "https://foo:bar@192.168.15.103:8888/" } } ] ``` -- If http_proxy or https_proxy is not defined the all_proxy will be taken. +- If http_proxy or https_proxy is not defined the all_proxy will be taken. +- The policy supports for proxy authentication via the `` and `` options. +- The `` and `` are optional, all other components are required. ## Caveats @@ -67,7 +71,7 @@ used. always send to the proxy. - In case of HTTP_PROXY, HTTPS_PROXY or ALL_PROXY parameters are defined, this policy will overwrite those values. -- Proxy connection does not support authentication. +- 3scale currently does not support connecting to an HTTP proxy via TLS. For this reason, the scheme of the HTTPS_PROXY value is restricted to http. ## Example Use case From 836babc1ef3a88e3e133a0cc88c823c040a03039 Mon Sep 17 00:00:00 2001 From: An Tran Date: Mon, 23 Oct 2023 16:27:56 +1000 Subject: [PATCH 6/8] Update integration tests when sending http request through proxy Update tests to check if Proxy-Authorization reaches to the proxy server instead of asserting the header in the upstream block. --- t/apicast-policy-http-proxy.t | 7 ++----- t/fixtures/proxy.lua | 1 + t/http-proxy.t | 7 ++----- 3 files changed, 5 insertions(+), 10 deletions(-) diff --git a/t/apicast-policy-http-proxy.t b/t/apicast-policy-http-proxy.t index 3a6cdb203..fd341b960 100644 --- a/t/apicast-policy-http-proxy.t +++ b/t/apicast-policy-http-proxy.t 
@@ -234,17 +234,14 @@ using proxy: $TEST_NGINX_HTTPS_PROXY --- upstream server_name test-upstream.lvh.me; location / { - access_by_lua_block { - local assert = require('luassert') - local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] - assert.equals(proxy_auth, "Basic Zm9vOmJhcg==") - } + echo 'yay, api backend!'; } --- request GET /?user_key=value --- error_code: 200 --- error_log env using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT +proxy http request - got header line: Proxy-Authorization: Basic Zm9vOmJhcg== === TEST 5: using all_proxy with Basic Auth diff --git a/t/fixtures/proxy.lua b/t/fixtures/proxy.lua index 4798f6772..675c5f548 100644 --- a/t/fixtures/proxy.lua +++ b/t/fixtures/proxy.lua @@ -113,6 +113,7 @@ local function forward_http_stream(sock, upstream) send(upstream, header_line) local header = re_match(header_line, [[(?[^:\s]+):\s*(?.+)\r\n$]]) + ngx.log(ngx.DEBUG, 'proxy http request - got header line: ', header_line) if header and str_lower(header.name) == 'content-length' then body_length = tonumber(header.value) diff --git a/t/http-proxy.t b/t/http-proxy.t index 1e34a495a..c19e0b9bc 100644 --- a/t/http-proxy.t +++ b/t/http-proxy.t @@ -1259,17 +1259,14 @@ server_name test_backend.lvh.me; --- upstream server_name test-upstream.lvh.me; location / { - access_by_lua_block { - local assert = require('luassert') - local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] - assert.equals(proxy_auth, "Basic Zm9vOmJhcg==") - } + echo 'yay, api backend!'; } --- request GET /?user_key=value --- error_code: 200 --- error_log env using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT +proxy http request - got header line: Proxy-Authorization: Basic Zm9vOmJhcg== --- no_error_log [error] From 260dca59658a3af752ad9d2da8c5560f343f8246 Mon Sep 17 00:00:00 2001 
From: An Tran Date: Mon, 23 Oct 2023 18:25:59 +1000 Subject: [PATCH 7/8] Update proxy url in the documentation Proxy urls should all be http, https not supported --- gateway/src/apicast/policy/http_proxy/Readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gateway/src/apicast/policy/http_proxy/Readme.md b/gateway/src/apicast/policy/http_proxy/Readme.md index 349028544..579edfa98 100644 --- a/gateway/src/apicast/policy/http_proxy/Readme.md +++ b/gateway/src/apicast/policy/http_proxy/Readme.md @@ -54,8 +54,8 @@ The policy expect the URLS following the `http://[[:]@][ "name": "apicast.policy.http_proxy", "configuration": { "all_proxy": "http://foo:bar@192.168.15.103:8888/", - "https_proxy": "https://foo:bar@192.168.15.103:8888/", - "http_proxy": "https://foo:bar@192.168.15.103:8888/" + "https_proxy": "http://foo:bar@192.168.15.103:8888/", + "http_proxy": "http://foo:bar@192.168.15.103:8888/" } } ] From 4769da46609dbe5321c34c6902a53f1465a98a83 Mon Sep 17 00:00:00 2001 From: An Tran Date: Thu, 2 Nov 2023 16:08:17 +1000 Subject: [PATCH 8/8] Do not send Proxy-Authorization when using Camel proxy policy --- gateway/src/apicast/http_proxy.lua | 5 ++++- t/apicast-policy-camel.t | 13 +++++++------ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/gateway/src/apicast/http_proxy.lua b/gateway/src/apicast/http_proxy.lua index 10b313638..624aa0502 100644 --- a/gateway/src/apicast/http_proxy.lua +++ b/gateway/src/apicast/http_proxy.lua 
@@ -167,7 +167,10 @@ function _M.request(upstream, proxy_uri) -- Only set "Proxy-Authorization" when sending HTTP request. When sent over HTTPS, -- the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy has -- no visibility into the tunneled request. - if not ngx.var.http_proxy_authorization and proxy_auth then + -- + -- Also DO NOT set the header if using the camel proxy to avoid unintended leak of + -- Proxy-Authorization header in requests + if not ngx.var.http_proxy_authorization and proxy_auth and not upstream.skip_https_connect then ngx.req.set_header("Proxy-Authorization", proxy_auth) end diff --git a/t/apicast-policy-camel.t b/t/apicast-policy-camel.t index 8b4fce6aa..ddaac389c 100644 --- a/t/apicast-policy-camel.t +++ b/t/apicast-policy-camel.t @@ -318,6 +318,7 @@ EOF === TEST 5: API backend connection uses http proxy with Basic Auth +Check that the Proxy Authorization header is not sent --- configuration { "services": [ @@ -358,7 +359,7 @@ EOF access_by_lua_block { assert = require('luassert') local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] - assert.equals(proxy_auth, "Basic Zm9vOmJhcg==") + assert.falsy(proxy_auth) ngx.say("yay, api backend") } } @@ -371,6 +372,7 @@ yay, api backend using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT === TEST 6: API backend using all_proxy with Basic Auth +Check that the Proxy Authorization header is not sent --- configuration { "services": [ @@ -411,7 +413,7 @@ using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT access_by_lua_block { assert = require('luassert') local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] - assert.equals(proxy_auth, "Basic Zm9vOmJhcg==") + assert.falsy(proxy_auth) ngx.say("yay, api backend") } } 
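Review bot: With `and not upstream.skip_https_connect` added to the condition, credentials configured in the proxy URL are silently dropped on the HTTP path whenever that flag is set, and nothing tells the operator that the `user:password` part of the URL is being ignored. A flag named for skipping the HTTPS CONNECT also decides plain-HTTP behaviour here, which the comment explains only as "the camel proxy". Consider a warning when `proxy_auth` is set but not sent, e.g. `ngx.log(ngx.WARN, 'proxy credentials are configured but not sent when the CONNECT step is skipped')`, and note the limitation in the policy Readme. The body of `_M.request` continues outside the hunk.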
@@ -425,6 +427,7 @@ using proxy: http://foo:bar@127.0.0.1:$TEST_NGINX_HTTP_PROXY_PORT === TEST 7: using HTTPS proxy for backend with Basic Auth. +Check that the Proxy Authorization header is not sent --- init eval $Test::Nginx::Util::PROXY_SSL_PORT = Test::APIcast::get_random_port(); $Test::Nginx::Util::ENDPOINT_SSL_PORT = Test::APIcast::get_random_port(); @@ -473,10 +476,6 @@ EOF location /test { access_by_lua_block { - assert = require('luassert') - local proxy_auth = ngx.req.get_headers()['Proxy-Authorization'] - assert.falsy(proxy_auth) - ngx.say("yay, endpoint backend") } @@ -505,3 +504,5 @@ GET /test?user_key=test3 <
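Review bot: TEST 7 gains the description `Check that the Proxy Authorization header is not sent`, but the `@@ -473,10 +476,6 @@` hunk removes the `assert.falsy(proxy_auth)` check from the `/test` location, which was the assertion that verified it at the endpoint. Unless the lines added at the end of the file (cut off in this view) check the header another way, the test would still pass if the header reached the backend. Keeping `local proxy_auth = ngx.req.get_headers()['Proxy-Authorization']` and `assert.falsy(proxy_auth)` in the block, preceded by `local assert = require('luassert')`, preserves the regression check.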