0.3.0-beta2: don't leak Authorization header from the registry to the redirected destination during @handle_redirects

2020-04-03 15:33:46 +02:00
parent bbd4d60bc4
commit 19cbdfedfc
2 changed files with 8 additions and 2 deletions
--- a/nginx.conf
+++ b/nginx.conf
@@ -240,6 +240,12 @@ echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
            set $original_uri $uri;
            set $orig_loc $upstream_http_location;

+            # during this process, nginx will preserve the headers intended for the original destination.
+            # in most cases thats okay, but for some (eg: google storage), passing an Authorization
+            # header can cause problems. Also, that would leak the credentials for the registry
+            # into the storage system (unrelated).
+            proxy_set_header      Authorization "";
+
            # nginx goes to fetch the value from the upstream Location header
            proxy_pass $orig_loc;
            proxy_cache cache;