Is it possible to ignore OIDCXForwardedHeaders mismatch warnings?

[CSC-swesters]

Hi all,

It seems we have an issue where OIDCXForwardedHeaders cannot be satisfied in any way, so there will be warning logs either way we configure them. Would it be possible to disable these warnings in mod_auth_openidc? Based on my reading of the source code, there does not currently seem to be a way.

https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.17.1/src/cfg/cfg.c#L445-L455

For context, we run mod_auth_openidc in conjunction with Open OnDemand ("OOD"). Httpd is at the edge of the network, so there is no proxy in front. Therefore, one would assume the OIDCXForwardedHeaders none would be the correct answer.

However, OOD is using a Lua module in httpd to set up its own proxy settings, and will inject request headers while doing this. OOD is primarily architected around proxying user-specific requests to per-user Nginx servers via unix sockets on the same host. See the relevant Lua line here:

https://github.com/OSC/ondemand/blob/v4.0.5/mod_ood_proxy/lib/ood/proxy.lua#L23

Also see the OOD ood-portal.conf.erb template, to see how the Lua hooks get invoked, e.g., in /node/ and /pun/ Locations:

https://github.com/OSC/ondemand/blob/v4.0.5/ood-portal-generator/templates/ood-portal.conf.erb

I tried reading debug logs from mod_auth_openidc a while ago, and it seems like httpd is invoking mod_auth_openidc multiple times during the same request. Possibly due to the multiple stages of processing (mod_ood_proxy -> mod_proxy at least, based on my understanding) that the request goes through? I'm not familiar with httpd internals, so please let me know.

The fact that mod_ood_proxy will add the X-Forwarded-Proto headers in the middle of the processing makes it impossible to pick a correct answer for OIDCXForwardedHeaders. Let me know if I've missed something, I'm happy to learn something new!

Around 35% of our httpd log lines from the Open OnDemand VirtualHost consist of these warnings, which feels a bit wasteful. I.e.:

# Using "OIDCXForwardedHeaders X-Forwarded-Proto"
oidc_check_x_forwarded_hdr: OIDCXForwardedHeaders configured for header X-Forwarded-Proto but not found in request, referer: https://my-redacted-hostname/pun/sys/dashboard/

# or, alternatively:

# Using "OIDCXForwardedHeaders none" (or undefined = default)
oidc_check_x_forwarded_hdr: header X-Forwarded-Proto received but OIDCXForwardedHeaders not configured for it, referer: https://my-redacted-hostname/pun/sys/dashboard/

See my issue at the OOD project: OSC/ondemand#3880

Thanks in advance!

--
Simon

[zandbelt]

support for suppressing those warnings was just added in a96e0f1; you'd use e.g.:

  SetEnvIfExpr true OIDC_CHECK_X_FORWARDED_HDR_LOG_DISABLE=X-Forwarded-Proto

[CSC-swesters]

Thank you so much! Impressive response time 🙂

For documentation purposes, I suppose users who want to ignore multiple header warnings would just list all the names one after another? For example:

  SetEnvIfExpr true OIDC_CHECK_X_FORWARDED_HDR_LOG_DISABLE="X-Forwarded-Proto X-Forwarded-Host X-Forwarded-Port"

I didn't test if that's correct httpd config syntax with the added quotation marks.

[zandbelt]

that is correct

[zandbelt]

this is included in release 2.4.17.2 now: https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.17.2