From: Ken Dreyer Date: Thu, 9 Apr 2020 22:32:55 +0000 (-0600) Subject: doc/rgw: warn about "trust forwarded https" security X-Git-Tag: v16.1.0~2268^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8ae9318cfee7a930fab025b379ae349d8f4fdd05;p=ceph.git doc/rgw: warn about "trust forwarded https" security Warn users about the implications of enabling this option when there is no trusted proxy in front of radosgw. Signed-off-by: Ken Dreyer --- diff --git a/doc/radosgw/config-ref.rst b/doc/radosgw/config-ref.rst index c9785c6b7979..c818e11aa8e9 100644 --- a/doc/radosgw/config-ref.rst +++ b/doc/radosgw/config-ref.rst @@ -673,6 +673,9 @@ Swift Settings this option to trust the ``Forwarded`` and ``X-Forwarded-Proto`` headers sent by the proxy when determining whether the connection is secure. This is required for some features, such as server side encryption. + (Never enable this setting if you do not have a trusted proxy in front of + radosgw, or else malicious users will be able to set these headers in + any request.) :Type: Boolean :Default: ``false`` diff --git a/src/common/options.cc b/src/common/options.cc index 6e2df5f16635..c6964572bb4f 100644 --- a/src/common/options.cc +++ b/src/common/options.cc @@ -6734,7 +6734,10 @@ std::vector
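Review bot: In the doc/radosgw/config-ref.rst hunk, the added warning is wrapped in parentheses, which makes a security caveat read like an aside next to "This is required for some features"; drop the parentheses or set it apart as its own note so it is not skimmed past. The sentence also stops at "malicious users will be able to set these headers in any request" without stating the consequence. Since the preceding text says the headers are used "when determining whether the connection is secure", spell out that a client connecting directly could have a plaintext request treated as secure, which matters for the features named there, such as server side encryption. The src/common/options.cc hunk is cut off after its header on this page, so its description text cannot be checked for the same wording.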