From 8ae9318cfee7a930fab025b379ae349d8f4fdd05 Mon Sep 17 00:00:00 2001 From: Ken Dreyer Date: Thu, 9 Apr 2020 16:32:55 -0600 Subject: [PATCH] doc/rgw: warn about "trust forwarded https" security Warn users about the implications of enabling this option when there is no trusted proxy in front of radosgw. Signed-off-by: Ken Dreyer --- doc/radosgw/config-ref.rst | 3 +++ src/common/options.cc | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/radosgw/config-ref.rst b/doc/radosgw/config-ref.rst index c9785c6b7979f..c818e11aa8e95 100644 --- a/doc/radosgw/config-ref.rst +++ b/doc/radosgw/config-ref.rst @@ -673,6 +673,9 @@ Swift Settings this option to trust the ``Forwarded`` and ``X-Forwarded-Proto`` headers sent by the proxy when determining whether the connection is secure. This is required for some features, such as server side encryption. + (Never enable this setting if you do not have a trusted proxy in front of + radosgw, or else malicious users will be able to set these headers in + any request.) :Type: Boolean :Default: ``false`` diff --git a/src/common/options.cc b/src/common/options.cc index 6e2df5f166354..c6964572bb4f8 100644 --- a/src/common/options.cc +++ b/src/common/options.cc @@ -6734,7 +6734,10 @@ std::vector
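Review bot: In the doc/radosgw/config-ref.rst hunk, the added parenthetical gives the risk as "malicious users will be able to set these headers in any request", but a client can always send those headers. What the option changes is that radosgw believes them when determining whether the connection is secure. Suggest wording closer to "otherwise any client can send these headers and have a plaintext connection treated as secure", which ties the warning to the sentence above it about features such as server side encryption. The parentheses make this read as an aside; consider dropping them or using a warning admonition so the text stands out from the option description. It would also help to say that the proxy must overwrite any client-supplied ``Forwarded`` and ``X-Forwarded-Proto`` values, since having a proxy in front is not enough if it passes those headers through unchanged.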