Overdue PSA: Reverse-Proxy Headers in Domino 12.0.1FP1 and Newer

Jan 25, 2023, 12:03 PM

  1. Putting Apache in Front of Domino
  2. Better Living Through Reverse Proxies
  3. Domino's Server-Side User Security
  4. A Partially-Successful Venture Into Improving Reverse Proxies With Domino
  5. PSA: Reverse-Proxy Regression in Domino 12.0.1
  6. Overdue PSA: Reverse-Proxy Headers in Domino 12.0.1FP1 and Newer

Just over a year ago now, I wrote a blog post describing the sudden removal of my beloved HTTPEnableConnectorHeaders notes.ini parameter in the 12.0.1 release.

However, during the administration-focused OpenNTF Repair Café today, I was reminded that I never modified that post or made a followup to detail the changes since then. I plan to remedy that here!

The gist of the trouble with 12.0.1 was that the connector-headers capability was removed in 12.0.1 for "security" reasons, but no suitable replacement was put in their place. Fortunately, enough people made good use of these headers that HCL reversed course a bit, and in the process improved the capability slightly. I don't know if it's properly documented anywhere, though; in any event, I can't find the changes in a Google search.

In (I believe) 12.0.1 Fix Pack 1 and later, the HTTPEnableConnectorHeaders parameter is functional again, allowing you to use the reverse-proxy-focused headers like $WSRH for the connecting remote host. The change they made is to make a distinction between those "safe" headers and "dangerous" ones like $WSRU (which lets you specify the act-as user). Though a little blunt, this is a nice improvement. If you set just HTTPEnableConnectorHeaders to 1, then you'll get the headers primarily used for normal reverse-proxy use but SSO-related ones like $WSRU will be stripped from the incoming request. If you want to enable $WSRU, you can set HTTPEnableDangerousConnectorHeaders to 1 on top of the former and it'll act like pre-12.0.1.

While I still hope that they'll provide more fine-grained control, such as making the headers only function when the proxy server matches the "Trusted proxy IP list" setting in the server doc, and also supporting pseudo-standard headers like X-Forwarded-For, this is a step in the right direction.

New Comment