Drupal 10, the latest version of the open-source digital experience platform with even more features, is here.The problem affects mainly Drupal 8, but the mitigation is recommended anyway -- see https://httpoxy.org
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 0001-Mitigate-httpoxy.patch | 3.92 KB | memtkmcc |
Comments
Comment #2
memtkmcc CreditAttribution: memtkmcc at Omega8.cc commentedPatch for nginx attached for review.
Comment #3
memtkmcc CreditAttribution: memtkmcc at Omega8.cc commentedComment #4
helmo CreditAttribution: helmo at Initfour websolutions commentedAbout apache ...
Adding 'RequestHeader unset Proxy early' to the Apache/server.tpl.php is easy. But it does depend on mod_headers which we don't enable by default.
The Debian package could be made to handle this, but the regular upgrade script does not use root privileges... and so cannot.
Comment #5
colanWe can deal with both servers in this issue, but keeping the patches separate is fine with me. I'm about to review the Nginx patch above.
Comment #7
colanThat patch looked good; I just added some comment lines. Now onto Apache fixes... I won't be looking into this myself as I'm only running Nginx at the moment.
I also fixed the following:
* Drupal recipe on the Nginx wiki
* Nginx support in Aegir HTTPS (new home of HTTPS support)
Comment #8
colanSetting back to active for Apache.
Comment #9
helmo CreditAttribution: helmo at Initfour websolutions commentedI don't think we have to do anything (as Aegir) for Apache in this case ... They have updated packages available which cover this issue.
Debian 2.4.10-10+deb8u5 and for Ubuntu 2.4.18-2ubuntu3.1