Merge pull request mattiasgeniar#31 from carlalexander/patch-1

Prevent CGI proxy hack
inkdawgz · Jul 19, 2016 · 1489fd6 · 1489fd6
2 parents 476adbb + 9614f76
commit 1489fd6
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/default.vcl b/default.vcl
@@ -65,6 +65,9 @@ sub vcl_recv {
 
   # Normalize the header, remove the port (in case you're testing this on various TCP ports)
   set req.http.Host = regsub(req.http.Host, ":[0-9]+", "");
+
+  # Remove the proxy header (see https://httpoxy.org/#mitigate-varnish)
+  unset req.http.proxy;
 
   # Normalize the query arguments
   set req.url = std.querysort(req.url);