From 0d3658adf08affb4fee08dfe7b8235156089f0b9 Mon Sep 17 00:00:00 2001 From: bunkerity Date: Fri, 9 Apr 2021 17:27:22 +0200 Subject: [PATCH] REVERSE_PROXY_HEADERS - use proxy_set_header instead of more_set_headers --- README.md | 13 ++++++------- entrypoint/site-config.sh | 6 +++--- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index b7056fd..02bb1c1 100644 --- a/README.md +++ b/README.md @@ -447,10 +447,10 @@ By default, *bunkerized-nginx* runs as non-root user inside the container and sh docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx ``` -## User namespace remap -Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID 101 inside the container to a non-existent user with UID 100101 on the host. +### User namespace remap +Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID/GID 101 inside the container to a non-existent user with UID/GID 100101 on the host. -Let's assume you have the /etc/subuid and /etc/subgid like this : +Let's assume you have the /etc/subuid and /etc/subgid files like this : ``` user:100000:65536 ``` 
@@ -665,11 +665,10 @@ Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the co You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_WS_1`, `REVERSE_PROXY_WS_2`, `REVERSE_PROXY_WS_3`, ... `REVERSE_PROXY_HEADERS` -Values : *\* -Examples : Access-Control-Allow-Origin 'https://mydomain.dev'; Custom_Api_Header 'test'; -Default value : "" +Values : *\* +Default value : Context : *global*, *multisite* -Only valid when `USE_REVERSE_PROXY` is set to *yes*. Set it to *yes* when the corresponding `REVERSE_PROXY_HOST` is a WebSocket server. +Only valid when `USE_REVERSE_PROXY` is set to *yes*. You can set multiple url/host by adding a suffix number to the variable name like this : `REVERSE_PROXY_HEADERS_1`, `REVERSE_PROXY_HEADERS_2`, `REVERSE_PROXY_HEADERS_3`, ... `PROXY_REAL_IP` diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh index 4464ae2..e90cb74 100644 --- a/entrypoint/site-config.sh +++ b/entrypoint/site-config.sh @@ -68,10 +68,10 @@ if [ "$USE_REVERSE_PROXY" = "yes" ] ; then replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$url_value" replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_HOST%" "$host_value" if [ "$custom_headers_value" != "" ] ; then - IFS_=$IFS + IFS_$IFS IFS=';' - for header_value in $(echo "$custom_headers_value") ; do - replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "more_set_headers $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%" + for header_value in $(echo $custom_headers_value) ; do + replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_CUSTOM_HEADERS%" "proxy_set_header $header_value;\n%REVERSE_PROXY_CUSTOM_HEADERS%" done IFS=$IFS_ fi
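Review bot: The added line `IFS_$IFS` in the custom-headers branch of entrypoint/site-config.sh has lost its `=`, so the shell tries to run a command named `IFS_` instead of saving the separator, and the closing `IFS=$IFS_` then leaves IFS empty for whatever runs after this block; it should stay `IFS_=$IFS`. The new loop header also drops the quotes: with `IFS=';'` in effect, `$(echo $custom_headers_value)` is split on `;` inside the substitution and echo rejoins the pieces with spaces, so a multi-header value reaches the loop as one item and yields a single malformed `proxy_set_header` line, and any `*` in a value is open to globbing; keep `for header_value in $(echo "$custom_headers_value") ; do`. Because `proxy_set_header` alters the request sent upstream rather than the response to the client, and nginx inherits `proxy_set_header` from the outer level only when the current level defines none, it is worth confirming that the reverse-proxy template (not visible here) still sends the expected Host and forwarding headers once a custom one is added. The enclosing `if [ "$USE_REVERSE_PROXY" = "yes" ]` block starts and ends outside the hunk.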