Clean connection headers for forward auth request only

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2024-09-27 11:18:05 +02:00 · 2024-09-27 11:18:05 +02:00 · a42d396ed2
commit a42d396ed2
parent b00f640d72
4 changed files with 30 additions and 30 deletions
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@ -637,3 +637,15 @@ Increasing the `readTimeout` value could be the solution notably if you are deal
 - TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
 - HTTP: `'499 Client Closed Request' caused by: context canceled`
 - HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
+
+## v2.11.3
+
+### Connection headers
+
+In `v2.11.3`, the handling of the request Connection headers directives has changed to prevent any abuse.
+Before, Traefik removed any header listed in the Connection header just before forwarding the request to the backends.
+Now, Traefik removes the headers listed in the Connection header as soon as the request is handled.
+As a consequence, middlewares do not have access to those Connection headers,
+and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
+
+Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.