From 2153a81ec85da99dcd33aa87ff0df5d286f00e9d Mon Sep 17 00:00:00 2001
From: Matt Holt
Date: Tue, 4 Oct 2022 23:37:01 -0600
Subject: [PATCH] forwardauth: Canonicalize header fields (fix #5038) (#5097)
---
 .../reverseproxy/forwardauth/caddyfile.go | 39 +++++++++----------
 1 file changed, 18 insertions(+), 21 deletions(-)
diff --git a/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go b/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go
index a0b1f4213f2..cecc0001330 100644
--- a/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go
+++ b/modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go
@@ -38,29 +38,28 @@ func init() {
 // configured for most™️ auth gateways that support forward auth. The typical
 // config which looks something like this:
 //
-// forward_auth auth-gateway:9091 {
-// uri /authenticate?redirect=https://auth.example.com
-// copy_headers Remote-User Remote-Email
-// }
+// forward_auth auth-gateway:9091 {
+// uri /authenticate?redirect=https://auth.example.com
+// copy_headers Remote-User Remote-Email
+// }
 //
 // is equivalent to a reverse_proxy directive like this:
 //
-// reverse_proxy auth-gateway:9091 {
-// method GET
-// rewrite /authenticate?redirect=https://auth.example.com
+// reverse_proxy auth-gateway:9091 {
+// method GET
+// rewrite /authenticate?redirect=https://auth.example.com
 //
-// header_up X-Forwarded-Method {method}
-// header_up X-Forwarded-Uri {uri}
-//
-// @good status 2xx
-// handle_response @good {
-// request_header {
-// Remote-User {http.reverse_proxy.header.Remote-User}
-// Remote-Email {http.reverse_proxy.header.Remote-Email}
-// }
-// }
-// }
+// header_up X-Forwarded-Method {method}
+// header_up X-Forwarded-Uri {uri}
 //
+// @good status 2xx
+// handle_response @good {
+// request_header {
+// Remote-User {http.reverse_proxy.header.Remote-User}
+// Remote-Email {http.reverse_proxy.header.Remote-Email}
+// }
+// }
+// }
 func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error) {
 if !h.Next() {
 return nil, h.ArgErr()
@@ -196,9 +195,7 @@ func parseCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error)
 // need at least one handler in the routes for the response handling
 // logic in reverse_proxy to not skip this entry as empty.
 for from, to := range headersToCopy {
- handler.Request.Set[to] = []string{
- "{http.reverse_proxy.header." + from + "}",
- }
+ handler.Request.Set.Set(to, "{http.reverse_proxy.header."+http.CanonicalHeaderKey(from)+"}")
 }
 
 goodResponseHandler.Routes = append(
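Review bot: The rewritten line in the `for from, to := range headersToCopy` loop of the second hunk canonicalizes `from` explicitly but leaves `to` to be canonicalized by `Set.Set` (presumably an `http.Header`), and nothing says why either half is needed. These are the identity headers the backend trusts, so a why-comment above the line would help the next maintainer keep both, e.g. `// canonicalize both names: a non-canonical key can miss the upstream header and leave a client-sent header of the canonical name in place`. The second clause of that comment is inferred from how header maps are keyed rather than shown in this hunk, so confirm it before committing. The diffstat lists only this file, so a regression case using a lowercase `copy_headers` name is also worth adding. parseCaddyfile starts and ends outside the hunk.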