Conversation


@leo9800 leo9800 commented Sep 11, 2025

mod_proxy and mod_proxy_http currently pass request headers from the user-agent to the backend (the URL in ProxyPass), including those that contain underscores (_).

This may cause security issues with certain backends, per Section 17.10 of RFC 9110.

An example of such an issue is described below:

Python's WSGI standard (PEP 3333) defines that a WSGI server should pass HTTP request headers to the WSGI application as HTTP_-prefixed keys in the environ dictionary. This behaviour is similar to CGI.
During this procedure, all letters are uppercased and dashes (-) are converted to underscores (_); for example, X-Forwarded-For is converted to HTTP_X_FORWARDED_FOR.
Underscores themselves remain unconverted, e.g. X_Forwarded_For is also mapped to HTTP_X_FORWARDED_FOR.
A malign actor may set X_Forwarded_For or something like X-Forwarded_For to trick the backend with a fake remote IP, as the frontend (Apache) only 'always sets' X-Forwarded-For, not the malformed versions with underscores.

This patch introduces a new configuration entry, ProxyUnderscoredHeaders, which has the 3 possible options listed below, to mitigate such issues.

  • Allow: allow all headers to be passed to the backend, including those with underscores (default)
  • Drop: remove headers with underscores in their keys and pass the remainder to the backend
  • Reject: reject the request with 400 Bad Request if headers with underscores are found

The Allow option, as the default, avoids breaking changes to current behaviour, while Drop and Reject can be used to help mitigate such security issues.

Also note that nginx has a similar option named underscores_in_headers.

@leo9800 leo9800 marked this pull request as ready for review September 11, 2025 09:59
@leo9800 leo9800 force-pushed the allowunderscoredheader branch from ebf33cb to 27b52eb October 7, 2025 03:30
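The CGI-style key collision the pull request describes, reproduced as an added example (not code from the pull request or from httpd): a minimal PEP 3333-style header-to-environ mapping, and the three ProxyUnderscoredHeaders policies applied to a constructed request. The header names, IP addresses and the assumption that the proxy appends its X-Forwarded-For after the client's headers are all constructed for the example.

```python
# Added example: WSGI/CGI header-key collision and the allow/drop/reject policies.
# Not the pull request's code; names and sample values are constructed.

def cgi_key(header_name: str) -> str:
    """PEP 3333 / CGI mapping: uppercase, '-' -> '_', prefix HTTP_.
    Underscores already in the name are left as they are, so
    X-Forwarded-For, X_Forwarded_For and X-Forwarded_For all collide."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers):
    """Fill a WSGI-like environ from (name, value) pairs.
    Values whose CGI keys collide are joined with ', ' (as list-valued
    headers are combined), which makes the collision visible."""
    environ = {}
    for name, value in headers:
        key = cgi_key(name)
        environ[key] = f"{environ[key]}, {value}" if key in environ else value
    return environ


class UnderscoredHeader(ValueError):
    """Raised in 'reject' mode; a proxy would answer 400 Bad Request."""


def filter_underscored(headers, mode="allow"):
    """Apply the ProxyUnderscoredHeaders policy to client-supplied headers."""
    if mode == "allow":
        return list(headers)
    kept = []
    for name, value in headers:
        if "_" in name:
            if mode == "reject":
                raise UnderscoredHeader(name)
            continue  # 'drop' mode: silently remove the header
        kept.append((name, value))
    return kept


# Constructed sample request: the client smuggles an underscored variant,
# the proxy then 'always sets' the canonical X-Forwarded-For (appended last).
CLIENT_HEADERS = [("X_Forwarded_For", "203.0.113.9"), ("Host", "backend.example")]
PROXY_SET = [("X-Forwarded-For", "198.51.100.2")]


def forwarded_for(mode):
    """Value the backend sees in HTTP_X_FORWARDED_FOR under the given policy."""
    headers = filter_underscored(CLIENT_HEADERS, mode) + PROXY_SET
    return build_environ(headers)["HTTP_X_FORWARDED_FOR"]
```

Under "allow" the spoofed address reaches the backend in the same environ key as the proxy-set one; "drop" leaves only the proxy's value and "reject" refuses the request before it is forwarded.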