Use X-Forwarded-For header instead of REMOTE_ADDRESS when request comes from IP in trusted pool
Description
I sent an email to the list some time ago but nothing was decided:
" I'd like to suggest a new feature for the web server modules. Sometimes the application front-ends are behind a L7 load-balancer (or two) and in those cases all the requests seem to come from the IP of the load-balancer(s). This messes up the checkAddress et al checks.
It would be nice if we could specify a list of IPs so that when requests arrive from them, the IP stored in the "X-Forwarded-For" would be used instead of the IP in the request. "
What would be needed is a way to specify a list of IPs/netmasks and the header to use in that case.
I think this is a security issue since when you have a setup like this you have to set consistentAddress=false and checkAddress=false. As the number of Shibboleth installations increases in number and in size there will be more people in this situation.
Note this feature is usually unsafe to use, because proxy headers are easy to spoof.
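The following is an added illustration of the trusted-pool logic the request describes, written for this page and not taken from the Shibboleth SP code base. It assumes a constructed trusted pool (two load-balancer networks) and shows why the pool matters: the header is consulted only when the TCP peer is one of the trusted proxies, and the X-Forwarded-For chain is walked from the right so that entries a client may have injected on the left are never reached. When the peer is untrusted, the header is missing, or every hop is trusted, it falls back to the peer address, which matches the fallback André Cruz suggests below.

```python
import ipaddress

# Constructed example pool (assumption): the addresses from which the
# L7 load-balancers connect to the SP. Anything else is an untrusted peer.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_address(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to feed into checkAddress/consistentAddress-style
    comparisons.

    - Peer not in the trusted pool: ignore the header entirely, use the peer.
    - Peer trusted but no header: use the peer.
    - Otherwise walk X-Forwarded-For right-to-left, skipping trusted proxies;
      the first untrusted hop is the address the last trusted proxy saw
      connecting to it, i.e. the real client. Entries further left were
      supplied by untrusted parties and are never considered.
    - Malformed hop or chain made only of trusted proxies: fall back to peer.
    """
    if not is_trusted(remote_addr, trusted) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # A malformed entry means we cannot reason about anything to its
            # left either; refuse to guess and keep the peer address.
            return remote_addr
        if not any(ip in net for net in trusted):
            return str(ip)
    return remote_addr


if __name__ == "__main__":
    # Direct connection from the backend network (not a trusted LB): the
    # client-supplied header is ignored even though it is present.
    print(client_address("203.0.113.5", "198.51.100.20"))
    # Normal LB path: the LB appended the client address.
    print(client_address("10.0.0.7", "198.51.100.20"))
    # Two LBs in a chain plus an injected leading entry: still the client.
    print(client_address("10.0.0.7", "6.6.6.6, 198.51.100.20, 10.0.0.8"))
```

The header-only approach Scott Cantor mentions below is equivalent to `client_address` with the trusted check removed, and is safe only under his stated condition that the SP is reachable solely through the front-end; the pool check is what makes the direct backend access André Cruz describes harmless.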
André Cruz October 7, 2008 at 4:36 AM
In my case those front-ends are only publicly accessible via the LB. Only the developers sometimes access them directly through the backend network for testing purposes. So I guess the logic would be to use the specified header as the remote address, if available, otherwise use the normal REMOTE_ADDRESS.
I guess this is the normal case, yes...
Scott Cantor October 6, 2008 at 2:03 PM
Wouldn't it be likely that such an SP would not be accessible other than via that front-end? It would be much easier to just have a property to specify what header to look at for everything, rather than some kind of complex address matching.