Item14380: Foswiki should have option to use X-Forwarded-For to determine Client IP in reverse proxy configuration.
Priority: Normal
Current State: Closed
Released In: 2.1.8
Target Release: patch
In proxy configurations, the Foswiki events log will only contain the proxy server's IP address, anonymizing the clients.
The X-Forwarded-For header will often contain the real client IP in a proxy configuration.
See Wikipedia:X-Forwarded-For
--
GeorgeClark - 19 Apr 2017
Implemented as a new Proxies option: {PROXY}{UseForwardedForHeader}
--
Main.GeorgeClark - 14 May 2017 - 18:26
See also Item14544
--
GeorgeClark - 27 Nov 2017
Re-opening this to work on for 2.1.5. Since the code already processes the Forwarding headers - incorrectly - this really is a bugfix. It needs to support:
X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Proto which may be present.
--
GeorgeClark - 27 Nov 2017
This feature is waiting for a release since when? Will backport it to 2.1.8 due to its importance. By the way, the feature currently is implemented using two boolean flags - UseForwardedFor and UseForwardedHeaders - other than documented. The above UseForwardedForHeader is gone. Basically we only need one of the three: UseForwardedHeaders. This will activate scanning for X-Forwarded-* headers.
I've updated the priority of this task from "enhancement" to "normal" as Foswiki cannot be used behind a reverse proxy properly, i.e. when https is being used on the outside and http between the reverse proxy and the backend. Deploying Foswiki using Docker we have:
browser <-[https]-> reverse proxy <-[http]-> nginx <-[fcgi]-> foswiki backends
In words:
- all browsers talk https hitting the reverse proxy
- the rev proxy uses plain http talking to the backend such as a docker image
- inside the docker image we have another nginx
- which itself uses fcgi to talk to foswiki
This only works with proper X-Forwarded-* headers in place, something like:
    location / {
        proxy_pass http://127.0.0.1;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
Foswiki will need to parse those headers. It otherwise generates a mixed content html page ... which isn't processed for security reasons.
--
MichaelDaum - 24 Feb 2023
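The header handling discussed in this task, as an added Python example that is not Foswiki's code or its configuration: X-Forwarded-* values are honoured only when the direct peer is a known proxy, and X-Forwarded-For is read from the right because `$proxy_add_x_forwarded_for` appends to whatever the client sent. `TRUSTED_PROXIES`, `resolve_request` and all sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Assumption: networks of the reverse proxies allowed to set X-Forwarded-* headers.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "172.16.0.0/12")]


def _is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_request(remote_addr, headers):
    """Return (client_ip, scheme, host); headers is a dict with lower-case names."""
    client_ip, scheme, host = remote_addr, "http", headers.get("host", "")
    # Forwarded headers from a peer that is not one of our proxies are
    # client-controlled, so they are ignored entirely.
    if not _is_trusted(remote_addr):
        return client_ip, scheme, host
    # Each proxy appends the peer it saw: walk right to left and stop at the
    # first hop that is not one of ours. Entries left of it are unverified.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last valid address
        client_ip = hop
        if not _is_trusted(hop):
            break
    proto = headers.get("x-forwarded-proto", "").strip().lower()
    if proto in ("http", "https"):
        scheme = proto
    # With several values, the last one was set by the proxy nearest to us.
    fwd_host = headers.get("x-forwarded-host", "").split(",")[-1].strip()
    if fwd_host:
        host = fwd_host
    port = headers.get("x-forwarded-port", "").strip()
    default_port = {"http": "80", "https": "443"}[scheme]
    if port.isdigit() and port != default_port and ":" not in host:
        host = f"{host}:{port}"
    return client_ip, scheme, host
```
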