
Feature Proposal: Optionally get client IP from the X-Forwarded-For header.

Motivation

When Foswiki is behind a Web Proxy, Load Balancer, or other appliances, Foswiki will only see the proxy server's IP address. This breaks IP Matching in sessions, masks the logs, and breaks plugins like BlackListPlugin.

Description and Documentation

Add a configuration parameter {PROXY}{ClientFromXForwardedFor}. If enabled, Engine::CGI should parse the X-Forwarded-For header, extract the client IP, and use it instead of the REMOTE_ADDR address when setting query->remoteAddress.

Also need to review any internal direct access to the REMOTE_ADDR environment variable.

Examples
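
An added example, not part of the original proposal and not Foswiki's implementation: one way an engine could derive the client address from X-Forwarded-For, honouring the header only when REMOTE_ADDR is a known proxy. The %TRUSTED_PROXY list, the is_ip and client_ip helpers, and all addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Assumption: the reverse proxies allowed to set the header.
# Constructed sample values; this is not a Foswiki configuration key.
my %TRUSTED_PROXY = map { $_ => 1 } qw(10.0.0.5 10.0.0.6);

# True when the string parses as an IPv4 or IPv6 literal.
sub is_ip {
    my ($s) = @_;
    return defined( inet_pton( AF_INET, $s ) )
      || defined( inet_pton( AF_INET6, $s ) );
}

# Returns the address to record as the client for this request.
sub client_ip {
    my ( $remote_addr, $xff ) = @_;

    # The header only means something when the TCP peer is one of our
    # proxies; a client connecting directly can put anything in it.
    return $remote_addr unless $TRUSTED_PROXY{$remote_addr};
    return $remote_addr unless defined $xff && length $xff;

    ( my $value = $xff ) =~ s/^\s+|\s+$//g;
    my @hops = split /\s*,\s*/, $value, -1;    # -1 keeps empty trailing fields

    # Walk right to left: the right-hand entries were appended by our own
    # proxies, the left-hand ones arrived from the client and may be forged.
    for my $hop ( reverse @hops ) {
        return $remote_addr unless is_ip($hop);    # malformed: do not guess
        next if $TRUSTED_PROXY{$hop};
        return $hop;
    }
    return $remote_addr;    # header listed only our own proxies
}

# Constructed requests: [ REMOTE_ADDR, X-Forwarded-For ]
my @cases = (
    [ '10.0.0.5',     '203.0.113.7' ],                        # via one proxy
    [ '10.0.0.5',     '192.0.2.1, 203.0.113.7, 10.0.0.6' ],   # forged first entry
    [ '198.51.100.9', '192.0.2.1' ],                          # direct client
    [ '10.0.0.5',     'not-an-ip' ],                          # malformed header
);
printf "%-14s %-34s -> %s\n", @$_, client_ip(@$_) for @cases;
```

Trusted entries are compared as plain strings here, so IPv6 proxies would need to be listed in the same textual form the proxy emits.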

Impact

%WHATDOESITAFFECT%

Implementation

-- Contributors: GeorgeClark - 19 Apr 2017

Discussion

Looks to be a pretty simple change to the Engine implementations. I'll just commit into master, as it will be disabled by default and is testing fine with mod_perl and CGI. Setting to merged.

Currently I have a Configure checker put up a warning if it detects a proxy. Should bootstrap automatically enable the header processing if it discovers Foswiki is behind a proxy?

-- GeorgeClark - 14 May 2017
 
Topic revision: r3 - 14 May 2017, GeorgeClark - This page was cached on 23 Jun 2018 - 06:49.
