Just in case anyone else runs into this…

Only tested for our specific use case, running your own Tomcat server version 
9.x instead of using the embedded one.

The issue ended up being that Tomcat requires a remote IP valve to handle client 
IPs behind a proxy.  Added the following valve to the Tomcat server.xml 
configuration:

<Host name="your.domain.org" ….>
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="<proxy server ips>" />
  …
</Host>


Reference here:

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve


From: [email protected] <[email protected]> On Behalf Of King, Robert
Sent: Friday, April 9, 2021 2:26 PM
To: [email protected]
Subject: [EXTERNAL SENDER] [cas-user] Endpoint security behind a proxy

Is there a way to use x-forwarded-for when attempting actuator/endpoint 
security?

Our current implementation uses IP_ADDRESS, but having moved behind an Apache 
proxy everything gets access to the endpoints since all access seems to come 
from the proxy server IP.

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=<regex of local IPs>

Is there a way to switch to x-forwarded-for IPs?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]<mailto:[email protected]>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2dbe3e891e8d46da896568c80e1f1f2d%40mun.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/2dbe3e891e8d46da896568c80e1f1f2d%40mun.ca?utm_medium=email&utm_source=footer>.
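
Added example, not part of the original thread and not Tomcat or CAS code: a simplified Python model of how a RemoteIpValve-style rule resolves the client address, showing why the IP_ADDRESS check let everything through before the valve was added and why a client-supplied X-Forwarded-For value is not trusted afterwards. The addresses, both regexes and the function names are constructed for illustration; only internalProxies is modelled, and the requiredIpAddresses check is assumed to be a full-match regex.

```python
import re

# Constructed sample values, not taken from the thread.
INTERNAL_PROXIES = re.compile(r"10\.1\.1\.10")    # stands in for internalProxies
REQUIRED_IPS = re.compile(r"10\.\d+\.\d+\.\d+")   # stands in for requiredIpAddresses


def resolve_remote_addr(peer_addr, xff_header, internal=INTERNAL_PROXIES):
    """Simplified model of the valve: internalProxies only, no trustedProxies."""
    # The header is honoured only when the TCP peer is itself a known proxy.
    if not internal.fullmatch(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own
    # proxies; anything further left came from the client and is not trusted.
    resolved = peer_addr
    for hop in reversed(hops):
        resolved = hop
        if not internal.fullmatch(hop):
            break
    return resolved


def endpoint_allowed(peer_addr, xff_header, valve_enabled):
    """IP_ADDRESS-style check against the address the application sees."""
    seen = resolve_remote_addr(peer_addr, xff_header) if valve_enabled else peer_addr
    return bool(REQUIRED_IPS.fullmatch(seen))


if __name__ == "__main__":
    # (label, TCP peer address, X-Forwarded-For header as received by Tomcat)
    # The third case assumes the proxy appends the connecting address to a
    # header the client already sent.
    cases = [
        ("external client via proxy", "10.1.1.10", "203.0.113.7"),
        ("internal client via proxy", "10.1.1.10", "10.2.3.4"),
        ("forged header via proxy", "10.1.1.10", "10.2.3.4, 203.0.113.7"),
        ("forged header, direct connection", "203.0.113.7", "10.2.3.4"),
    ]
    for label, peer, xff in cases:
        before = endpoint_allowed(peer, xff, valve_enabled=False)
        after = endpoint_allowed(peer, xff, valve_enabled=True)
        print(f"{label}: without valve={before}, with valve={after}")
```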
