On 17 July 2016 at 06:42, adiran <[email protected]> wrote:

> I've been working through troubleshooting template requests via a
> smart-proxy without a token present.
>
> The request is from the client IP, which gets masked by the proxy on
> forward, but when I reviewed the code I noticed that the proxy inserts an
> X-Forwarded-For header, which foreman's unattended_controller looks at and
> is supposed to honour.
>
> However, I can't make sense of the following code:
>
>   def ip_from_request_env
>     ip = request.env['REMOTE_ADDR']
>
>     # check if someone is asking on behalf of another system (load balance etc)
>     if request.env['HTTP_X_FORWARDED_FOR'].present? and (ip =~ Regexp.new(Setting[:remote_addr]))
>       ip = request.env['HTTP_X_FORWARDED_FOR']
>     end
>
>     ip
>   end
>
> In my environment, foreman is running behind passenger, and the
> remote_addr setting is 127.0.0.1.
>
> When a request comes from a smart-proxy, the Regexp.new check fails, and
> 'ip' never gets set to the X-Forwarded-For IP; it retains the proxy's
> source IP, which fails to render.
>
> If I change the code to:
>
>     if request.env['HTTP_X_FORWARDED_FOR'].present?
>
> everything works as I expect it to.
>
> Am I missing something here, or is the code not quite right?
>

If I recall correctly (disclaimer, it's been a while :P), the default of
127.0.0.1 is a security default which will prevent matching anything on the
network spoofing hosts without a valid token. This is the only sane default
when we (a priori) know little about the user's network setup. I think you
just need to set :remote_addr to a regular expression which will match the
Smart Proxy's IP, so that the second half will succeed and use the header.

Greg
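The check Greg describes, worked through as a stand-alone example that is not Foreman's code: a Rack-style `env` hash is resolved to a requester address only if the direct peer (`REMOTE_ADDR`) matches the trusted-proxy pattern, so a host on the network cannot spoof another client simply by sending its own `X-Forwarded-For`. The function name `client_ip`, the constructed sample requests and the `DEFAULT_REMOTE_ADDR` constant standing in for `Setting[:remote_addr]` are this example's assumptions. Two things go beyond the quoted method and are marked as such in the code: the pattern is anchored, and a comma-separated header chain is handled.

```ruby
# Added example, not the code from Foreman's unattended_controller.
# Resolves the client address for a request the way ip_from_request_env does,
# with the "is the direct peer a trusted proxy?" test made explicit.
require 'ipaddr'

# Stand-in for Setting[:remote_addr] (assumption: same default as the thread,
# a pattern that only trusts a proxy on the same host).
DEFAULT_REMOTE_ADDR = '127.0.0.1'

# env      : Rack-style hash with 'REMOTE_ADDR' and optional 'HTTP_X_FORWARDED_FOR'
# trusted  : regexp source, as stored in the setting
# Returns the address to treat as the requester.
def client_ip(env, trusted = DEFAULT_REMOTE_ADDR)
  ip  = env['REMOTE_ADDR']
  xff = env['HTTP_X_FORWARDED_FOR'].to_s.strip

  # Addition over the quoted code: anchor the pattern. With a bare =~ the
  # default '127.0.0.1' would also match a peer such as '127.0.0.10'.
  trusted_re = Regexp.new("\\A(?:#{trusted})\\z")

  # Untrusted peer, or no header: the header is ignored and the peer's own
  # address is used. This is the case adiran hit with a smart-proxy peer.
  return ip if xff.empty? || ip !~ trusted_re

  # Addition over the quoted code: X-Forwarded-For may be a chain. With one
  # trusted hop, the proxy appends the address it saw, so the rightmost entry
  # is the one it vouches for; anything further left came from the client.
  forwarded = xff.split(',').map(&:strip).last

  # Fall back to the peer address rather than trusting an unparsable value.
  begin
    IPAddr.new(forwarded)
  rescue IPAddr::InvalidAddressError
    return ip
  end
  forwarded
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a smart-proxy at 192.168.1.20 forwarding for 10.0.0.5.
  from_proxy = { 'REMOTE_ADDR' => '192.168.1.20', 'HTTP_X_FORWARDED_FOR' => '10.0.0.5' }
  puts "default setting:      #{client_ip(from_proxy)}"                    # 192.168.1.20
  puts "proxy IP in setting:  #{client_ip(from_proxy, '192\.168\.1\.20')}" # 10.0.0.5
end
```

With the default setting the header from the smart-proxy is ignored (the symptom in the first message); once the setting's regexp matches the proxy's address, the header is honoured, which is the fix Greg suggests.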
