Ok, this makes a little more sense. So in an environment with many smart-proxies, the IP of each one would need to be included in this regexp?
I just assumed that foreman would take care of accepting X-Forwarded-For from smart-proxy IPs which are registered, since it already knows about them. This setting could use a little more detail in the manual, glad you recall.

On Sunday, July 17, 2016 at 9:34:10 AM UTC-4, Greg Sutcliffe wrote:
>
> On 17 July 2016 at 06:42, adiran <[email protected]> wrote:
>
>> I've been working through troubleshooting template requests via a
>> smart-proxy without a token present.
>>
>> The request is from the client IP, which gets masked by the proxy on
>> forward, but when I reviewed the code I noticed that the proxy inserts an
>> X-Forwarded-For header, which foreman's unattended_controller looks at and
>> is supposed to honour.
>>
>> However, I can't make sense of the following code:
>>
>>     def ip_from_request_env
>>       ip = request.env['REMOTE_ADDR']
>>
>>       # check if someone is asking on behalf of another system (load balance etc)
>>       if request.env['HTTP_X_FORWARDED_FOR'].present? and (ip =~ Regexp.new(Setting[:remote_addr]))
>>         ip = request.env['HTTP_X_FORWARDED_FOR']
>>       end
>>
>>       ip
>>     end
>>
>> In my environment, foreman is running behind passenger, and the
>> remote_addr setting is 127.0.0.1.
>>
>> When a request comes from a smart-proxy, the Regexp.new check fails, and
>> 'ip' never gets set to the X-Forwarded-For IP, it retains the proxy's
>> source IP, which fails to render.
>>
>> If I change the code to:
>>
>>     if request.env['HTTP_X_FORWARDED_FOR'].present?
>>
>> everything works as I expect it to.
>>
>> Am I missing something here, or is the code not quite right?
>>
>
> If I recall correctly (disclaimer, it's been a while :P), the default of
> 127.0.0.1 is a security default which will prevent matching anything on the
> network spoofing hosts without a valid token. This is the only sane default
> when we (a priori) know little about the user's network setup. I think you
> just need to set :remote_addr to a regular expression which will match the
> Smart Proxy's IP, so that the second half will succeed and use the header.
>
> Greg
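
The check discussed in this thread, as an added Ruby example that is not part of the original messages and not Foreman's own code: it keeps the same decision (use X-Forwarded-For only when REMOTE_ADDR matches the remote_addr pattern) and shows how a pattern covering several smart-proxies can be built so that it matches those addresses exactly. The helpers `trusted_proxy_pattern` and `valid_ip?`, the two-argument form of `ip_from_request_env`, and every address are constructed for illustration.

```ruby
require 'ipaddr'

# Hypothetical helper: turn a list of proxy IPs into a pattern string for the
# remote_addr setting. Dots are escaped and the alternation is anchored, so
# only the listed addresses match, not strings that merely contain one.
def trusted_proxy_pattern(ips)
  '\A(?:' + ips.map { |ip| Regexp.escape(ip) }.join('|') + ')\z'
end

# Hypothetical helper: accept a single literal IPv4/IPv6 address only.
def valid_ip?(value)
  return false if value.empty? || value.include?('/')
  IPAddr.new(value)
  true
rescue IPAddr::Error
  false
end

# Same decision as the quoted ip_from_request_env, with the Rack env and the
# setting passed in as arguments so it runs outside Rails.
def ip_from_request_env(env, remote_addr_setting)
  ip = env['REMOTE_ADDR']
  forwarded = env['HTTP_X_FORWARDED_FOR'].to_s

  # Honour the header only when the direct peer matches the trusted pattern.
  if !forwarded.empty? && ip =~ Regexp.new(remote_addr_setting)
    # Assumption: the proxy appends the client address, so the last
    # comma-separated entry is the one the trusted proxy wrote itself.
    candidate = forwarded.split(',').last.to_s.strip
    ip = candidate if valid_ip?(candidate)
  end

  ip
end

# Constructed sample requests (addresses are documentation/private ranges).
PROXIES    = ['10.0.0.5', '10.0.0.6'].freeze
VIA_PROXY  = { 'REMOTE_ADDR' => '10.0.0.6',
               'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 192.0.2.10' }.freeze
NOT_PROXY  = { 'REMOTE_ADDR' => '110.0.0.55',
               'HTTP_X_FORWARDED_FOR' => '192.0.2.10' }.freeze
```

With the default `127.0.0.1` the header from `VIA_PROXY` is ignored, which is the behaviour described in the first message; a bare `10.0.0.5` as the setting also matches the peer `110.0.0.55`, which the anchored pattern does not.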
