Description
Crowd should allow the definition of proxy servers whose `X-Forwarded-For` header it will trust.
Original customer description:
Our company policy is to run our Tomcat containers behind an Apache proxy. This proxy then forwards the requests to the Tomcat servers. In the case of Crowd, it leads to an undesired situation. Crowd thinks the application authentication request comes from 127.0.0.1 instead of the external IP address of the application.
In Crowd therefore I cannot validate an application on its IP address, which might result in security hazards.
Is there another way to determine the original client IP address instead of the proxy's IP address?
Issue Links
- is related to CWD-1017 Add toggle to turn off checking of remote-ip in Validation Factors (Closed)
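The behaviour this request asks for, sketched as an added example (not part of the original issue and not Crowd's code): the `X-Forwarded-For` header is consulted only when the connecting peer is a configured trusted proxy, and it is read right to left so a value supplied by the client cannot displace the address the proxy itself recorded. The proxy list, function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed configuration: proxies whose X-Forwarded-For is trusted (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/24")]


def is_trusted(addr):
    """True if addr belongs to one of the configured trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Return the address an application should be validated against.

    peer_ip is the TCP peer the container sees; xff_header is the raw
    X-Forwarded-For value or None. Each proxy appends the address it received
    the request from, so the rightmost entries are the most trustworthy.
    """
    current = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return str(current)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # no trusted proxy vouches for anything further left
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that was verified
    return str(current)
```

Entries to the left of the first untrusted address are ignored, which is what stops a forged header from passing an IP-based validation check.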