Crowd should allow the definition of proxy servers whose X-Forwarded-For: it will trust.
Original customer description:
Our company policy is to run our Tomcat containers behind an Apache proxy. This proxy then forwards the requests to the Tomcat servers. In the case of Crowd it leads to an undesired situation. Crowd thinks the application authentication request comes from 127.0.0.1 instead of the external IP address of the application.
In Crowd therefore I cannot validate an application on its IP address, which might result in security hazards.
Is there another way to determine the original client IP address instead of the proxy's IP address?
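A sketch of the behaviour this issue requests, as an added example that is not Crowd's own code: the X-Forwarded-For header is honoured only when the connection itself comes from a configured trusted proxy, and the chain is walked from the right so that entries supplied by the client are never believed. The function name, the IP/CIDR configuration format and the sample addresses are assumptions.

```python
import ipaddress


def resolve_client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the address to check against an application's allowed IPs.

    remote_addr: peer address of the TCP connection (not header-controlled)
    xff_header: raw X-Forwarded-For value, or None if the header is absent
    trusted_proxies: IPs or CIDR ranges (hypothetical configuration format)
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        # Membership is False when the IP version differs from the network's.
        return any(ip in net for net in nets)

    client = ipaddress.ip_address(remote_addr)
    if not xff_header or not trusted(client):
        # Header absent, or sent by a peer we do not trust: ignore it.
        return str(client)

    # Each proxy appends the address it received the request from, so only
    # the rightmost entries were written by proxies we control.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last hop we could verify
        client = hop_ip
        if not trusted(client):
            break  # first address not vouched for by a trusted proxy
    return str(client)


if __name__ == "__main__":
    # Constructed sample: local Apache proxy in front of Tomcat, as in the report.
    print(resolve_client_ip("127.0.0.1", "203.0.113.7", ["127.0.0.1"]))
```

With no trusted proxies configured the function always returns the connection's peer address, which is the 127.0.0.1 behaviour the customer describes.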
- is related to: CWD-1017 Add toggle to turn off checking of remote-ip in Validation Factors (Closed)
[CWD-541] Allow specification of Trusted Proxy Servers
Workflow | Original: JAC Suggestion Workflow [ 3389048 ] | New: JAC Suggestion Workflow 3 [ 3629494 ] |
Status | Original: RESOLVED [ 5 ] | New: Closed [ 6 ] |
Workflow | Original: Simplified Crowd Development Workflow v2 [ 1391177 ] | New: JAC Suggestion Workflow [ 3389048 ] |
Issue Type | Original: Improvement [ 4 ] | New: Suggestion [ 10000 ] |
Workflow | Original: Crowd Development Workflow v2 [ 273523 ] | New: Simplified Crowd Development Workflow v2 [ 1391177 ] |
Workflow | Original: Feature Request Workflow [ 174481 ] | New: Crowd Development Workflow v2 [ 273523 ] |
Workflow | Original: jira [ 115179 ] | New: Feature Request Workflow [ 174481 ] |
Resolution | New: Fixed [ 1 ] | |
Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
Link | New: This issue incorporates CWD-1066 [ CWD-1066 ] |
Summary | Original: The application remote address validation should use the proxy forward addresses if available from the Apache proxy | New: Allow specification of Trusted Proxy Servers |
Fix Version/s | New: 1.4.1 [ 13928 ] | |
Fix Version/s | New: 1.5 [ 13607 ] |
Remaining Estimate | New: 0h [ 0 ] | |
Time Spent | New: 10h [ 36000 ] |