tempurl ip restriction doesn't work behind proxy
Bug #1843577 reported by Pawel Dudczak
This bug affects 6 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | New | Undecided | Unassigned |
Bug Description
I generate a temporary url to get objects from swift container with restriction per ip address, and when I try to get the object I get the message:
"401 Unauthorized: Temp URL invalid".
In the swift code the ip address variable is taken from the "REMOTE_ADDR" environment variable, not from the http request header:
in file: swift/common/
client_address = env.get('REMOTE_ADDR')
It would be good if the client's address were taken from the real client's address (forwarded by X-Forwarded-For header etc.) and not the server's proxy; without that the per ip address restrictions don't work.
I remember that there was a version of the patch that respected X-Forwarded-For, but I was worried about clients adding the header themselves and bypassing the IP restriction. Maybe it'd be ok as an opt-in config option to look at X-Forwarded-For/Forwarded headers, though? If an operator *knows* they only have swift binding to localhost while haproxy/apache/whatever-else has the publicly-accessible port, I suppose it seems safe enough...
What proxy do you have fronting swift? Does it support haproxy's PROXY protocol? I've had pretty good luck with https://github.com/openstack/swift/commit/661838d since we introduced it, and the either-or nature of it seems less risky (to me) than looking for a header which either
* isn't present at all, to-the-cluster load-balancer or such, or
* is present and was sent by an internal-
* is present and was sent by a client.
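The opt-in approach discussed in this thread, sketched as an added example that is not Swift's code and not part of any comment above: X-Forwarded-For is read only when the TCP peer (`REMOTE_ADDR`) is a proxy the operator has listed, so a client-supplied header cannot bypass the IP restriction. The function name `resolve_client_address` and the `trusted_proxies` setting are hypothetical.

```python
import ipaddress


def resolve_client_address(env, trusted_proxies=()):
    """Return the address to check against a temp URL's IP restriction.

    env is a WSGI environ. trusted_proxies is a hypothetical opt-in
    setting (not a Swift option): networks of the operator's own proxies.
    With the default empty tuple this returns REMOTE_ADDR.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in nets)

    peer = env.get('REMOTE_ADDR', '')
    # A peer that is not one of our proxies talks to us directly, so any
    # X-Forwarded-For it sends is client-controlled and must be ignored.
    if not is_trusted(peer):
        return peer

    header = env.get('HTTP_X_FORWARDED_FOR', '')
    hops = [h.strip() for h in header.split(',') if h.strip()]
    # Each proxy appends the peer it saw, so walk right to left and stop
    # at the first hop that is not ours. Entries further left may have
    # been written by the client and are never consulted.
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer  # malformed entry: fall back to the peer
    return peer  # header absent, or it names only our own proxies
```
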