DomainAuthHelper with proxied requests

Bug #1273168 reported by Pawel Lewicki
Affects: Zope PAS

Bug Description

The DomainAuthHelper plugin is not working in a proxied environment. I suggest adding processing of the HTTP_X_FORWARDED_FOR request variable. I made a proposal in the attached patch:

- Extra property 'use_proxy' to decide if proxied requests should be processed at all. I made it True by default as I think that is the required behaviour if you add such a plugin. At least in my case I was surprised not to have it working properly in an HAProxy/Apache cluster. It may be changed to False if decided so. I added a class-level variable for backward compatibility.
- Extra tests to check if the new property is properly picked up with 'use_proxy=True' and 'use_proxy=False'.

Pawel Lewicki (lewicki-l) wrote:
Wichert Akkerman (wichert) wrote:

One thing I notice is that this patch does not parse the X-Forwarded-For header correctly. This header contains a comma-separated list of IP (IPv4 and/or IPv6) addresses, some of which can be completely bogus. If you want to use this header for anything security related you should provide a way to whitelist trusted IP addresses and only accept the last entry in the X-Forwarded-For header coming from a trusted IP address.
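The trusted-proxy handling described in the comment above (and the 'use_proxy' switch from the bug description), written out as an added example in plain Python. This is not the attached patch and not PAS or DomainAuthHelper code; TRUSTED_PROXIES, the sample addresses and the function names are assumptions made for the example.

```python
import ipaddress

# Assumption: the operator's own reverse proxies / load balancers (the HAProxy
# and Apache tier in the bug report). Addresses here are constructed placeholders.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _parse_ip(token):
    """Return an ip_address for a header token, or None if it is bogus."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_address(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES,
                   use_proxy=True):
    """Return the address a domain/IP check should use, as a string.

    With use_proxy=False (or an untrusted peer, or no header) the directly
    connected peer is returned and X-Forwarded-For is ignored entirely.
    Otherwise the comma-separated chain is walked from the right: each hop
    is accepted only while it was appended by a trusted proxy, and the first
    untrusted address is the client. Anything further left was supplied by
    an untrusted party and can be spoofed, so it is never consulted. A
    non-parseable token stops the walk at the last trustworthy hop.
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if not use_proxy or not x_forwarded_for or not _is_trusted(peer, trusted):
        return str(peer)

    current = peer
    for token in reversed(x_forwarded_for.split(",")):
        addr = _parse_ip(token)
        if addr is None:
            break  # bogus entry: do not trust anything to the left of it
        if not _is_trusted(addr, trusted):
            return str(addr)  # first hop not belonging to a trusted proxy
        current = addr  # a trusted proxy: keep walking left
    # Whole chain was trusted proxies (or it broke): fall back to the last good hop.
    return str(current)


def address_allowed(remote_addr, x_forwarded_for, allowed_networks, **kw):
    """Domain-style check: is the resolved client inside one of allowed_networks?"""
    addr = client_address(remote_addr, x_forwarded_for, **kw)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in allowed_networks)


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 -> proxy 10.1.2.3 -> proxy 192.0.2.10 -> app
    print(client_address("192.0.2.10", "203.0.113.7, 10.1.2.3"))
```

The walk is right-to-left on purpose: the rightmost entries were appended by your own proxies, while the leftmost entry is whatever the original sender chose to put there. Returning the last trusted hop on a broken chain (rather than None) keeps the plugin usable for internal-only clients, but a deployment may prefer to reject such requests outright.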
