DomainAuthHelper with proxied requests

Bug #1273168 reported by Pawel Lewicki
This bug affects 1 person
Affects: Zope PAS
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

The DomainAuthHelper plugin is not working in a proxied environment. I suggest adding processing of the HTTP_X_FORWARDED_FOR request variable. I made a proposal in the attached patch:

- Extra property 'use_proxy' to decide if proxied requests should be processed at all. I made it True by default as I think that is the required behaviour if you add such a plugin. At least in my case I was surprised not to have it working properly in an HAProxy/Apache cluster. It may be changed to False if decided so. I added a class-level variable for backward compatibility.
- Extra tests to check if the new property is properly picked up if 'use_proxy=True' and 'use_proxy=False'.

Pawel Lewicki (lewicki-l) wrote :
Wichert Akkerman (wichert) wrote :

One thing I notice is that this patch does not parse the X-Forwarded-For header correctly. This header contains a comma-separated list of IP (IPv4 and/or IPv6) addresses, some of which can be completely bogus. If you want to use this header for anything security related you should provide a way to whitelist trusted IP addresses and only accept the last entry in the X-Forwarded-For header coming from a trusted IP address.
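
The parsing rule described in the comment above, as an added example that is not part of the bug report, the attached patch, or PAS itself. It generalises the rule to several chained trusted proxies by walking the header right to left; the function name `client_address`, its parameters, and the sample addresses are hypothetical.

```python
import ipaddress


def client_address(remote_addr, xff_header, trusted_proxies):
    """Return the address to match domain rules against, or None.

    remote_addr      -- peer address of the TCP connection (e.g. REMOTE_ADDR)
    xff_header       -- raw HTTP_X_FORWARDED_FOR value, may be None or empty
    trusted_proxies  -- CIDR strings for proxies allowed to vouch for clients
    """
    trusted = [ipaddress.ip_network(cidr) for cidr in trusted_proxies]

    def is_trusted(addr):
        return any(addr.version == net.version and addr in net for net in trusted)

    try:
        current = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return None
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    # Each entry was appended by the hop to its right, so walk right to left
    # and only step to an entry while the hop that wrote it is trusted.
    while entries and is_trusted(current):
        try:
            current = ipaddress.ip_address(entries.pop())
        except ValueError:
            return None  # bogus entry: refuse rather than guess
    return str(current)


if __name__ == "__main__":
    # Constructed sample requests (documentation address ranges).
    proxies = ["10.0.0.0/24"]
    for peer, header in [
        ("10.0.0.5", "203.0.113.7, 198.51.100.23"),  # leftmost is client-supplied
        ("198.51.100.23", "10.1.1.1"),               # direct hit, header ignored
        ("10.0.0.5", "198.51.100.23, unknown"),      # malformed entry
    ]:
        print(peer, repr(header), "->", client_address(peer, header, proxies))
```

A `None` result means the client address could not be established, and a caller should treat it as no domain match.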
