http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6800
Jared Camins-Esakov <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #5185|0                           |1
       is obsolete|                            |

--- Comment #4 from Jared Camins-Esakov <[email protected]> 2011-12-11 00:29:19 UTC ---
Created attachment 6703
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6703
Bug 6800: Handle X-Forwarded-For headers

Previously Koha always used the remote address for its sessions. This is a problem where a sizable percentage of sessions are being routed through the same proxy (for example, in the case of load balancers or reverse proxies, or even a corporate proxy). This commit adds support for pulling the client's IP address out of the X-Forwarded-For HTTP header, so that sessions will be keyed to the client and not the proxy.

Although X-Forwarded-For can be spoofed, in situations where all clients would have the same immediate REMOTE_ADDRESS (e.g. load balancing, reverse proxy, corporate firewall), using X-Forwarded-For seems the lesser of two evils (if you're running the proxy, you can guarantee that the most recent entry in X-Forwarded-For is accurate, hence the behavior when the syspref is set to require a routable IP).

=== SYSPREFS ===

This commit adds the syspref HandleXForwardedFor with the following options:

* Always use the address of the machine connecting to Koha as the client IP for authenticated sessions. This is appropriate for configurations with no reverse proxy or load balancer, and is exactly the same as the previous behavior.

* Always use the address of the machine with the web browser as the client IP for authenticated sessions. This is appropriate for configurations that are contained entirely within a LAN, and therefore non-routable IPs can be mapped to specific computers.

* Use the first routable address or the address of the last hop before the proxy as the client IP for authenticated sessions. This is appropriate for configurations that include a reverse proxy or load balancer exposed via the public Internet. Anyone connecting through an additional proxy will have their session linked to that proxy's IP.

=== API CHANGES ===

This commit adds the get_clientip method to C4::Auth to handle identification of the client IP:

    my $clientip = get_clientip($remote_addr, $forwarded_for, $require_routable);

Parses the remote IP address (passed to the function in $remote_addr), the X-Forwarded-For header (passed to the function in $forwarded_for), and retrieves the IP address of the client, returning a string representation of the IP address.

If $require_routable is set to "first", this function will always return the most-distant IP address. If $require_routable is set to "routable", this function will choose the first routable IP address in the list of relays, or the address immediately before the closest proxy. If $require_routable is set to "ignore", this function will always return the most recent hop (i.e. the remote address). "Ignore" is the default, if $require_routable is not set.

=== TESTING INSTRUCTIONS ===

The problem with the current configuration in Koha can be seen by configuring Koha to listen on 127.0.0.1 and setting up a Squid proxy with the following configuration options on the same server:

    # BEGIN SQUID CONFIGURATION
    # The next two lines must go at the top of the squid configuration file:
    http_port ${PUBLIC_IP}:80 accel defaultsite=${YOUR_DOMAIN} vhost
    cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel

    # The next four lines must go AFTER the line "acl CONNECT method CONNECT"
    acl our_sites dstdomain .${YOUR_DOMAIN}
    http_access allow our_sites
    cache_peer_access myAccel allow our_sites
    cache_peer_access myAccel deny all
    # END SQUID CONFIGURATION

If you view the session log after connecting via ${PUBLIC_IP}:80, you will see an entry for 127.0.0.1. This is the default behavior after this patch is applied as well, but by changing the syspref HandleXForwardedFor to "Always use the address of the originating machine," you can ensure that the IP that shows up will always be the IP address of the machine with the web browser, or by setting the syspref to "Use the first routable address or address of last hop before proxy," you can ensure that the IP will always be either the first routable address or the address of the system connecting to the reverse proxy. On a LAN, the difference between those two options can be tested by daisy-chaining a second squid proxy to the first, and connecting through that.

In addition to these steps for testing, several tests have been added to confirm that C4::Auth::get_clientip correctly handles valid input.

_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
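As an added illustration, not Koha's own Perl code from the attachment above, the following Python reimplements the three HandleXForwardedFor modes exactly as the API description states them ("first", "routable", "ignore"), and runs them over a constructed set of scenarios that mirror the Squid setup in the testing instructions (Koha on 127.0.0.1 behind a proxy on the same host, a LAN client, a public client, a client behind a corporate proxy, and two daisy-chained LAN proxies). Two things are assumptions of this example rather than statements on the page: the walk direction for "routable" (from the hop nearest the proxy back toward the browser, inferred from "the most recent entry in X-Forwarded-For is accurate" and "session linked to that proxy's IP"), and the set of ranges treated as non-routable. Header entries that do not parse as IP addresses are dropped, which the page does not specify either; X-Forwarded-For is client-supplied, so a session-keying routine should never trust that every entry is an address.

```python
"""Client-IP selection in the spirit of C4::Auth::get_clientip (Koha bug 6800).

Added example in Python; the project's code is Perl and is not reproduced here.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# ASSUMPTION of this example: which ranges count as "non-routable".  The page
# does not list them.  RFC 5737 documentation ranges (192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24) are deliberately NOT listed so they can
# stand in for public addresses in the constructed scenarios below.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
    "0.0.0.0/8",                                       # "this" network
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def is_routable(addr: str) -> bool:
    """True unless addr falls in one of the NON_ROUTABLE ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def parse_forwarded_for(header: Optional[str]) -> List[str]:
    """Split X-Forwarded-For into hops, most distant (the browser) first.

    Tokens that do not parse as IP addresses are dropped (an addition of this
    example): the header is client-controlled and may carry arbitrary text.
    """
    hops: List[str] = []
    for token in (header or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            ipaddress.ip_address(token)
        except ValueError:
            continue
        hops.append(token)
    return hops


def get_clientip(remote_addr: str, forwarded_for: Optional[str],
                 require_routable: Optional[str] = None) -> str:
    """Return the address a session should be keyed to.

    "ignore"  : always the remote address (the default, as in the page).
    "first"   : the most distant hop in X-Forwarded-For.
    "routable": the first routable hop, walking from the hop nearest the
                proxy back toward the browser; if none is routable, the
                hop immediately before the proxy.
    With no usable X-Forwarded-For entries every mode yields remote_addr.
    """
    mode = (require_routable or "ignore").lower()
    hops = parse_forwarded_for(forwarded_for)

    if mode == "ignore" or not hops:
        return remote_addr
    if mode == "first":
        return hops[0]
    if mode == "routable":
        for hop in reversed(hops):          # nearest-to-proxy first (assumed direction)
            if is_routable(hop):
                return hop
        return hops[-1]                     # last hop before the proxy
    raise ValueError(f"unknown HandleXForwardedFor mode: {require_routable!r}")


# Constructed scenarios: (REMOTE_ADDR as Koha sees it, X-Forwarded-For header).
# Koha listens on 127.0.0.1 behind a proxy on the same host, as in the
# testing instructions, except for the first row.
SCENARIOS: Dict[str, Tuple[str, Optional[str]]] = {
    "no proxy, public client":           ("203.0.113.7", None),
    "same-host proxy, LAN client":       ("127.0.0.1", "192.168.1.20"),
    "same-host proxy, public client":    ("127.0.0.1", "203.0.113.7"),
    "public client via corporate proxy": ("127.0.0.1", "203.0.113.7, 198.51.100.9"),
    "daisy-chained LAN proxies":         ("127.0.0.1", "192.168.1.20, 192.168.1.1"),
}


def describe(mode: Optional[str]) -> Dict[str, str]:
    """Session address for every scenario under one HandleXForwardedFor mode."""
    return {name: get_clientip(r, f, mode) for name, (r, f) in SCENARIOS.items()}


if __name__ == "__main__":
    for mode in (None, "first", "routable"):
        print(f"--- mode={mode or 'ignore (default)'}")
        for name, ip in describe(mode).items():
            print(f"{name:36s} -> {ip}")
```

Running it shows the effect the testing instructions describe: with the default mode every proxied scenario keys the session to 127.0.0.1; "first" always picks the browser's address, including the non-routable LAN one; "routable" picks the corporate proxy (198.51.100.9) rather than the client behind it, and falls back to 192.168.1.1 for the daisy-chained LAN case.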
