Bug 537784
| Summary: | Use X-Forwarded-For instead of REMOTE_ADDR for trusted proxies | | |
|---|---|---|---|
| Product: | [Community] Bugzilla | Reporter: | Noura El hawary <nelhawar> |
| Component: | Bugzilla General | Assignee: | Noura El hawary <nelhawar> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 3.4 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-11-17 09:31:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 509100 | | |
| Attachments: | | | |
Created attachment 369693 [details]
v1 patch to use X-forwarded-for instead of remote_addr for trusted proxies
Hey Dave,
I have applied the upstream patch to our 3.4 branch and removed our similar code from Bugzilla.pm init_page. Also, for the new parameter 'inbound_proxies' included in the upstream patch in the new advanced parameter page, I have added it to our required_settings parameters page, as the upstream patch for the new advanced parameter page is still under review and marked for the 3.6 release. I applied the patch to bz-web1 but couldn't test it there as bz-web1 is not working at the moment, but tested it in my localhost Bugzilla along with the brute password patch and it seems to be working well.
Thanks,
Noura
Comment on attachment 369693 [details]
v1 patch to use X-forwarded-for instead of remote_addr for trusted proxies
I already reviewed this upstream as well for Max so I am review+ here now as well.
Thanks Dave, patch committed
Noura
It's a somewhat-common situation that people have their Bugzilla behind some sort of proxy that does something (caching, SSL, etc.) with incoming traffic. Unfortunately, this breaks $ENV{REMOTE_ADDR}, because all traffic seems to be coming from the proxy. We need a parameter (for the Advanced section) that allows admins to specify the IP of their proxy, and then if traffic comes from that proxy, we trust the X-Forwarded-For header instead of the REMOTE_ADDR.
dkl's comment on Red Hat Bugzilla: We currently have a hack in Bugzilla.pm in init_page() that does something similar, which will need to be removed as well since we will now use the upstream method.
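The trust rule described in the report above, as an added Perl example that is not Bugzilla's code or the attached patch: X-Forwarded-For is honoured only when REMOTE_ADDR is a configured proxy. It goes one step beyond the report by reading a multi-hop header right to left. `client_ip` and the sample addresses are hypothetical, and `inbound_proxies` is modelled as a plain list of exact-match IPs.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# $remote_addr: TCP peer (REMOTE_ADDR); $xff: raw X-Forwarded-For value;
# $proxies: array ref of trusted proxy IPs, standing in for the
# 'inbound_proxies' parameter (exact-match strings are an assumption).
sub client_ip {
    my ($remote_addr, $xff, $proxies) = @_;
    my %trusted = map { $_ => 1 } @$proxies;

    # Peer is not one of our proxies: anyone can send this header, ignore it.
    return $remote_addr unless $trusted{$remote_addr};
    return $remote_addr unless defined $xff && $xff =~ /\S/;

    (my $list = $xff) =~ s/^\s+|\s+$//g;
    # Each proxy appends the peer it saw, so read right to left and stop
    # at the first hop that is not a trusted proxy.
    for my $hop (reverse split /\s*,\s*/, $list) {
        # Loose character check only; a malformed entry falls back to the peer.
        return $remote_addr unless $hop =~ /^[0-9A-Fa-f:.]{2,45}$/;
        return $hop unless $trusted{$hop};
    }
    return $remote_addr;    # header named only our own proxies
}

# Constructed sample requests (documentation address ranges).
my @proxies = ('192.0.2.10');
my @cases = (
    ['direct, forged header', '203.0.113.7', '198.51.100.23'],
    ['via proxy',             '192.0.2.10',  '203.0.113.7'],
    ['via proxy, forged hop', '192.0.2.10',  '198.51.100.23, 203.0.113.7'],
    ['via proxy, no header',  '192.0.2.10',  undef],
);
for my $c (@cases) {
    my ($label, $peer, $xff) = @$c;
    printf "%-24s -> %s\n", $label, client_ip($peer, $xff, \@proxies);
}
```

The third case is the one that matters for IP-based controls such as login throttling: a client behind the proxy can prepend any address to the header, so only the entry the trusted proxy itself appended is used.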