search

Theoderich / mod-auth-token

Automatically exported from code.google.com/p/mod-auth-token
Apache License 2.0
1 stars 0 forks source link

X-FORWARDED-FOR header instead of REMOTE_HOST #37

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?

1. configure auth_token as usual with IP check enabled.

2. try to access one of the protected the pages through any proxy, with the 
token generated for client IP address.

3. you will get "unauthorized", because auth_token is only seeing proxy IP 
address, and does not check "x-forwarded-for" header from the request.

What version of the product are you using? On what operating system?
1.0.6beta on Ubuntu 12.04.1 LTS x64

Please provide any additional information below.

It would be great, if this module can be configured to use any HTTP header in 
authentication, not just "remote_host"

Original issue reported on code.google.com by v.yesa...@gmail.com on 20 Sep 2012 at 7:24

GoogleCodeExporter commented 8 years ago 
[deleted comment]
GoogleCodeExporter commented 8 years ago 
A work-around is to use the apache module rpaf (see 
http://stderr.net/apache/rpaf/), which will make sure the X-Forwarded-For IP 
address is being used as origin IP address. This works for mod_auth_token 
1.0.6beta on Ubuntu 12.04 LTS x64 with HAProxy loadbalancer.

Original comment by nji...@gmail.com on 14 Mar 2013 at 11:26