allegro / turnilo

Business intelligence, data exploration and visualization web application for Druid, formerly known as Swiv and Pivot
https://allegro.github.io/turnilo/
Apache License 2.0

Forward X-Headers (Trust Proxy) option #318

Open satybald opened 5 years ago

satybald commented 5 years ago

We're running Turnilo behind an OAuth proxy and want to enable basic authorization control on the Druid broker server based on the X-Forwarded-user header with Turnilo. I found there's a setting, trustProxy; however, as it is based on express.js [1], it doesn't do the trick [2].

Is there a way to pass the X-Forward-User/X-Forward-email headers? Any advice is highly appreciated.

Related to: https://github.com/allegro/turnilo/issues/88

Sources:

[1] https://github.com/allegro/turnilo/blob/master/src/server/app.ts#L65

[2] https://expressjs.com/en/guide/behind-proxies.html

satybald commented 5 years ago

I guess it would be really cool if Turnilo could trust all X-Forward* headers if it's behind a proxy and pass them forward to Druid. cc: @mkuthan @adrianmroz

adrianmroz commented 5 years ago

Hey! I see your request but sadly I'm not well versed with express to help.

satybald commented 5 years ago

Would you agree with the approach that if Turnilo is behind a proxy, it should trust all X-Forward headers and the Authorization header? @adrianmroz

satybald commented 5 years ago

Before jumping to any implementation, just want to understand what the core contributors think about the approach.

mkuthan commented 5 years ago

Before jumping to further discussion it would be better to check plywood and plywood-druid-requester - Turnilo could forward anything but if the underlying libraries do not support additional headers it won't help anyway.
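
Added example, not part of the thread or of Turnilo's code: one way to scope the proposal discussed above, so that identity headers are forwarded towards Druid only when the TCP peer is the OAuth proxy and only from an explicit allowlist. The function names, the header names (`x-forwarded-user`, `x-forwarded-email`) and the proxy address are assumptions.

```javascript
// Added example: hypothetical helper, not a Turnilo, plywood or Express API.
// Header names are assumed; use the ones your OAuth proxy actually sets.
const IDENTITY_HEADERS = ["x-forwarded-user", "x-forwarded-email"];

// Dual-stack sockets report IPv4 peers as "::ffff:a.b.c.d"; compare the bare form.
function normalizePeer(address) {
  return String(address || "").toLowerCase().replace(/^::ffff:/, "");
}

// A usable identity value is one non-empty token. Node joins repeated
// non-standard headers with ", ", so a comma means the value is ambiguous.
function isSingleValue(value) {
  return typeof value === "string" && /^[^\s,]+$/.test(value);
}

// peerAddress: req.socket.remoteAddress (the TCP peer, not a header-derived IP).
// headers: req.headers (Node lowercases the names).
// trustedProxies: Set of addresses the OAuth proxy connects from.
function identityHeadersForDruid(peerAddress, headers, trustedProxies) {
  const forwarded = {};
  if (!trustedProxies.has(normalizePeer(peerAddress))) {
    return forwarded; // not from the proxy: client-supplied identity is dropped
  }
  for (const name of IDENTITY_HEADERS) {
    if (isSingleValue(headers[name])) forwarded[name] = headers[name];
  }
  return forwarded;
}

// Constructed sample requests (addresses and users are made up).
const proxies = new Set(["10.0.0.5"]);
const viaProxy = {
  "x-forwarded-user": "alice",
  "x-forwarded-email": "alice@example.com",
  "x-forwarded-for": "203.0.113.9", // not on the allowlist, so not forwarded
};
const spoofed = { "x-forwarded-user": "admin" };
const duplicated = { "x-forwarded-user": "alice, admin" };

console.log(identityHeadersForDruid("::ffff:10.0.0.5", viaProxy, proxies));
console.log(identityHeadersForDruid("198.51.100.7", spoofed, proxies));
console.log(identityHeadersForDruid("10.0.0.5", duplicated, proxies));
```

Attaching the returned headers to the Druid query still depends on the requester library accepting extra headers, as the last comment points out.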