bryanlittlefield / TUGBOAT

The straight to code approach for dev environments
GNU General Public License v3.0
6 stars 5 forks source link

Proxy serves different REMOTE_ADDR for visitors, need to checkout for X-Forwarded-For when applicable. #63

Open ninasarabia opened 6 years ago

ninasarabia commented 6 years ago

When using HAProxy, the server var REMOTE_ADDR outputs as the DO droplet IP so IPs cannot be whitelisted on HAProxy enabled droplets. The apache definition done for htpasswd would need to check X-Forwarded-For for the correct visitor IP.

Below was a revision that worked for me (with ${WHITELIST_IP} hardcoded during my testing). From what I can see, you're doing some sed replacement in TUGBOAT-php, so that would need to be accounted for here.

Order deny,allow
Deny from all
SetEnvIF X-Forwarded-For "${WHITELIST_IP}" AllowIP
<RequireAny>
        Require env AllowIP
</RequireAny>
AllowOverride All
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Allow from env=AllowIP
Allow from ${WHITELIST_IP}
Satisfy Any