Closed 40417256 closed 1 week ago
Hi @40417256
to be honest, your "To reproduce" list is not clear enough: you must enhance description of each step. Here you have at least 3 peers: a client, a proxy and a glpi server and you're not clear enough at least on that point.
There is no glpi server involved only an agent Client1 (ip 1)-----------| Proxy server (ip 3)|--------------------- glpi agent (ip 4) httpd-trust = 127.0.0.1, ip 1 (ip of client1) Client2 (ip 2)-----------|
There is no refresh link because the glpi agent uses the source packet which is always the proxy ip (ip 3)
Change to httpd-trust = 127.0.0.1, ip 3 (the ip of the proxy server) then the link appears for all clients (not the desired outcome).
The code must match httpd-trust = some ip, with the one from the the header x_forwarded_for (that contains the real ip of the client) and not the source ip
Sorry, still not clear enough. I even don't understand what you're trying to do: forget one second the header problem you're speaking about and explain what you want to be able to do.
Also you're telling there's no glpi server but you spoke about a web server in the issue description. Was you speaking about glpi-agent httpd interface ?
Hello sir,
I believe, that I am on the github of the glpi-agent ? And I do not know about any other agent part of the software suite ?
Okay, I won't loose more time with this issue and irony is definitively not a good answer when maintainer requests you to clarify your purpose.
I'll be on vacation for a week. I leave you this time to open another issue with understandable information.
Bug reporting acknowledgment
Yes, I read it
Professional support
None
Describe the bug
An agent behind a proxy server will not read x_forwarded_for header. Therefore a client whitelisted is not.
To reproduce
1) glpi agent latest with httpd-trust = 127.0.0.1,10.10.20.55 (this is the client pc) 2) wireshark capture ->
https://glpi-agent.test.net/
refresh page 3) in capture there is x-forwarded-for: 10.10.20.55 source ip is the proxy ip (10.10.20.1) of course 4) on the agent web page, there is no Force an inventory link 5) modify httpd-trust = 127.0.0.1,10.10.20.1 (ip of the proxy) 6) refresh page, Force an inventory link is present however any client can now force an inventoryExpected behavior
The expected behaviour is for the web server to read x_forwarded_for header from the http request when present and honour httpd-trust with the x_forwarded_for ip address rather than the source address.
Operating system
Linux
GLPI Agent version
v1.11
GLPI version
10.0.16
GLPIInventory plugin or other plugin version
Not applicable
Additional context
No response