mguinness / IntelliCenterGateway

Gateway to Pentair IntelliCenter Control System
MIT License

Feature Request: Support no auth for local access. #4

Closed Gibby closed 4 years ago

Gibby commented 4 years ago

I have nginx with Let's Encrypt fronting all my web apps so it passes X-Forwarded headers. It would be nice if I could specify local networks in IntelliCenterGateway that do not require authentication.

mguinness commented 4 years ago

I might be able to add some middleware to automatically authenticate based on private network address. I sent you a message in TFP where we can continue discussion.

- 10.0.0.0/8 IP addresses
- 172.16.0.0/12 IP addresses
- 192.168.0.0/16 IP addresses

Gibby commented 4 years ago

I would say it should be user configurable. My ingress VLAN from NGINX is 172 from the outside so I wouldn't want that unless it is inspecting the X-Forwarded-For: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

mguinness commented 4 years ago

Yes, we can probably add a privateCIDR setting that can be set like "192.168.0.0/16" in appsettings by the user.

There is already forwarded headers middleware that takes that header value and maps it into RemoteIpAddress and is enabled by setting env var ASPNETCORE_FORWARDEDHEADERS_ENABLED to true.

My idea of using middleware to automatically authenticate didn't work with SignalR, so I'll have to look into policy-based authorization, but not sure when I'll be able to get to that.

mguinness commented 4 years ago

I was able to get it working after a while trying to figure out auth policy. You will need to add setting PrivateCIDR under Configuration section to a network in CIDR notation. If you're using nginx you'll also need to set environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED to true.

mguinness commented 4 years ago

Closed w/ commit https://github.com/mguinness/IntelliCenterGateway/commit/906bb11
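
The policy-based check discussed in this thread, sketched as an added example (it is not the code from the commit above or from the project): an authorization requirement that succeeds for a signed-in user or for a `RemoteIpAddress` inside the configured CIDR. The class names, the policy name and the registration lines in the trailing comment are hypothetical.

```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;

// Hypothetical requirement holding the network from a PrivateCIDR-style setting.
public class PrivateNetworkRequirement : IAuthorizationRequirement
{
    private readonly byte[] _prefix;
    private readonly int _bits;
    public PrivateNetworkRequirement(string cidr)   // e.g. "192.168.0.0/16"
    {
        var parts = cidr.Split('/');
        if (parts.Length != 2) throw new FormatException("Expected address/prefix-length");
        _prefix = IPAddress.Parse(parts[0]).GetAddressBytes();
        _bits = int.Parse(parts[1]);
        if (_bits < 0 || _bits > _prefix.Length * 8) throw new FormatException("Bad prefix length");
    }
    public bool Contains(IPAddress address)
    {
        if (address == null) return false;
        // A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d, so unwrap first.
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        var bytes = address.GetAddressBytes();
        if (bytes.Length != _prefix.Length) return false;   // IPv4 vs IPv6 mismatch
        for (int i = 0, left = _bits; left > 0; i++, left -= 8)
        {
            int mask = left >= 8 ? 0xFF : (0xFF << (8 - left)) & 0xFF;
            if ((bytes[i] & mask) != (_prefix[i] & mask)) return false;
        }
        return true;
    }
}

public class PrivateNetworkHandler : AuthorizationHandler<PrivateNetworkRequirement>
{
    private readonly IHttpContextAccessor _http;
    public PrivateNetworkHandler(IHttpContextAccessor http) => _http = http;
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PrivateNetworkRequirement requirement)
    {
        // After the forwarded headers middleware runs, this is the X-Forwarded-For client address.
        var remote = _http.HttpContext?.Connection.RemoteIpAddress;
        if (context.User.Identity?.IsAuthenticated == true || requirement.Contains(remote))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
// Registration (assumed): services.AddHttpContextAccessor(); services.AddSingleton<IAuthorizationHandler, PrivateNetworkHandler>();
// services.AddAuthorization(o => o.AddPolicy("LocalOrAuthenticated", p => p.AddRequirements(new PrivateNetworkRequirement(cidr))));
```

The check trusts whatever address the forwarded headers middleware produced, so the gateway port should be reachable only through the nginx proxy, and nginx should set X-Forwarded-For itself rather than pass along a client-supplied value.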