shib71 / mod-auth-token

Automatically exported from code.google.com/p/mod-auth-token
Apache License 2.0

AuthTokenLimitByIp Fails Behind Proxy Cache #26

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Install Apache behind a squid or varnish proxy
2. Enable AuthTokenLimitByIp
3. Generate and use client token. 

Mod-Auth-Token uses the IP of the proxy server, and not that of the "real" 
client. Behind a single proxy things may appear to work, but there is no 
security provided (all clients will appear as the IP of the proxy).

Behind a proxy farm there will be random failures/successes.

If the app generating the token is not behind the same proxy as the server 
validating the token then IP validation will not work at all.

What is the expected output? What do you see instead?
The cache server should correctly set the X-Forwarded-For header. I expect 
mod-auth-token to enable the use of X-Forwarded-For header if required. It may 
be necessary to specify a list of "allowed" proxy addresses, and step through 
the X-Forwarded-For header to find the first non-allowed proxy server to use as 
the client IP.

Original issue reported on code.google.com by mich...@kennedy.ie on 25 Nov 2011 at 3:33
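
The proxy walk requested in the report above, as an added example in C (not code from mod-auth-token or mod_rpaf): the header is read from right to left, and only when the TCP peer itself is on the allowed-proxy list, so a client cannot pick its own address by sending a forged X-Forwarded-For. The function names, the exact-string proxy list (no CIDR ranges) and the fallback to the peer address when every hop is an allowed proxy are assumptions of this sketch.

```c
#include <stddef.h>
#include <string.h>

/* Exact string match against the allowed-proxy list (no CIDR ranges here). */
static int is_trusted(const char *ip, size_t len,
                      const char *const *trusted, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(trusted[i]) == len && memcmp(trusted[i], ip, len) == 0)
            return 1;
    return 0;
}

/* Copy len bytes into out as a C string; -1 if empty or too long. */
static int emit(const char *s, size_t len, char *out, size_t outlen)
{
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, s, len);
    out[len] = '\0';
    return 0;
}

/* peer: TCP peer address; xff: raw X-Forwarded-For value or NULL.
 * Writes the address to bind the token to into out; returns 0, or -1 on error. */
int resolve_client_ip(const char *peer, const char *xff,
                      const char *const *trusted, size_t n,
                      char *out, size_t outlen)
{
    /* A peer that is not an allowed proxy can forge the header: ignore it. */
    if (!xff || !is_trusted(peer, strlen(peer), trusted, n))
        return emit(peer, strlen(peer), out, outlen);

    const char *end = xff + strlen(xff);
    while (end > xff) {
        const char *start = end;            /* rightmost remaining element */
        while (start > xff && start[-1] != ',')
            start--;
        const char *s = start, *e = end;    /* trim spaces and tabs */
        while (s < e && (*s == ' ' || *s == '\t')) s++;
        while (e > s && (e[-1] == ' ' || e[-1] == '\t')) e--;
        if (e > s && !is_trusted(s, (size_t)(e - s), trusted, n))
            return emit(s, (size_t)(e - s), out, outlen);
        end = (start > xff) ? start - 1 : xff;  /* step over the comma */
    }
    /* Every listed hop is an allowed proxy (or the header is empty). */
    return emit(peer, strlen(peer), out, outlen);
}
```

The token generator and the validating server both have to resolve the address this way, otherwise the IP bound into the token and the IP checked at validation will differ.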

GoogleCodeExporter commented 8 years ago
Use http://stderr.net/apache/rpaf/

He directs the X-Forwarded-Host for Apache and translates the user's IP.

Original comment by ren...@gestorp.com.br on 31 Mar 2012 at 11:32

GoogleCodeExporter commented 8 years ago
You have to forward his IP as explained by Renato.
Closing the issue. Thanks.

Original comment by teixeira...@gmail.com on 24 May 2012 at 7:13