Endpoint security behind a proxy

King, Robert
Apr 9, 2021, 12:55:59 PM
to cas-...@apereo.org

Is there a way to use x-forwarded-for when attempting actuator/endpoint security?

Our current implementation uses IP_ADDRESS, but having moved behind an Apache proxy everything gets access to the endpoints since all access seems to come from the proxy server IP.

cas.monitor.endpoints.endpoint.defaults.access=IP_ADDRESS
cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=<regex of local IPs>

Is there a way to switch to x-forwarded-for IPs?

King, Robert
Apr 19, 2021, 8:09:19 AM
to cas-...@apereo.org

Just in case anyone else runs into this...

Only tested for our specific use case, running your own Tomcat server version 9.x instead of using the embedded one.

The issue ended up being Tomcat requires a remote IP valve to handle client IPs behind a proxy. Added the following valve to the tomcat server.xml configuration:

<Host name="your.domain.org" ...>
  <!-- RemoteIpValve replaces the request's remote address with the client
       address taken from X-Forwarded-For (its default remoteIpHeader), but
       only for requests whose peer address matches internalProxies, a regex.
       Keep internalProxies limited to the proxy's own address(es). -->
  <Valve className="org.apache.catalina.valves.RemoteIpValve"
         internalProxies="<proxy server ips>" />
  ...
</Host>

Reference here:

http://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2dbe3e891e8d46da896568c80e1f1f2d%40mun.ca.
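To make the behaviour of the fix concrete, here is an added walk-through in Python (example code written for this page, not part of the thread, of CAS or of Tomcat). It models RemoteIpValve's right-to-left handling of X-Forwarded-For and the IP_ADDRESS endpoint rule, then runs the situations discussed above: no valve, a legitimate admin behind the proxy, an outsider behind the proxy, a forged header sent through the proxy or directly to Tomcat, and an over-broad internalProxies regex. All addresses (the proxy at 192.0.2.5, the "local" range 192.0.2.0/24, and the other hosts) and the patterns are constructed; the CAS rule is modelled as a full regex match of the resolved client address against requiredIpAddresses, and the valve's trustedProxies attribute is left out of the model.

```python
import re
from typing import Optional

# Constructed addresses for the walk-through (not from the thread):
#   192.0.2.0/24   the organisation's "local" range, where the Apache proxy also lives
#   192.0.2.5      the Apache reverse proxy in front of Tomcat
#   192.0.2.40     an administrator's workstation
#   203.0.113.9    an external client
#   10.0.200.7     an internal host that can reach Tomcat's connector directly
PROXY_ADDR = "192.0.2.5"

# Model of cas.monitor.endpoints.endpoint.defaults.requiredIpAddresses=<regex of local IPs>.
# The proxy itself matches this pattern, which is why every proxied request was
# accepted before the valve was added.
REQUIRED_IP_ADDRESSES = re.compile(r"192\.0\.2\.\d{1,3}")

# Models of the RemoteIpValve internalProxies attribute (a regex, full-match semantics).
TIGHT_INTERNAL_PROXIES = re.compile(r"192\.0\.2\.5")
# A deliberately over-broad value: the proxy plus an entire private /8.
BROAD_INTERNAL_PROXIES = re.compile(r"192\.0\.2\.5|10\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def resolve_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                      internal_proxies: re.Pattern) -> str:
    """Simplified model of what RemoteIpValve does to request.getRemoteAddr().

    The X-Forwarded-For header is only honoured when the TCP peer (remote_addr)
    matches internalProxies. The header is then walked right to left: hops that
    are themselves internal proxies are discarded and the first remaining hop is
    reported as the client address. If every hop was a proxy, the peer address
    is kept. (trustedProxies is omitted from this model; it is an assumption
    that nothing else in the chain needs it.)
    """
    if not internal_proxies.fullmatch(remote_addr):
        return remote_addr            # not from a proxy we trust: ignore the header
    if not x_forwarded_for:
        return remote_addr            # trusted proxy but no header: nothing to unwind
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if internal_proxies.fullmatch(hop):
            continue                  # another proxy we trust; keep unwinding
        return hop                    # first address not owned by us: the client
    return remote_addr


def endpoint_allowed(client_ip: str) -> bool:
    """Model of the IP_ADDRESS access rule: the resolved client address must
    fully match requiredIpAddresses (regex semantics are assumed here)."""
    return REQUIRED_IP_ADDRESSES.fullmatch(client_ip) is not None


def scenarios() -> dict:
    """Walk through the thread's situation and two misconfigurations."""
    tight, broad = TIGHT_INTERNAL_PROXIES, BROAD_INTERNAL_PROXIES
    return {
        # No valve: Tomcat sees only the proxy's address, which is "local", so
        # every request, whoever sent it, is let in. This is the original report.
        "no_valve_external_client": endpoint_allowed(PROXY_ADDR),
        # Valve in place, admin browses through the proxy.
        "admin_via_proxy": endpoint_allowed(
            resolve_client_ip(PROXY_ADDR, "192.0.2.40", tight)),
        # External client through the proxy: the proxy appends the real address.
        "external_via_proxy": endpoint_allowed(
            resolve_client_ip(PROXY_ADDR, "203.0.113.9", tight)),
        # External client sends a forged header; the proxy appends the real
        # address after it, and the right-to-left walk finds the real one.
        "forged_header_via_proxy": endpoint_allowed(
            resolve_client_ip(PROXY_ADDR, "192.0.2.40, 203.0.113.9", tight)),
        # External client reaches Tomcat directly with a forged header; the peer
        # is not an internal proxy, so the header is ignored.
        "forged_header_direct": endpoint_allowed(
            resolve_client_ip("203.0.113.9", "192.0.2.40", tight)),
        # Over-broad internalProxies: an internal host that can reach Tomcat's
        # connector directly now counts as a proxy, and its forged header wins.
        "forged_header_direct_broad_regex": endpoint_allowed(
            resolve_client_ip("10.0.200.7", "192.0.2.40", broad)),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:36s} {'ALLOWED' if allowed else 'denied'}")
```

The last scenario is the caveat a practitioner wants: the valve only protects the IP_ADDRESS rule when internalProxies names nothing but the proxy and when Tomcat's connector is not reachable except through that proxy (bind it to the proxy-facing interface or firewall it). Apache's mod_proxy appends the connecting client's address to any X-Forwarded-For it receives rather than replacing it, which is why the valve walks the header from the right and why a forged header sent through the proxy does not help the attacker.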
