Forward X-Headers (Trust Proxy) option

[satybald]

We're running turnilo behind OAuth proxy and want to enable basic authorization control on druid broker server based on X-Forwarded-user header with Turnilo. I found there's a setting trustPoxy, however, as it based on express.js [1] it doesn't do the trick [2].

Is there a way how to pass X-Forward-User/X-Forward-email headers? Any advice is highly appreciated.

Related to: https://github.com/allegro/turnilo/issues/88

Sources:

[1] https://github.com/allegro/turnilo/blob/master/src/server/app.ts#L65 [2] https://expressjs.com/en/guide/behind-proxies.html

[satybald]

I guess it will be really cool if Turnilo can trust all X-Forward* headers if it's behind a proxy and pass forward to the druid. cc: @mkuthan @adrianmroz

[adrianmroz]

Hey! I see your request but sadly I'm not well versed with express to help.

[satybald]

would you agree with the approach that if turnilo is behind a proxy it should trust all X-Forward headers and Authorization header? @adrianmroz

[satybald]

before jumping to any implementation, just want to understand what does core contributors think about the approach.

[mkuthan]

Before jumping to further discussion it would be better to check plywood and plywood-druid-requester - Turnilo could forward anything but if the underlying libraries do not support additional headers it won't help anyway.