
Reverse Proxy authentication trust doesn't work as expected

Open cfstras opened this issue 1 year ago • 8 comments

I've come across two issues when looking at reverse proxy authentication:

  1. https://github.com/encode/uvicorn/issues/1068 This is mostly only an issue when f.ex. testing with localhost. As a workaround, one can use the LAN IP to access the proxy instead.

More importantly:

  2. The application server used, uvicorn, has its own logic for parsing the X-Forwarded-For header. Combined with the functionality in timetagger, this will mangle/break the list of forwarded IPs for incoming requests, potentially even trusting fake headers sent by a client! To fix this, one has to export FORWARDED_ALLOW_IPS="" to disable the uvicorn parsing. See uvicorn docs.

For reference, I'm passing

```
--proxy_auth_header="X-Forwarded-User"
--proxy_auth_trusted="127.0.0.1"
--proxy_auth_enabled=True
```

cfstras avatar Mar 20 '23 21:03 cfstras
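The following is an added illustration of the failure mode the issue describes; it is not code from timetagger or uvicorn. It models, in simplified form, two components that both interpret X-Forwarded-For: a server-level layer that rewrites the peer address to the forwarded client (as uvicorn's proxy-headers handling does when the peer is in its allow list), and an application-level check that only honours the proxy auth header when the peer is a trusted proxy. The exact parsing rules of both projects are an assumption here, so the model shows the core effect (a legitimately proxied request stops being trusted once the front layer has rewritten the peer) rather than reproducing every edge case; whether a forged header can slip through depends on those exact rules. The request values and the trusted set `{"127.0.0.1"}` are constructed to match the flags quoted above.

```python
"""Trusted-proxy resolution of X-Forwarded-For and the effect of parsing it twice.

Added example, not code from timetagger or uvicorn. The front-layer and
application-layer behaviours below are simplified models (assumptions), not
copies of either project's implementation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Request:
    peer: str                 # address of the TCP peer as the server sees it
    headers: Dict[str, str]   # header names lowercased


def resolve_client(peer: str, xff: Optional[str], trusted_proxies: Set[str]) -> str:
    """Return the real client address for a request.

    The header is only believed when the peer itself is a trusted proxy.
    The list is then walked from the right, skipping trusted proxies; the
    first untrusted hop is the client. Walking from the left would let a
    client prepend any address it likes.
    """
    if peer not in trusted_proxies or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    # Every hop was a trusted proxy: the leftmost entry is the origin.
    return hops[0] if hops else peer


def proxy_auth_user(req: Request, trusted: Set[str], header: str) -> Optional[str]:
    """Application-side check (simplified model of the app's trust rule):
    honour the proxy auth header only when the peer is a trusted proxy."""
    if req.peer in trusted:
        return req.headers.get(header.lower())
    return None


def front_layer_rewrite(req: Request, trusted: Set[str]) -> Request:
    """Simplified model of a server-level proxy-headers layer: it resolves the
    forwarded client and hands the request downstream with the peer address
    replaced by that client, so the app no longer sees the proxy's address."""
    client = resolve_client(req.peer, req.headers.get("x-forwarded-for"), trusted)
    return Request(peer=client, headers=req.headers)


TRUSTED = {"127.0.0.1"}
AUTH_HEADER = "X-Forwarded-User"

# Constructed sample requests.
# A request that really came through the reverse proxy on 127.0.0.1:
PROXIED = Request(
    peer="127.0.0.1",
    headers={"x-forwarded-for": "203.0.113.5", "x-forwarded-user": "alice"},
)
# A direct connection that bypasses the proxy and forges both headers:
DIRECT_FORGED = Request(
    peer="203.0.113.5",
    headers={"x-forwarded-for": "127.0.0.1", "x-forwarded-user": "admin"},
)


def scenario_single_layer(req: Request) -> Optional[str]:
    """Only the application interprets the headers (the front layer is
    disabled, which is what the workaround in the issue achieves)."""
    return proxy_auth_user(req, TRUSTED, AUTH_HEADER)


def scenario_double_layer(req: Request) -> Optional[str]:
    """Both layers interpret the headers: the front layer rewrites the peer
    before the application applies its own trust check."""
    return proxy_auth_user(front_layer_rewrite(req, TRUSTED), TRUSTED, AUTH_HEADER)


if __name__ == "__main__":
    for name, req in (("proxied", PROXIED), ("direct/forged", DIRECT_FORGED)):
        print(f"{name:14s} single layer -> {scenario_single_layer(req)!r}")
        print(f"{name:14s} double layer -> {scenario_double_layer(req)!r}")
```

With a single parsing layer the proxied request yields `alice` and the direct forged one yields nothing; with both layers active the legitimate proxied request is rejected as well, because the front layer has already replaced the peer with `203.0.113.5` before the app compares it against `127.0.0.1`. The deployment check that follows from this is that exactly one component in the chain may interpret X-Forwarded-For and the auth header, and that component must see the real TCP peer.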