timetagger
Reverse Proxy authentication trust doesn't work as expected
I've come across two issues when looking at reverse proxy authentication:
- https://github.com/encode/uvicorn/issues/1068 This is mostly only an issue when f.ex. testing with localhost. As a workaround, one can use the LAN IP to access the proxy instead.
More importantly:
- The application server used, uvicorn, has its own logic for parsing the X-Forwarded-For header. Combined with the functionality in timetagger, this will mangle/break the list of forwarded IPs for incoming requests, potentially even trusting fake headers sent by a client! To fix this, one has to export FORWARDED_ALLOW_IPS="" to disable the uvicorn parsing. See uvicorn docs.
For reference, I'm passing
--proxy_auth_header="X-Forwarded-User"
--proxy_auth_trusted="127.0.0.1"
--proxy_auth_enabled=True
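The two failure modes described in this issue (a legitimate proxied login being refused, and a client-supplied header being trusted) can be reproduced with a small model. This is an added example, not timetagger's or uvicorn's own code: `leftmost_rewrite` is an assumed, simplified model of an extra parsing layer in front of the app, and the addresses and headers are constructed.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

def is_trusted(ip: str, trusted: Iterable[str]) -> bool:
    """True if ip lies inside one of the trusted proxy addresses or networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)

def resolve_client_ip(peer_ip: str, xff: Optional[str], trusted: Iterable[str]) -> str:
    """Walk X-Forwarded-For right to left; the first untrusted hop is the client.
    A header sent by an untrusted peer is ignored entirely."""
    if not xff or not is_trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0] if hops else peer_ip  # every listed hop is a known proxy

def leftmost_rewrite(peer_ip: str, headers: Dict[str, str]) -> str:
    """ASSUMED model of a second parsing layer in front of the app that replaces
    the peer address with the leftmost X-Forwarded-For entry. Illustration only,
    not a statement of uvicorn's exact algorithm."""
    first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    return first or peer_ip

def app_decision(peer_ip: str, headers: Dict[str, str], trusted: Iterable[str],
                 extra_layer: bool) -> Tuple[str, Optional[str]]:
    """What the app concludes: (client address, user taken from X-Forwarded-User).
    The user header is honoured only when the direct peer is a trusted proxy,
    which is the check behind --proxy_auth_trusted."""
    if extra_layer:
        peer_ip = leftmost_rewrite(peer_ip, headers)
    client = resolve_client_ip(peer_ip, headers.get("X-Forwarded-For"), trusted)
    user = headers.get("X-Forwarded-User") if is_trusted(peer_ip, trusted) else None
    return client, user

TRUSTED = ["127.0.0.1"]
# Constructed requests. VIA_PROXY: the proxy on 127.0.0.1 forwards a request from
# 203.0.113.7. DIRECT: 203.0.113.7 reaches the app port itself and sets both headers.
VIA_PROXY = {"X-Forwarded-For": "203.0.113.7", "X-Forwarded-User": "alice"}
DIRECT = {"X-Forwarded-For": "127.0.0.1", "X-Forwarded-User": "alice"}

if __name__ == "__main__":
    for layer in (False, True):
        print("extra layer" if layer else "single layer",
              app_decision("127.0.0.1", VIA_PROXY, TRUSTED, layer),
              app_decision("203.0.113.7", DIRECT, TRUSTED, layer))
```

With a single parsing layer the proxied user is accepted and the direct request gets no user; with the extra layer the proxied login is refused (peer no longer looks like the proxy) while the direct request's forged header is trusted, which is why only one layer should parse the header.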