
Fixes #35527 - Include the remote IP in status

Open ekohl opened this issue 2 years ago • 4 comments

To verify everything is correctly configured for a Smart Proxy, the remote IP is useful. This is because Foreman can be configured to respect the X-Forwarded-For header from a Smart Proxy. The best way to check this is to send it from a Smart Proxy and check the response.

One possible implementation is for the Smart Proxy to send a request to /api/status with X-Forwarded-For: 192.0.2.42 as a header. Then if the remote_ip is not set to that value, there is a misconfiguration. This could be exposed on the Smart Proxy as a /verify endpoint. The registration protocol can then be enhanced to call /verify. This makes it harder to misconfigure a setup.

ekohl avatar Sep 14 '22 13:09 ekohl
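
The check described in the post above, sketched as an added example (not code from this pull request, Foreman or the Smart Proxy). The method names, the result symbols and the assumption that `/api/status` answers with a JSON object carrying a `remote_ip` key are illustrative; the `transport` callable is assumed to carry whatever credentials the Smart Proxy uses against Foreman.

```ruby
require 'json'
require 'net/http'
require 'uri'

PROBE_IP = '192.0.2.42' # probe value from the post (TEST-NET-1 documentation range)

# Build GET /api/status carrying the probe address in X-Forwarded-For.
def build_probe(foreman_url, probe_ip = PROBE_IP)
  uri = URI.join(foreman_url, '/api/status')
  req = Net::HTTP::Get.new(uri)
  req['X-Forwarded-For'] = probe_ip
  req['Accept'] = 'application/json'
  [uri, req]
end

# Map HTTP status and body to a verdict (the symbols are hypothetical names).
def classify_probe(code, body, probe_ip = PROBE_IP)
  return :unauthenticated if code.to_i == 401 # endpoint requires a user
  return :unavailable unless code.to_i == 200 # e.g. Foreman cannot reach its DB
  data = JSON.parse(body.to_s)
  # A Foreman without this change would not report the field at all.
  return :unsupported unless data.is_a?(Hash) && data.key?('remote_ip')
  # Per the post: any value other than the probe means a misconfiguration.
  data['remote_ip'] == probe_ip ? :ok : :misconfigured
rescue JSON::ParserError
  :unavailable
end

# transport: callable taking (uri, request), returning an object with #code and #body.
def verify_forwarding(foreman_url, transport)
  uri, req = build_probe(foreman_url)
  res = transport.call(uri, req)
  classify_probe(res.code, res.body)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed responses standing in for Foreman; no network is used.
  reply = Struct.new(:code, :body)
  samples = {
    'header honoured' => reply.new('200', '{"result":"ok","remote_ip":"192.0.2.42"}'),
    'header ignored'  => reply.new('200', '{"result":"ok","remote_ip":"10.0.0.5"}'),
    'no credentials'  => reply.new('401', '{"error":"unauthorized"}')
  }
  samples.each do |name, res|
    verdict = verify_forwarding('https://foreman.example.com', ->(_u, _r) { res })
    puts "#{name}: #{verdict}"
  end
end
```

A `/verify` endpoint on the Smart Proxy, as proposed in the post, could return this verdict so that registration refuses to proceed on anything other than `:ok`.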

Issues: #35527

theforeman-bot avatar Sep 14 '22 13:09 theforeman-bot

Some more thoughts I had: today I think this API may work without database access and can report if it's down. Does adding authentication break this because that needs DB access? Something to verify.

ekohl avatar Sep 15 '22 08:09 ekohl

Today, the endpoint requires user authentication, therefore it requires DB. If DB is down, it fails hard (tested).

ares avatar Nov 23 '22 10:11 ares

> Today, the endpoint requires user authentication, therefore it requires DB. If DB is down, it fails hard (tested).

You're right. I was confusing this with /status but this is /api/status.

ekohl avatar Nov 23 '22 10:11 ekohl