http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6800 Bug #: 6800 Summary: Koha authentication should handle proxies better Classification: Unclassified Change sponsored?: --- Product: Koha Version: rel_3_6 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: Authentication AssignedTo: jcamins@cpbibliography.com ReportedBy: jcamins@cpbibliography.com QAContact: koha-bugs@lists.koha-community.org CC: dpavlin@rot13.org At the moment, Koha's authentication/session feature uses the remote address for its sessions. In situations with load balancers or other proxies, the REMOTE_ADDRESS will be the proxy address rather than the client address. In order to handle proxied clients (or any clients when behind a load balancer), Koha needs to use the X-Forwarded-For header to identify the ultimate client. This problem can be seen by configuring Koha to listen on 127.0.0.1 and setting up a Squid proxy with the following configuration options on the same server: # BEGIN SQUID CONFIGURATION # The next two lines must go at the top of the squid configuration file: http_port ${PUBLIC_IP}:80 accel defaultsite=${YOUR_DOMAIN} vhost cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel # The next four lines must go AFTER the line "acl CONNECT method CONNECT acl our_sites dstdomain .${YOUR_DOMAIN} http_access allow our_sites cache_peer_access myAccel allow our_sites cache_peer_access myAccel deny all # END SQUID CONFIGURATION If you view the session log after connecting via ${PUBLIC_IP}:80, you will see an entry for 127.0.0.1. Although X-Forwarded-For can be spoofed, in situations where all clients would have the same immediate REMOTE_ADDRESS (e.g. load balancing, reverse proxy, corporate firewall), using X-Forwarded-For seems the lesser of two evils (if you're running the proxy, you can guarantee that the most recent entry in X-Forwarded-For is accurate). -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.