[Koha-bugs] [Bug 6800] New: Koha authentication should handle proxies better

bugzilla-daemon at bugs.koha-community.org
Sat Aug 27 16:23:09 CEST 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6800

             Bug #: 6800
           Summary: Koha authentication should handle proxies better
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: rel_3_6
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Authentication
        AssignedTo: jcamins at cpbibliography.com
        ReportedBy: jcamins at cpbibliography.com
         QAContact: koha-bugs at lists.koha-community.org
                CC: dpavlin at rot13.org


At the moment, Koha's authentication/session feature uses the remote address
for its sessions. In situations with load balancers or other proxies, the
REMOTE_ADDRESS will be the proxy address rather than the client address. In
order to handle proxied clients (or any clients when behind a load balancer),
Koha needs to use the X-Forwarded-For header to identify the ultimate client.
This problem can be seen by configuring Koha to listen on 127.0.0.1 and setting
up a Squid proxy with the following configuration options on the same server:

# BEGIN SQUID CONFIGURATION
# The next two lines must go at the top of the squid configuration file:
http_port ${PUBLIC_IP}:80 accel defaultsite=${YOUR_DOMAIN} vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel

# The next four lines must go AFTER the line "acl CONNECT method CONNECT"
acl our_sites dstdomain .${YOUR_DOMAIN}
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
# END SQUID CONFIGURATION

If you view the session log after connecting via ${PUBLIC_IP}:80, you will see
an entry for 127.0.0.1. Although X-Forwarded-For can be spoofed, in situations
where all clients would have the same immediate REMOTE_ADDRESS (e.g. load
balancing, reverse proxy, corporate firewall), using X-Forwarded-For seems the
lesser of two evils (if you're running the proxy, you can guarantee that the
most recent entry in X-Forwarded-For is accurate).

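The trust rule the report sketches (walk X-Forwarded-For from the right, discard only the hops you know are your own proxies, and never believe the header at all when the direct peer is not one of them) as an added example. This is illustration code written for this page, not Koha's C4::Auth or anything from the bug; the trusted-proxy list, the `client_ip` function and all addresses are constructed for the example, and the default trusted set matches the report's layout where Squid runs on the same host as Koha and every request arrives from 127.0.0.1.

```python
"""Derive the client address behind a trusted reverse proxy (added example)."""
import ipaddress

# Assumption for this example: the only proxy we trust is the Squid accelerator
# from the report, which runs on the same host as Koha, so REMOTE_ADDR is
# always 127.0.0.1 and the real client is the entry Squid appended to XFF.
TRUSTED_PROXIES = frozenset({"127.0.0.1"})


def client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Return the address a session should be bound to.

    The hop chain is [XFF entries..., REMOTE_ADDR], read from the right (the
    hop nearest to us). Every hop that is one of our own proxies is stepped
    over, because that proxy itself appended the entry to its left. The first
    hop that is not one of our proxies is the client as far as we can vouch;
    anything further left was supplied by that client and is ignored, so a
    client connecting directly cannot pick its session address by sending a
    forged X-Forwarded-For, and a client behind the proxy cannot either.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    chain = [remote_addr]
    if x_forwarded_for:
        chain = [h.strip() for h in x_forwarded_for.split(",") if h.strip()] + chain

    nearest_verified = remote_addr  # last hop known to be written by something we trust
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # A trusted proxy always appends a syntactically valid address, so a
            # malformed entry must have come from outside. Stop at the proxy
            # that received it rather than bind a session to attacker text.
            return nearest_verified
        if addr not in trusted:
            return str(addr)
        nearest_verified = str(addr)
    # Every hop was one of our proxies (a request that originated on the proxy).
    return nearest_verified
```

The constructed cases worth checking: with Squid on localhost, `client_ip("127.0.0.1", "198.51.100.7")` yields the client behind the proxy; a direct connection from 203.0.113.5 carrying a forged header still yields 203.0.113.5; with a second trusted hop (192.0.2.10) listed, a header such as `10.0.0.9, 198.51.100.7, 192.0.2.10` yields 198.51.100.7 and the client-supplied 10.0.0.9 is ignored. One Squid caveat for the setup in the report: Squid only appends the client address to X-Forwarded-For while its `forwarded_for` directive is on (the default), so that setting is what makes the rightmost entry trustworthy.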