[Koha-bugs] [Bug 6800] Koha authentication should handle proxies better

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Sun Aug 28 17:31:49 CEST 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6800

--- Comment #1 from Jared Camins-Esakov <jcamins at cpbibliography.com> 2011-08-28 15:31:49 UTC ---
Created attachment 5185
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=5185
proposed patch

Previously Koha always used the remote address for its sessions. This is a
problem where a sizable percentage of sessions are being routed through the
same proxy (for example, in the case of load balancers or reverse proxies,
or even a corporate proxy). This commit adds support for pulling the
client's IP address out of the X-Forwarded-For HTTP header, so that sessions
will be keyed to the client and not the proxy.

Although X-Forwarded-For can be spoofed, in situations where all clients
would have the same immediate REMOTE_ADDRESS (e.g. load balancing, reverse
proxy, corporate firewall), using X-Forwarded-For seems the lesser of two
evils (if you're running the proxy, you can guarantee that the most recent
entry in X-Forwarded-For is accurate, hence the behavior when the syspref is
set to require a routable IP).

=== SYSPREFS ===
This commit adds the syspref HandleXForwardedFor with the following options:
* Always use the address of the machine connecting to Koha as the client IP
    for authenticated sessions. This is appropriate for configurations with
    no reverse proxy or load balancer, and is exactly the same as the
    previous behavior.
* Always use the address of the machine with the web browser as the client
    IP for authenticated sessions. This is appropriate for configurations
    that are contained entirely within a LAN, and therefore non-routable IPs
    can be mapped to specific computers.
* Use the first routable address or the address of the last hop before the
    proxy as the client IP for authenticated sessions. This is appropriate
    for configurations that include a reverse proxy or load balancer exposed
    via the public Internet. Anyone connecting through an additional proxy
    will have their session linked to that proxy's IP.

=== API CHANGES ===
This commit adds the get_clientip method to C4::Auth to handle
identification of the client IP:

  my $clientip = get_clientip($remote_addr, $forwarded_for, $require_routable);

Parses the remote IP address (passed to the function in $remote_addr), the
X-Forwarded-For header (passed to the function in $forwarded_for), and
retrieves the IP address of the client, returning a string representation of
the IP address. If $require_routable is set to "first", this function will
always return the most-distant IP address. If $require_routable is set to
"routable", this function will choose the first routable IP address in the
list of relays, or the address immediately before the closest proxy. If
$require_routable is set to "ignore", this function will always return the
most recent hop (i.e. the remote address). "Ignore" is the default, if
$require_routable is not set.

=== TESTING INSTRUCTIONS ===
The problem with the current configuration in Koha can be seen by
configuring Koha to listen on 127.0.0.1 and setting up a Squid proxy with
the following configuration options on the same server:

 # BEGIN SQUID CONFIGURATION
 # The next two lines must go at the top of the squid configuration file:
http_port ${PUBLIC_IP}:80 accel defaultsite=${YOUR_DOMAIN} vhost
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel

 # The next four lines must go AFTER the line "acl CONNECT method CONNECT":
acl our_sites dstdomain .${YOUR_DOMAIN}
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
 # END SQUID CONFIGURATION

If you view the session log after connecting via ${PUBLIC_IP}:80, you will
see an entry for 127.0.0.1. This is the default behavior after this patch is
applied as well, but by changing the syspref HandleXForwardedFor to "Always
use the address of the originating machine," you can ensure that the IP that
shows up will always be the IP address of the machine with the web browser,
or by setting the syspref to "Use the first routable address or address of
last hop before proxy," you can ensure that the IP will always be either the
first routable address or the address of the system connecting to the
reverse proxy. On a LAN, the difference between those two options can be
tested by daisy-chaining a second squid proxy to the first, and connecting
through that.

In addition to these steps for testing, several tests have been added to
confirm that C4::Auth::get_clientip correctly handles valid input.

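The three modes of get_clientip described in the comment above, written out as an added, self-contained Perl example (this is not the patch's own C4::Auth code; the helper names is_routable_ipv4 and the scan order for "routable", most-distant hop first with the last hop before the proxy as fallback, are assumptions taken from the prose). The sample remote address and X-Forwarded-For values are constructed from the Squid scenario in the testing instructions, using documentation-range addresses for the public hops.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Koha's C4::Auth::get_clientip.
# True when an IPv4 address lies outside the private, loopback and
# link-local ranges, i.e. it could have been reached over the public Internet.
sub is_routable_ipv4 {
    my ($ip) = @_;
    my @o = ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
    return 0 unless @o == 4 && !grep { $_ > 255 } @o;  # not a valid dotted quad
    return 0 if $o[0] == 10;                                # 10.0.0.0/8
    return 0 if $o[0] == 172 && $o[1] >= 16 && $o[1] <= 31; # 172.16.0.0/12
    return 0 if $o[0] == 192 && $o[1] == 168;               # 192.168.0.0/16
    return 0 if $o[0] == 127;                               # loopback
    return 0 if $o[0] == 169 && $o[1] == 254;               # link-local
    return 1;
}

# $mode follows the syspref values in the comment: "ignore" (default) keeps the
# remote address, "first" takes the most-distant hop, "routable" takes the first
# routable hop and otherwise the last hop before the proxy that reached Koha.
sub get_clientip {
    my ($remote_addr, $forwarded_for, $mode) = @_;
    $mode = 'ignore' unless defined $mode && length $mode;
    $forwarded_for = '' unless defined $forwarded_for;

    # X-Forwarded-For lists hops most-distant first: "client, proxy1, proxy2".
    my @hops = grep { length }
               map { my $h = $_; $h =~ s/^\s+|\s+$//g; $h }
               split /,/, $forwarded_for;

    return $remote_addr if $mode eq 'ignore' || !@hops;
    return $hops[0]     if $mode eq 'first';
    if ($mode eq 'routable') {
        for my $hop (@hops) {
            return $hop if is_routable_ipv4($hop);
        }
        return $hops[-1];   # nothing routable: address immediately before the proxy
    }
    die "unknown HandleXForwardedFor mode '$mode'";
}

# Constructed scenario: Koha listens on 127.0.0.1 behind the Squid accelerator
# from the testing instructions; a LAN browser (192.168.1.20) reached that
# accelerator through a corporate proxy with a public address (198.51.100.7).
my $remote = '127.0.0.1';
my $xff    = '192.168.1.20, 198.51.100.7';
for my $mode (qw(ignore first routable)) {
    printf "%-9s -> %s\n", $mode, get_clientip($remote, $xff, $mode);
}

# Same LAN browser connecting directly to the accelerator: no routable hop at
# all, so "routable" falls back to the only entry, which is the browser itself.
printf "%-9s -> %s (LAN only)\n", 'routable', get_clientip($remote, '192.168.1.20', 'routable');
```

When reading the result as a session key, keep in mind which entries your own infrastructure vouches for: the proxy you operate appends exactly one address to X-Forwarded-For (the peer it accepted the connection from), so that rightmost entry is the only one you can verify, and everything to its left was supplied by the upstream client or proxy. The "routable" mode is useful precisely because a browser behind a further proxy ends up keyed to that proxy's public address rather than to an unverifiable private one.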