Warning: This page has not been updated in over a year and may be outdated or deprecated.
administration:security

Differences

This shows you the differences between two versions of the page.

administration:security [2020/08/24 17:43] – [Proxies and IP Authentication] demiankatzadministration:security [2020/08/31 14:40] – [Proxies and IP Authentication] demiankatz
Line 67: Line 67:
 If you rely on IP authentication for setting VuFind permissions, and if your VuFind server is located behind a proxy on the network, you may have difficulty accurately identifying users. There are HTTP headers, including X-Real-IP and X-Forwarded-For, which can be used to identify users on the other side of a proxy, but they can be easily spoofed. If you rely on IP authentication for setting VuFind permissions, and if your VuFind server is located behind a proxy on the network, you may have difficulty accurately identifying users. There are HTTP headers, including X-Real-IP and X-Forwarded-For, which can be used to identify users on the other side of a proxy, but they can be easily spoofed.
  
-Starting with VuFind 7.0.1, the config.ini [Proxy] section contains allow_forwarded_ips and forwarded_ip_filter settings which can be used to control how VuFind identifies IP addresses based on HTTP headers. The full details on configuration options can be found in the comments in that file.+It may be possible to work around this problem through careful configuration of your proxy and use of the [[https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html|mod_remoteip]] Apache plugin. 
 + 
 +In case this approach is not possible, starting with VuFind 7.0.1, the config.ini [Proxy] section contains allow_forwarded_ips and forwarded_ip_filter settings which can be used to control how VuFind identifies IP addresses based on HTTP headers. The full details on configuration options can be found in the comments in that file.
  
 By default, all IP-forwarding headers are ignored, but by turning on allow_forwarded_ips, you can tell VuFind which headers to trust, and how to handle multi-valued headers. The forwarded_ip_filter setting can be used to filter own the addresses of known internal network devices. You also have the option of extending/overriding the VuFind\Net\UserIpReader class if you need to apply more nuanced, institution-specific logic. By default, all IP-forwarding headers are ignored, but by turning on allow_forwarded_ips, you can tell VuFind which headers to trust, and how to handle multi-valued headers. The forwarded_ip_filter setting can be used to filter own the addresses of known internal network devices. You also have the option of extending/overriding the VuFind\Net\UserIpReader class if you need to apply more nuanced, institution-specific logic.
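
Review bot: The added sentence about mod_remoteip (the first `+` line) leaves "careful configuration of your proxy" undefined, and that is exactly where the spoofing risk named in the preceding paragraph gets addressed or not. Suggest stating that the proxy must overwrite or strip any client-supplied X-Forwarded-For / X-Real-IP value, and that mod_remoteip should accept its RemoteIPHeader only from the proxy's own addresses (RemoteIPInternalProxy or RemoteIPTrustedProxy); without both, the header remains as easy to spoof as before. The same caution applies to the fallback in the second `+` line: allow_forwarded_ips should only name headers that the proxy itself sets. Two wording points: Apache calls mod_remoteip a module rather than a plugin, and the unchanged context line at the end of the hunk reads "filter own the addresses", which should be "filter out the addresses".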
administration/security.txt · Last modified: 2024/05/16 10:58 by emaijala