administration:security

Differences

administration:security [2020/06/29 12:11]
demiankatz
administration:security [2020/07/23 16:47] (current)
demiankatz
Line 62: Line 62:
  
 VuFind includes an administration module (accessible through <​nowiki>​http://​your_vufind_url/​Admin/​Home</​nowiki>​). ​ This is useful, but it should not be exposed to the general public. The access.AdminModule [[configuration:​permission_options|permission]] can be used to grant granular control to the module. The entire module can still be disabled using the System/​admin_enabled setting if desired. VuFind includes an administration module (accessible through <​nowiki>​http://​your_vufind_url/​Admin/​Home</​nowiki>​). ​ This is useful, but it should not be exposed to the general public. The access.AdminModule [[configuration:​permission_options|permission]] can be used to grant granular control to the module. The entire module can still be disabled using the System/​admin_enabled setting if desired.
 +
 +===== Proxies and IP Authentication =====
 +
 +If you rely on IP authentication for setting VuFind permissions,​ and if your VuFind server is located behind a proxy on the network, you may have difficulty accurately identifying users. There are HTTP headers, including X-Real-IP and X-Forwarded-For,​ which can be used to identify users on the other side of a proxy, but they can be easily spoofed.
 +
 +Starting with VuFind 7.0.1, the config.ini [Proxy] section contains an allow_forwarded_ips setting which can be used to control how VuFind identifies IP addresses based on HTTP headers. The full details on configuration options can be found in the comments in that file.
 +
 +By default, all IP-forwarding headers are ignored, but by turning on allow_forwarded_ips,​ you can tell VuFind which headers to trust, and how to handle multi-valued headers. You also have the option of extending/​overriding the VuFind\Net\UserIpReader class if you need to apply more nuanced, institution-specific logic.
 +
 +If you plan to use this feature, you should install one of the many available browser plugins for editing HTTP headers, and determine exactly how your proxy behaves when receiving falsified headers. (A quick way to do to this is to var_dump the $_SERVER superglobal in a PHP script that you can access through your proxy). Based on this information,​ you should be able to adjust the configuration of VuFind and/or your proxy to reduce the risk of spoofing.
  
 ===== Securing User Credentials ===== ===== Securing User Credentials =====
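Review bot: The paragraph beginning "If you plan to use this feature" explains how to send falsified headers through the proxy but does not say what result the reader should be checking for. Suggest adding, after "reduce the risk of spoofing", a sentence stating the safe outcome: allow_forwarded_ips should only be turned on for a header that the proxy is known to overwrite with the real client address (rather than append to or pass through), so that the var_dump test shows the spoofed value does not survive the hop; where the proxy appends, the "how to handle multi-valued headers" option mentioned two paragraphs earlier must be set so that only the proxy-written value is used. Two smaller points in the same paragraph: "A quick way to do to this" has a doubled "do", and it is worth telling readers to remove the var_dump script once the check is done, since it exposes the full $_SERVER contents to anyone who can reach it through the proxy.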
administration/security.txt · Last modified: 2020/07/23 16:47 by demiankatz