Feature Proposal: Optionally get client IP from the X-Forwarded-For header.

Motivation

When Foswiki is behind a web proxy, load balancer, or other appliance, it sees only the proxy server's IP address. This breaks IP matching in sessions, masks client addresses in the logs, and breaks plugins like BlackListPlugin.

Description and Documentation

Add a configuration parameter {PROXY}{ClientFromXForwardedFor}. If enabled, Engine::CGI should parse the X-Forwarded-For header, extract the client IP, and use it instead of the REMOTE_ADDR address when setting query->remoteAddress.

Any internal direct access to the REMOTE_ADDR environment variable also needs to be reviewed.
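
One way to implement the header handling described above, as an added example that is not Foswiki's own Engine code. It goes beyond the proposal by honouring X-Forwarded-For only when REMOTE_ADDR is a known proxy, since any direct client can send the header itself. The `%TRUSTED_PROXY` list, the function names and the sample addresses are assumptions of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Hypothetical list of proxy addresses allowed to supply X-Forwarded-For
# (an assumption of this example; the proposal only names the on/off switch).
my %TRUSTED_PROXY = map { $_ => 1 } qw(10.0.0.5 10.0.0.6);

# True if the string parses as an IPv4 or IPv6 address literal.
sub is_ip {
    my ($s) = @_;
    return defined $s
      && ( defined inet_pton( AF_INET, $s ) || defined inet_pton( AF_INET6, $s ) );
}

# Return the address to record as the client.
#   $enabled     - stands in for {PROXY}{ClientFromXForwardedFor}
#   $remote_addr - REMOTE_ADDR as seen by the web server
#   $xff         - raw X-Forwarded-For value (HTTP_X_FORWARDED_FOR under CGI)
sub client_ip {
    my ( $enabled, $remote_addr, $xff ) = @_;
    return $remote_addr unless $enabled && defined $xff && length $xff;

    # A peer that is not one of our proxies can put anything in the header.
    return $remote_addr unless $TRUSTED_PROXY{$remote_addr};

    # Each proxy appends the peer it saw, so walk from the right and stop at
    # the first hop that is not one of our own proxies.
    for my $hop ( reverse split /\s*,\s*/, $xff ) {
        $hop =~ s/^\s+|\s+$//g;
        next if $TRUSTED_PROXY{$hop};
        return is_ip($hop) ? $hop : $remote_addr;    # malformed entry: fall back
    }
    return $remote_addr;    # header listed only our own proxies
}

# Constructed sample requests: [ enabled, REMOTE_ADDR, X-Forwarded-For ]
my @samples = (
    [ 1, '10.0.0.5',   '203.0.113.7' ],
    [ 1, '10.0.0.5',   '198.51.100.1, 203.0.113.7, 10.0.0.6' ],
    [ 1, '192.0.2.44', '127.0.0.1' ],
    [ 1, '10.0.0.5',   '<script>, 10.0.0.6' ],
    [ 0, '10.0.0.5',   '203.0.113.7' ],
);
for my $s (@samples) {
    printf "%-12s %-40s -> %s\n", $s->[1], $s->[2], client_ip(@$s);
}
```

In the second sample the leftmost entry is whatever the client chose to send, so it is never reached; the value used for session IP matching, logging and blacklist checks is the address the outermost trusted proxy actually saw.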

Examples

Impact


Implementation

-- Contributors: GeorgeClark - 19 Apr 2017

Discussion

Looks to be a pretty simple change to the Engine implementations. I'll just commit into master, as it will be disabled by default and is testing fine with mod_perl and CGI. Setting to merged.

Currently I have a Configure checker put up a warning if it detects a proxy. Should bootstrap automatically enable the header processing if it discovers Foswiki is behind a proxy?

-- GeorgeClark - 14 May 2017

This feature is much too important not to release it ASAP. Basically we cannot use Foswiki behind a reverse proxy ... which is very much best practice deploying Foswiki using Docker.

I will backport it to the 2.1.8 release.

-- MichaelDaum - 24 Feb 2023
 
Topic revision: r4 - 24 Feb 2023, MichaelDaum