Bug 611269 - fill in X-Forwarded-For in bugzilla requests
Status: Closed, RESOLVED FIXED
Opened 14 years ago, closed 12 years ago
Product/Component: Webtools Graveyard :: BzAPI (enhancement, P1)
Reporter: timeless; Assigned: gerv
Details
bzapi is a proxy, it should fill in X-Forwarded-For ideally it should also have a conf field where you can specify trusted hosts from which it should transclude X-Forwarded-For values. On the bugzilla server side, someone would of course have to know about specific bzapi instances and choose to trust their X-Forwarded-For values, but that's unrelated.
Comment 1•14 years ago
So basically, you want me to set X-Forwarded-For to: join(",", $req->headers->{'X-Forwarded-For'}, $ENV{'REMOTE_ADDR'}) on all requests sent to Bugzilla?

Gerv
Comment 2•14 years ago
timeless or reed: ping?

Gerv
Comment 3•14 years ago
timeless or reed: reping?

Gerv
Comment 4•13 years ago
Resolving INCOMPLETE due to lack of input from reporter...

Gerv
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INCOMPLETE
Comment 6•13 years ago
re #c1, yes. If BzAPI has any type of proxies in front of it, things get complicated, but that's a simple fix, yes.
Status: RESOLVED → REOPENED
Priority: -- → P1
Resolution: INCOMPLETE → ---
Comment 7•13 years ago
Take a look at the code in https://github.com/jsocol/commonware/blob/master/commonware/request/middleware.py Implementing something similar would work great and be the best thing you can do.
Updated•13 years ago
Status: REOPENED → NEW
Comment 8•13 years ago
Reed: I'm really not sure how that code snippet applies to BzAPI. That code seems to be working out the correct REMOTE_ADDR by using X-Forwarded-For. Surely that's what an end application should do, not something working as a proxy?

I've implemented comment 1. It's now live on the "/latest" install, and a lot of traffic flows through that. Can someone confirm it's working, by looking at requests to Bugzilla?

Gerv
Comment 9•12 years ago
dkl/glob: Can either of you confirm this X-Forwarded-For is working, or tell me who can?

Gerv
Comment 10•12 years ago
bmo only sees the header which zeus presents to it, so IT will have to check that zeus is configured to pass bzapi's x-forwarded-for header through to bmo (if possible). ashish should be able to help.
Comment 11•12 years ago
If you're sending one, zeus will tack your IP on the end and pass it through. Easiest way to tell is to authfail repeatedly via the bzapi so you get locked out. The lockout email will tell what IP it thought you were on. We've gotten a few (more than a week or two ago last time we got one) that had bzapi's IP address as the IP listed on the notice (which would indicate that it wasn't working). Based on the timing of comments you probably hadn't implemented it yet then.
Comment 12•12 years ago
(In reply to Dave Miller [:justdave] from comment #11)
> Easiest way to tell is to authfail repeatedly via the bzapi so you get
> locked out. The lockout email will tell what IP it thought you were on.

I've just triggered another, and we're still getting the api-dev ip:

> The IP address 63.245.210.151 failed too many login attempts (5) for
> the account byron.jones@gmail.com.

63.245.210.151 is api-dev.bugzilla.mozilla.org.

Note: this ip is already included in bmo's inbound_proxies parameter.
Comment 13•12 years ago
It's been in place for several weeks now, but on the /latest endpoint only. So if people were using e.g. the /1.0 endpoint, they wouldn't have seen it. glob: which endpoint did you use?

Gerv
Comment 14•12 years ago
(In reply to Gervase Markham [:gerv] from comment #13)
> glob: which endpoint did you use?

I used /latest
Comment 15•12 years ago
I've done a local test using an MITM proxy and it does seem like BzAPI is setting X-Forwarded-For correctly in my test system. Someone will need to look on b.m.o. at a request coming in from BzAPI and see whether it's coming through in the production system. If it's not, we need to figure out why. If it is, we need to figure out why Bugzilla isn't respecting it.

Gerv
Comment 16•12 years ago
We figured this out - FastCGI doesn't populate $ENV{'REMOTE_ADDR'} so we had to get the info from elsewhere ($c->request->address) for the production system.

Gerv
Status: NEW → RESOLVED
Closed: 13 years ago → 12 years ago
Resolution: --- → FIXED
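Both halves of the header handling this bug turns on, as an added Python example that is not BzAPI's or Bugzilla's own code: outbound_xff builds the value a proxy sends (comment 1's join, plus the trusted-hosts check from the description, and treating an empty peer address as an error rather than an empty hop, which is the FastCGI failure of comment 16), and effective_client_ip is what the receiving application does with it against an inbound_proxies list (comments 7, 8 and 12). The trusted sets and all addresses are constructed, except 63.245.210.151, which comment 12 identifies as api-dev.

```python
from ipaddress import ip_address

# Constructed configuration for this example; not the real BzAPI or bmo settings.
TRUSTED_UPSTREAMS = {"10.0.0.5"}   # proxies in front of BzAPI whose X-Forwarded-For is trusted
INBOUND_PROXIES = {
    "63.245.210.151",  # api-dev / BzAPI, per comment 12
    "10.0.0.1",        # constructed stand-in for the zeus load balancer (comment 11)
}


def outbound_xff(incoming_xff, peer_addr, trusted_upstreams=TRUSTED_UPSTREAMS):
    """Value a proxy such as BzAPI should send as X-Forwarded-For.

    peer_addr is the connecting client's address (REMOTE_ADDR in comment 1,
    $c->request->address under FastCGI in comment 16).  An incoming header is
    only carried over when the peer is a trusted upstream proxy; otherwise any
    client could forge the earlier hops.  A missing or malformed peer address
    raises instead of silently producing an empty hop.
    """
    ip_address(peer_addr)  # raises ValueError on "" or garbage
    hops = []
    if incoming_xff and peer_addr in trusted_upstreams:
        hops = [h.strip() for h in incoming_xff.split(",") if h.strip()]
    hops.append(peer_addr)
    return ", ".join(hops)


def effective_client_ip(xff_header, remote_addr, inbound_proxies=INBOUND_PROXIES):
    """What the receiving application (Bugzilla) should derive from the header.

    The header is trusted only if the TCP peer is a known proxy.  The chain is
    then walked from the right, skipping known proxies; the first other address
    is the client.  If every hop is a proxy (e.g. the proxy sent no header),
    only a proxy address is left, which is the symptom comment 12 describes.
    """
    if remote_addr not in inbound_proxies:
        return remote_addr  # header came from an untrusted peer; ignore it
    chain = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain.append(remote_addr)
    for hop in reversed(chain):
        try:
            ip_address(hop)
        except ValueError:
            continue  # skip non-address tokens rather than trusting them
        if hop not in inbound_proxies:
            return hop
    return remote_addr
```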
Updated•6 years ago
Product: Webtools → Webtools Graveyard