We have the following experimental setup for Crowd. There are 3 Docker containers running in Ubuntu - Crowd, Postgres and NGINX as a reverse proxy. The idea was that this setup should be easily replicated and started with docker-compose on a different host when needed.
Everything starts up and runs OK. I configured Crowd to connect to Postgres and added a new Confluence client application. However, when I try to authenticate a user in Confluence, it shows a Crowd exception like the following:
"HTTP Status 403 - Client with address "172.18.0.5" is forbidden from making requests to the application"
172.18.0.5 is one of the internal Docker IP addresses - I believe it is the one of the NGINX container. I cannot figure out why it is showing this address instead of the real remote IP. I have these lines in the NGINX configuration:
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        port_in_redirect off;
        proxy_redirect http://crowd.example.com/ /;
        proxy_pass http://crowd:8095;
    }
Shouldn't the X-Real-IP be passed to Crowd? Has anybody had a similar setup working, or does anyone have an idea what I could try?
Thank you
Hi RVal,
Crowd will use the X-Forwarded-For header as the source IP for validating the request, but the proxy IP needs to be added to the Trusted Proxy Servers list in Crowd. Please see https://confluence.atlassian.com/crowd/configuring-trusted-proxy-servers-158107219.html for more details.
Thank you for your help. Adding my proxy IP to Trusted Proxy Servers made Crowd use the X-Forwarded-For header instead of my proxy IP as the remote client IP. Thanks a lot.
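
The behaviour described in the answer, as an added example that is not part of the original thread and is not Crowd's own code: a forwarded address is honoured only when the connecting peer is on a trusted-proxy list, otherwise the peer address itself is checked. The function name `resolve_client_ip`, the right-to-left walk over multiple hops (a generalization of the single-proxy case in the thread) and the client address 203.0.113.7 are assumptions made for illustration.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Return the address an IP allow-list check should evaluate.

    peer_ip         -- address of the TCP peer the application sees
    xff_header      -- raw X-Forwarded-For value, or None
    trusted_proxies -- IPs or CIDR ranges allowed to supply X-Forwarded-For
    (Hypothetical helper: illustrates the general trusted-proxy pattern.)
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_ip)
    # An untrusted peer can put anything in the header, so ignore it.
    if not is_trusted(peer) or not xff_header:
        return str(peer)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    candidate = peer
    # The rightmost entry was appended by the trusted proxy; walk leftwards
    # and stop at the first address that is not itself a trusted proxy.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        candidate = addr
        if not is_trusted(addr):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed cases; 172.18.0.5 is the proxy address from the thread.
    cases = [
        ("proxy not trusted", "172.18.0.5", "203.0.113.7", []),
        ("proxy trusted", "172.18.0.5", "203.0.113.7", ["172.18.0.5"]),
        ("client-supplied entry", "172.18.0.5", "10.0.0.1, 203.0.113.7",
         ["172.18.0.5"]),
    ]
    for label, peer, xff, trusted in cases:
        print(f"{label:22} -> {resolve_client_ip(peer, xff, trusted)}")
```

In a Compose setup the proxy container's address is assigned by Docker and can differ between hosts unless it is pinned, so the trusted entry has to match the address Crowd actually sees.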