Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Incorrect IP address used behind reverse proxy

Daniel Hilgarth
Daniel Hilgarth May 9, 2019

I am using a dockerized version of Crowd which is sitting behind a Traefik reverse proxy.

Everything works fine except for one thing: I have a third party application that uses Crowd for identity management and I have added it as an application and added the external IP address of the third party application in the Remote Addresses tab.

However, Crowd blocks the authentication requests with this message:

 

>  INFO [crowd.manager.validation.ClientValidationManagerImpl] Client with address '172.25.0.4' is forbidden from making requests to application 'x x x'

172.25.0.4 is the IP address of the reverse proxy in the internal Docker network.

What changes do I have to make so that Crowd is able to know the original IP address? Is there a header that Traefik should set or something similar?

 

Answer
Watch
Like Be the first to like this
610 views

1 answer

0 votes
Daniel Eads
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 10, 2019

Hi Daniel,

Sounds like it's missing the X-Forwarded-For header. In nginx, we'd set it like this:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Traefik is new territory for me however! I see mention about Forwarded headers needing to have a trusted IP but am not completely sure that's what needs to happen in this situation. That's the path I'm headed down learning more about - just wanted to mention this in advance in case you might already have some knowledge in that area. If not, I will hopefully have some more info for you soon.

Cheers,
Daniel

View More Comments
Daniel Hilgarth
Daniel Hilgarth May 11, 2019

Hi Daniel,

thanks for the suggestions. tcpdump showed that the headers were present and correct. What was missing was to actually add traefik as a trusted proxy to Crowd :)

Cheers,

Daniel

Like
Reply

Suggest an answer

Log in or Sign up to answer
Crowd
Crowd
TAGS
AUG Leaders

Atlassian Community Events

    See all events