[FEATURE REQUEST] Accommodate reverse-proxying for salt-api #67484
nf-brentsaner
started this conversation in
Feature Requests
Replies: 2 comments
-
|
Don't forget |
Beta Was this translation helpful? Give feedback.
0 replies
-
7239, yep- good call! |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
(Note: below references
rest_cherrpy; I presume the same would be applicable forrest_tornadoand maybe?rest_wsgi.)Is your feature request related to a problem? Please describe.
Currently there is no way to define
api_aclif reverse-proxying, as all requests will appear to come from the proxy server itself.Describe the solution you'd like
A configuration directive should be provided for that can be used to assume the "real" client IP address, which would be passed by the reverse proxy. This is precisely what
X-Forwarded-ForandX-Forwarded-By(and, to a lesser extent,X-Forwarded-Proto) are for.Describe alternatives you've considered
Implementing this directly on the reverse proxy, which is a PITA because eauth login is performed via the body instead of headers or HTTP Basic Authentication.
(That reminds me, HTTP Basic Auth per RFC 9110 could be implemented by using the
realmspace as the eauth method. But that's not what this FR is about.)Additional context
N/A
Please Note
If this feature request would be considered a substantial change or addition, this should go through a SEP process here https://github.com/saltstack/salt-enhancement-proposals, instead of a feature request.
Beta Was this translation helpful? Give feedback.
All reactions