How do I configure my web server to use PluggableAuthService's Domain Auth Plugin?
I'm trying to use the Domain Auth Plugin to assign the Membership role to site visitors based on their IP address.
I can configure the plugin OK, but it occurs to me all the requests will be coming from localhost and not the "real" IP address.
In this case I'm using NGINX, so I tried setting X-Real-IP to $remote_addr via proxy_set_header (e.g. http://wiki.nginx.org/HttpProxyModule), but as far as I can tell that just makes the IP address available in the header.
How do I make the requests sent from NGINX to Plone appear to be originating from the remote IP address?
I'm using NGINX but I'm open to answers that apply to Apache too.
Comments (2)
The Domain Auth Plugin uses the request.getClientAddr() method to determine the IP address of the client, which in turn uses both the REMOTE_ADDR variable and the X-FORWARDED-FOR header.
Normally, you cannot rely on the X-FORWARDED-FOR header, seeing as just about anyone could have set it. But you can configure Zope to trust that header from a given set of trusted proxies. Using the list of trusted proxies, the REMOTE_ADDR IP address will be replaced with the next address given in the X-FORWARDED-FOR header, until you run out of addresses to trust. The last IP address found is then the new client address. This allows you to chain a set of proxies and still be able to trust you get the correct client address to base your roles on.
To configure Zope to trust a proxy's X-FORWARDED-FOR header, set the trusted-proxy configuration parameter in the zope.conf file. If your nginx server runs on the same host, just set it to localhost:
You specify more than one name by adding multiple entries:
trusted-proxy takes both IP addresses and hostnames.
Many reverse proxies set an X-Forwarded-For header to the original IP. The domain auth plugin should be updated to handle this if it doesn't already.
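The trusted-proxy walk described in the first answer above, as an added Python sketch (not Zope's or the plugin's own code). The function name resolve_client_addr and all addresses are constructed for illustration, and trusted proxies are matched as plain IP strings only (no hostname lookup).

```python
"""Sketch of the trusted-proxy resolution described in the first answer."""


def resolve_client_addr(remote_addr, x_forwarded_for, trusted_proxies):
    """Return the address that role decisions should be based on.

    remote_addr      -- peer address of the TCP connection (REMOTE_ADDR)
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    trusted_proxies  -- addresses configured as trusted (IP strings only here)
    """
    trusted = {p.strip() for p in trusted_proxies}
    # Assumption: each proxy appends the peer it saw to the header, so the
    # rightmost entry is the most recent hop.
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    client = remote_addr.strip()
    # Step back one hop at a time, but only while the current address is a
    # proxy we trust. The first untrusted address ends the walk; anything
    # to its left was supplied by that untrusted party and is ignored.
    while client in trusted and hops:
        client = hops.pop()
    return client


# Constructed sample requests (documentation address ranges).
TRUSTED = ["127.0.0.1", "10.0.0.2"]
SAMPLES = [
    # (label, REMOTE_ADDR, X-Forwarded-For)
    ("direct client forging the header", "198.51.100.7", "192.168.1.10"),
    ("via local nginx", "127.0.0.1", "203.0.113.9"),
    ("forged entry passed through nginx", "127.0.0.1",
     "192.168.1.10, 203.0.113.9"),
    ("two trusted proxies chained", "127.0.0.1", "203.0.113.9, 10.0.0.2"),
    ("trusted proxy, no header", "127.0.0.1", None),
]

if __name__ == "__main__":
    for label, remote, xff in SAMPLES:
        result = resolve_client_addr(remote, xff, TRUSTED)
        print(f"{label:36} -> {result}")
```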