Can't understand OverrideAuthorizationClient

Hello

I set up PrivacyIdea behind a few reverse proxies… so I had to use OverrideAuthorizationClient to get the real originating IP.

I used a configuration: 172.30.0.11/32, 172.30.0.1/32
My request comes from 161.97.81.166 and goes through 172.30.0.1, then 172.30.0.11.
But PrivacyIdea believes my IP is 172.30.0.1.

I tried other configurations, changing the order, but no luck…

The log shows:
[privacyidea.lib.utils:637] Determining the mapped IP from [IPAddress('172.30.0.11'), IPAddress('172.30.0.1'), IPAddress('161.97.81.166')] given the proxy settings '172.30.0.11/32, 172.30.0.1/32' …
[privacyidea.lib.utils:641] Proxy path: (IPNetwork('172.30.0.1/32'), IPNetwork('0.0.0.0/0'))
[privacyidea.lib.utils:654] … ignored because IPAddress('172.30.0.11') is not in subnet IPNetwork('172.30.0.1/32')
[privacyidea.lib.utils:641] Proxy path: (IPNetwork('172.30.0.11/32'), IPNetwork('0.0.0.0/0'))
[privacyidea.lib.utils:662] … setting new candidate for client IP: IPAddress('172.30.0.1')
[privacyidea.lib.utils:665] Determined mapped client IP: IPAddress('172.30.0.1')

Kind of the same thing happens if I switch both proxy addresses.

I looked at the source code to find some help and read the comments… but no chance.
If I trust the comments, my configuration should find my source address!

So… what didn't I understand?

BTW: it seemed to me a really, really complex process. Why not just filter the source with the proxies and stop at the first address that is not a proxy? OK… MAYBE it's safer to have some kind of "chain"… but isn't it too much complexity for a really small security enhancement?

OK, I read the tests of the lib… and even if the text in "Override Authorization Clients" suggests a comma-separated list, it will accept ">" for chains…

So I entered "172.30.0.11 > 172.30.0.1 > 0.0.0.0/0" and everything is fine now :)
Maybe I missed something in the documentation :(
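To make the behaviour in the log above concrete, here is an added, self-contained Python reimplementation of the proxy-path walk as I read it from those log lines. It is not privacyIDEA's own code and the function names `parse_proxy_settings` and `mapped_client_ip` are my own; the address list, the comma-separated and ">"-chain syntax, and the three IPs come from the thread. It shows why "172.30.0.11/32, 172.30.0.1/32" stops at 172.30.0.1 while the chain "172.30.0.11 > 172.30.0.1 > 0.0.0.0/0" reaches 161.97.81.166, and why a spoofed X-Forwarded-For from an untrusted source falls back to the connecting address.

```python
import ipaddress


def parse_proxy_settings(setting):
    """Parse the Override Authorization Client setting.

    Entries are comma-separated. Each entry is a '>'-separated chain of
    networks, read from the proxy nearest to the server outwards. A bare
    entry 'X' is treated as 'X > 0.0.0.0/0', i.e. proxy X may report any
    address as the next hop. Illustrative reimplementation, not privacyIDEA's.
    """
    paths = []
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        hops = [ipaddress.ip_network(h.strip(), strict=False)
                for h in entry.split(">")]
        if len(hops) == 1:
            hops.append(ipaddress.ip_network("0.0.0.0/0"))
        paths.append(tuple(hops))
    return paths


def mapped_client_ip(remote_addr, x_forwarded_for, setting):
    """Return the client IP after walking the configured proxy paths.

    The candidate list is [remote_addr] followed by the X-Forwarded-For
    entries nearest-first (i.e. the header reversed), which is the order
    shown in the log. A path only counts if every hop matches the address
    at that position; the address at the end of the longest matching path
    wins. If nothing matches, the connecting address is returned, so a
    forged X-Forwarded-For from a non-proxy is ignored.
    """
    addrs = [ipaddress.ip_address(remote_addr)]
    if x_forwarded_for:
        addrs += [ipaddress.ip_address(a.strip())
                  for a in reversed(x_forwarded_for.split(","))]

    candidate = addrs[0]
    best_len = 0
    for path in parse_proxy_settings(setting):
        if len(path) > len(addrs):
            continue  # not enough hops in the request to satisfy this path
        if all(addr in net for addr, net in zip(addrs, path)):
            if len(path) > best_len:
                # the last hop of the path is where the client sits
                candidate = addrs[len(path) - 1]
                best_len = len(path)
    return candidate


if __name__ == "__main__":
    # Constructed request matching the thread: client 161.97.81.166 passes
    # through 172.30.0.1 and then 172.30.0.11, which connects to the server.
    xff = "161.97.81.166, 172.30.0.1"
    print(mapped_client_ip("172.30.0.11", xff, "172.30.0.11/32, 172.30.0.1/32"))
    print(mapped_client_ip("172.30.0.11", xff, "172.30.0.11 > 172.30.0.1 > 0.0.0.0/0"))
```

The first call returns 172.30.0.1 (the bare entry "172.30.0.11/32" is a two-hop path, so the walk stops one hop short), the second returns 161.97.81.166. A third scenario worth checking is a direct connection from an untrusted address carrying a fake header: no path matches the first hop, so the connecting address is kept, which is the property that justifies the chain model over "skip everything that is a proxy".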

Cool, great we have tests!

Which part of the documentation did you read? It is all here:
https://privacyidea.readthedocs.io/en/latest/configuration/system_config.html#override-authorization-client
Maybe we need to add a link from the place you read, to this section.
This will help to improve the docs.