Hello
I set up PrivacyIdea behind a few reverse proxies… so I had to use OverrideAuthorizationClient to get the real originating IP.
I used the configuration: 172.30.0.11/32, 172.30.0.1/32
My request comes from 161.97.81.166 and goes through 172.30.0.1, then 172.30.0.11.
But PrivacyIdea believes my IP is 172.30.0.1.
I tried other configurations, changing the order, but no luck…
The log shows:
[privacyidea.lib.utils:637] Determining the mapped IP from [IPAddress('172.30.0.11'), IPAddress('172.30.0.1'), IPAddress('161.97.81.166')] given the proxy settings '172.30.0.11/32, 172.30.0.1/32' …
[privacyidea.lib.utils:641] Proxy path: (IPNetwork('172.30.0.1/32'), IPNetwork('0.0.0.0/0'))
[privacyidea.lib.utils:654] … ignored because IPAddress('172.30.0.11') is not in subnet IPNetwork('172.30.0.1/32')
[privacyidea.lib.utils:641] Proxy path: (IPNetwork('172.30.0.11/32'), IPNetwork('0.0.0.0/0'))
[privacyidea.lib.utils:662] … setting new candidate for client IP: IPAddress('172.30.0.1')
[privacyidea.lib.utils:665] Determined mapped client IP: IPAddress('172.30.0.1')
Kind of the same thing happens if I switch both proxy addresses.
I looked at the source code to find some help; read the comments… but no chance.
If I trust the comment, my configuration should find my source address!
So… what didn't I understand?
BTW: it seemed to me a really, really complex process. Why not just filter the source with the proxies and stop at the first address that is not a proxy? OK… MAYBE it's safer to have some kind of "chain"… but isn't it too much complexity for a really small security enhancement?
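The following is an added example, not privacyIDEA's own code and not part of the post above. It re-implements, from the log lines quoted in the post, how a setting with two comma-separated entries is expanded into two independent two-hop paths (each single entry gets 0.0.0.0/0 appended, exactly as the "Proxy path:" lines show), and why that makes 172.30.0.1 the mapped client. It also shows the chained form, which privacyIDEA's OverrideAuthorizationClient setting expresses with ">" between hops; the concrete chained value used here is my assumption built from the addresses in the post. The matching rule (walk the hops from REMOTE_ADDR outwards, require each hop to be inside the network at the same position, take the hop at the position of the path's last network, longest matching path wins) is my reconstruction of the behaviour visible in the log, not a quotation of the library. The stdlib ipaddress module stands in for netaddr.

```python
import ipaddress
from typing import List, Sequence, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_proxy(setting: str) -> List[Tuple[Net, ...]]:
    """Expand an OverrideAuthorizationClient-style string into proxy paths.

    'A > B > C, D' becomes [(A, B, C), (D, 0.0.0.0/0)].  A comma-separated
    entry without '>' is a one-proxy path and gets 0.0.0.0/0 appended, which
    is what the log in the post shows for '172.30.0.11/32, 172.30.0.1/32'.
    (Reconstruction for illustration, not privacyIDEA's parser.)
    """
    paths = []
    for entry in setting.split(","):
        entry = entry.strip()
        if not entry:
            continue
        hops = [ipaddress.ip_network(h.strip(), strict=False) for h in entry.split(">")]
        if len(hops) == 1:
            hops.append(ANY)
        paths.append(tuple(hops))
    return paths


def mapped_client_ip(path_to_client: Sequence[str], setting: str) -> str:
    """Return the IP privacyIDEA would treat as the client (reconstructed rule).

    path_to_client[0] is the peer that actually connected (REMOTE_ADDR),
    followed by the X-Forwarded-For entries from the nearest proxy outwards,
    so the origin is the last element.  A proxy path only applies when every
    hop sits in the network at the same position; the candidate is the hop at
    the position of the path's last network, and the longest matching path
    wins.  With no matching path the connecting peer itself is the client,
    which is what stops a direct caller from spoofing X-Forwarded-For.
    """
    hops = [ipaddress.ip_address(h) for h in path_to_client]
    best, best_len = hops[0], 0
    for proxy_path in parse_proxy(setting):
        if len(proxy_path) > len(hops):
            continue  # fewer hops than the path requires: cannot match
        if not all(ip in net for ip, net in zip(hops, proxy_path)):
            continue  # some hop fell outside its allowed network: ignored
        candidate = hops[len(proxy_path) - 1]
        if len(proxy_path) > best_len:
            best, best_len = candidate, len(proxy_path)
    return str(best)


# Constructed from the addresses in the post: 161.97.81.166 -> 172.30.0.1 -> 172.30.0.11
PATH = ["172.30.0.11", "172.30.0.1", "161.97.81.166"]

# The setting from the post: two independent one-proxy paths.
FLAT_SETTING = "172.30.0.11/32, 172.30.0.1/32"

# Assumed chained form for this topology: both proxies in order, then any client.
CHAINED_SETTING = "172.30.0.11 > 172.30.0.1 > 0.0.0.0/0"


if __name__ == "__main__":
    print(parse_proxy(FLAT_SETTING))
    print("flat   :", mapped_client_ip(PATH, FLAT_SETTING))      # 172.30.0.1
    print("chained:", mapped_client_ip(PATH, CHAINED_SETTING))   # 161.97.81.166
    # A direct caller (constructed address) forging X-Forwarded-For is not honoured.
    print("spoof  :", mapped_client_ip(["10.9.9.9", "1.2.3.4"], CHAINED_SETTING))  # 10.9.9.9
```

With the flat setting the path (172.30.0.11/32, 0.0.0.0/0) matches and its second network is satisfied by the very next hop, 172.30.0.1, so the walk stops there; the origin address is never reached. The chained form makes 172.30.0.1 a proxy hop rather than the endpoint, which is why the origin is only reached once every proxy in between is named in order. The "spoof" case is the reason for the chain: only a forwarding header that arrives through the configured proxies is trusted, so a host that connects directly cannot pick its own client address.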