Can't understand OverrideAuthorizationClient


I set up PrivacyIdea behind a few reverse proxies… so I had to use OverrideAuthorizationClient to get the real originating IP.

I used a configuration:,
My request comes from and goes through then
But PrivacyIdea believes my IP is

I tried other configurations, changing the order, but no luck…

The log shows:
[privacyidea.lib.utils:637] Determining the mapped IP from [IPAddress(‘’), IPAddress(‘’), IPAddress(‘’)] given the proxy settings ‘,’ …
[privacyidea.lib.utils:641] Proxy path: (IPNetwork(‘’), IPNetwork(‘’))
[privacyidea.lib.utils:654] … ignored because IPAddress(‘’) is not in subnet IPNetwork(‘’)
[privacyidea.lib.utils:641] Proxy path: (IPNetwork(‘’), IPNetwork(‘’))
[privacyidea.lib.utils:662] … setting new candidate for client IP: IPAddress(‘’)
[privacyidea.lib.utils:665] Determined mapped client IP: IPAddress(‘’)

Kind of the same thing happens if I switch both proxy addresses.

I looked at the source code to find some help; read the comments… but no chance.
If I trust the comment, my configuration should find my source address!

So… what didn’t I understand?

BTW: it seemed to me a really really complex process. Why not just filter the source with the proxies and stop at the first address that is not a proxy? OK… MAYBE it’s safer to have some kind of “chain”… but isn’t it too much complexity for a really small security enhancement?

OK, I read the test of the lib… and even if the text in “Override Authorization Clients” suggests having a comma-separated list, it will accept “>” for chains…

So I entered “ > >” and everything is fine now 🙂
Maybe I missed something in the documentation 😦

Cool, great we have tests!

Which part of the documentation did you read? It is all here:

Maybe we need to add a link from the place you read, to this section.
This will help to improve the docs.
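
An added example, not part of the thread and not privacyIDEA's own code: a simplified model of the matching that the log lines above suggest, showing why a comma-separated list of two proxies stops at the intermediate proxy while a ">" chain reaches the client. All addresses, function names and the rule that a single entry is followed by "any network" are assumptions made for this illustration.

```python
import ipaddress

def parse_proxy_settings(settings):
    """Assumed format: ',' separates independent proxy paths, '>' separates
    the hops of one path. A single entry is treated as 'proxy > any network'."""
    paths = []
    for entry in settings.split(","):
        hops = [h.strip() for h in entry.split(">")]
        if len(hops) == 1:
            hops.append("0.0.0.0/0")
        paths.append(tuple(ipaddress.ip_network(h) for h in hops))
    return paths

def mapped_client_ip(path_to_client, settings):
    """path_to_client[0] is the TCP peer, followed by the forwarded-for
    addresses from nearest to farthest. A path only counts if every hop
    matches; the deepest fully matching path selects the client address."""
    best = 0
    for path in parse_proxy_settings(settings):
        if len(path) > len(path_to_client):
            continue  # path expects more hops than the request carries
        if all(ip in net for net, ip in zip(path, path_to_client)):
            best = max(best, len(path) - 1)
    return path_to_client[best]

# Constructed sample addresses (documentation ranges), not from the thread.
PROXY_INNER = "192.0.2.20"      # proxy that connects to the server
PROXY_OUTER = "198.51.100.10"   # proxy the client connects to
CLIENT = "203.0.113.77"
CLIENT_NET = "203.0.113.0/24"

def demo():
    path = [ipaddress.ip_address(a) for a in (PROXY_INNER, PROXY_OUTER, CLIENT)]
    comma_setting = f"{PROXY_OUTER},{PROXY_INNER}"
    chain_setting = f"{PROXY_INNER} > {PROXY_OUTER} > {CLIENT_NET}"
    # Two independent one-hop paths: only the inner proxy matches the peer,
    # so the mapping advances a single hop and lands on the outer proxy.
    comma = mapped_client_ip(path, comma_setting)
    # One three-hop chain: every hop matches, so the client is reached.
    chain = mapped_client_ip(path, chain_setting)
    # A peer that is not the inner proxy is never remapped, whatever
    # forwarded-for value it supplies.
    direct_path = [ipaddress.ip_address(CLIENT), ipaddress.ip_address("10.0.0.1")]
    direct = mapped_client_ip(direct_path, chain_setting)
    return str(comma), str(chain), str(direct)

if __name__ == "__main__":
    print(demo())
```
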