[FEATURE REQUEST] Accommodate reverse-proxying for salt-api #63928
Labels
Feature
new functionality including changes to functionality and code refactors, etc.
needs-triage
Salt-API
Comments
nf-brentsaner
added
Feature
|
Don't forget |
7239, yep- good call! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
(Note: below references
rest_cherrpy; I presume the same would be applicable forrest_tornadoand maybe?rest_wsgi.)Is your feature request related to a problem? Please describe.
Currently there is no way to define
api_aclif reverse-proxying, as all requests will appear to come from the proxy server itself.Describe the solution you'd like
A configuration directive should be provided for that can be used to assume the "real" client IP address, which would be passed by the reverse proxy. This is precisely what
X-Forwarded-ForandX-Forwarded-By(and, to a lesser extent,X-Forwarded-Proto) are for.Describe alternatives you've considered
Implementing this directly on the reverse proxy, which is a PITA because eauth login is performed via the body instead of headers or HTTP Basic Authentication.
(That reminds me, HTTP Basic Auth per RFC 9110 could be implemented by using the
realmspace as the eauth method. But that's not what this FR is about.)Additional context
N/A
Please Note
If this feature request would be considered a substantial change or addition, this should go through a SEP process here https://github.com/saltstack/salt-enhancement-proposals, instead of a feature request.
The text was updated successfully, but these errors were encountered: