[FEATURE REQUEST] Accommodate reverse-proxying for salt-api #63928
Labels: Feature (new functionality including changes to functionality and code refactors, etc.), needs-triage, Salt-API
(Note: below references rest_cherrypy; I presume the same would be applicable for rest_tornado and maybe? rest_wsgi.)
Is your feature request related to a problem? Please describe.
Currently there is no way to define api_acl if reverse-proxying, as all requests will appear to come from the proxy server itself.
Describe the solution you'd like
A configuration directive should be provided that can be used to assume the "real" client IP address, which would be passed by the reverse proxy. This is precisely what X-Forwarded-For and X-Forwarded-By (and, to a lesser extent, X-Forwarded-Proto) are for.
Describe alternatives you've considered
Implementing this directly on the reverse proxy, which is a PITA because eauth login is performed via the body instead of headers or HTTP Basic Authentication.
(That reminds me, HTTP Basic Auth per RFC 9110 could be implemented by using the realm space as the eauth method. But that's not what this FR is about.)
Additional context
N/A
Please Note
If this feature request would be considered a substantial change or addition, this should go through a SEP process here https://github.com/saltstack/salt-enhancement-proposals, instead of a feature request.
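The trust decision behind the requested directive, as an added example that is not part of the issue or of Salt's code: X-Forwarded-For is honored only when the TCP peer is a configured proxy, and the chain is read right to left so a client-supplied entry cannot displace the address the proxy recorded. TRUSTED_PROXIES, ALLOWED_CLIENTS and the function names are hypothetical, and all addresses are constructed.

```python
import ipaddress

# Hypothetical settings for illustration; these are not Salt configuration options.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]   # constructed proxy address
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed ACL


def in_any(addr, networks):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address an ACL should be evaluated against, or None.

    peer_ip is the TCP peer of the connection; xff_header is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A direct client can send any header it likes, so the header is only
    # honored when the connection itself comes from a trusted proxy.
    if not xff_header or not in_any(peer, trusted):
        return peer
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not a trusted proxy.
    current = peer
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: caller must deny
        if not in_any(current, trusted):
            break
    return current


def is_allowed(peer_ip, xff_header):
    """Apply the ACL to the resolved client address; deny on any doubt."""
    addr = effective_client_ip(peer_ip, xff_header)
    return addr is not None and in_any(addr, ALLOWED_CLIENTS)
```
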