Support X-Forwarded-For and X-Real-IP in AccessControl #1665
getroot announced in Announcement
Replies: 0 comments
OvenMediaEngine often runs behind a proxy server. In this case, AdmissionWebhooks and SignedPolicy have the disadvantage of not being able to identify real users because they only check the IP of the client that actually accessed OME. Therefore, there has been a request for support for the X-Forwarded-For and X-Real-IP headers supported by Nginx for a long time.
Sorry for being so late. I finally added this feature.
In SignedPolicy, you can add real_ip to the policy as follows.

allow_ip is the IP address of the client that actually connected to OME, just like before.

If real_ip is in the policy, OME searches for and checks the values in the following order.

Therefore, to enhance security, it is best to set the IP of your proxy server in allow_ip and the IP of the client you allow in real_ip.

In AdmissionWebhooks, real_ip is added to the client object as follows.

As with the SignedPolicy policy, address is the IP address of the client that actually connected to OME. real_ip is inserted as the value of the X-REAL-IP header or the first value of the X-FORWARDED-FOR header, or the IP address of the client that actually connected.

You can enhance security by checking if the address is your proxy server and if the real_ip is the IP of a client you have allowed.

In the future, if needed, we also plan to support https://datatracker.ietf.org/doc/html/rfc7239 (I haven't found a use case yet, but if you do, please let me know.)
Any feedback is appreciated. Thanks.
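The AdmissionWebhooks check the post recommends (address is your proxy, real_ip is a client you allow), as an added example that is not part of the original post or OvenMediaEngine's own code. Only the address and real_ip fields come from the post; the function names, the require_proxy option and the address ranges are constructed assumptions.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the post.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
ALLOWED_CLIENTS = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("2001:db8:1::/48")]


def _parse(value):
    """Return an ip_address object, or None for missing or malformed input."""
    try:
        return ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None


def _in_any(ip, networks):
    # An IPv4 address tested against an IPv6 network is simply False.
    return ip is not None and any(ip in net for net in networks)


def is_client_allowed(client, require_proxy=True):
    """Decide from the webhook's client object whether to admit the connection.

    real_ip can originate from a request header, so it is believed only when
    the TCP peer (address) is one of our own proxies.
    """
    peer = _parse(client.get("address"))
    if peer is None:
        return False
    if _in_any(peer, TRUSTED_PROXIES):
        return _in_any(_parse(client.get("real_ip")), ALLOWED_CLIENTS)
    if require_proxy:
        return False
    # Direct connection: ignore real_ip and judge the peer address itself.
    return _in_any(peer, ALLOWED_CLIENTS)
```

This only holds if the proxy overwrites any X-Real-IP or X-Forwarded-For value it receives from the client rather than passing it through.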