lemonldap-ng/doc/pages/documentation/current/behindproxyminihowto.html
2019-02-12 17:32:02 +01:00

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:behindproxyminihowto</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,behindproxyminihowto"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="behindproxyminihowto.html"/>
<link rel="contents" href="behindproxyminihowto.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:behindproxyminihowto","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="running_lemonldapng_behind_a_reverse_proxy">Running LemonLDAP::NG behind a reverse proxy</h1>
<div class="level1">
<p>
Your network infrastructure might require that LemonLDAP::NG components (Portal, Manager, Handler) run behind a reverse proxy.
</p>
<p>
<img src="documentation/reverseproxy.png" class="mediacenter" alt="" />
</p>
<p>
In this case, LemonLDAP::NG components will store the IP address of the connection between the reverse proxy and the web server (that is, the proxy's own address) in the session and in logs, instead of the address of the real client. This prevents features such as session restrictions and access rules based on <code>ipAddr</code> from working as expected, and it makes log entries useless for attributing a request to a client.
</p>
<p>
A Content Delivery Network (CDN) placed in front of LemonLDAP::NG causes the same issue.
</p>
<p>
In order to make LemonLDAP::NG behave correctly behind a proxy, you need to forward the original <abbr title="Internet Protocol">IP</abbr> address all the way to LemonLDAP::NG.
</p>
<p>
In order to do this you have several options.
</p>
</div>
<!-- EDIT1 SECTION "Running LemonLDAP::NG behind a reverse proxy" [1-751] -->
<h2 class="sectionedit2" id="http_header">HTTP Header</h2>
<div class="level2">
<p>
This generic method is the most likely to work in your particular environment.
</p>
<p>
First, configure your reverse proxy (or CDN) to send the original client <abbr title="Internet Protocol">IP</abbr> address in an HTTP header. Many reverse proxies do this out of the box, others need a single setting (for example <code>proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</code> for Nginx or <code>option forwardfor</code> for HAProxy); the header is generally named <code>X-Forwarded-For</code> or <code>X-Real-<abbr title="Internet Protocol">IP</abbr></code>.
</p>
<p>
Once the header reaches LemonLDAP::NG&#039;s web server, uncomment the relevant lines in the virtual host configuration files shipped with LemonLDAP::NG, so that the web server replaces the connection address with the value carried in the header:
</p>
<ul>
<li class="level1"><div class="li"> For Nginx:</div>
</li>
</ul>
<pre class="code file nginx"> # only connections coming from this address are allowed to set the client IP
 set_real_ip_from 127.0.0.1;
 real_ip_header X-Forwarded-For;</pre>
<div class="notetip">Make sure Nginx was compiled with the <a href="http://nginx.org/en/docs/http/ngx_http_realip_module.html" class="urlextern" title="http://nginx.org/en/docs/http/ngx_http_realip_module.html" rel="nofollow">http_real_ip module</a>: <code>nginx -V</code> should list <code>--with-http_realip_module</code> among the configure arguments (distribution packages usually include it)
</div><ul>
<li class="level1"><div class="li"> For Apache:</div>
</li>
</ul>
<pre class="code file apache"> RemoteIPHeader X-Forwarded-For
 # address of the reverse proxy; the header is ignored on connections from anywhere else
 RemoteIPInternalProxy 127.0.0.1</pre>
<div class="notetip">Make sure the <a href="https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html" class="urlextern" title="https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html" rel="nofollow">mod_remoteip module</a> is enabled in your Apache installation (<code>a2enmod remoteip</code> on Debian/Ubuntu)
</div><div class="notewarning">Both modules only honour the header on connections coming from the addresses you list (<code>set_real_ip_from</code> / <code>RemoteIPInternalProxy</code>), so that list must contain your reverse proxy and nothing a client can connect from; replace <code>127.0.0.1</code> with the proxy&#039;s real address if it runs on another host. If the web server is reachable directly rather than only through the proxy, or if the trusted range is too broad, an attacker can set the <code>X-Forwarded-For</code> header themselves and impersonate any <abbr title="Internet Protocol">IP</abbr> address they want, defeating <code>ipAddr</code>-based rules. Also check that the proxy appends to or overwrites a client-supplied <code>X-Forwarded-For</code> instead of passing it through unchanged, and with Nginx enable <code>real_ip_recursive</code> only when every intermediate proxy in the chain is listed in <code>set_real_ip_from</code>. Please read the relevant module documentation carefully.
</div>
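<p>
To make the warning above concrete, the following Python model reproduces how a web server with a trusted-proxy list turns <code>X-Forwarded-For</code> into the client address (the semantics of Nginx&#039;s <code>set_real_ip_from</code> / <code>real_ip_header</code> / <code>real_ip_recursive</code>; <code>mod_remoteip</code> behaves like the recursive case). It is an added illustration, not LemonLDAP::NG or Nginx code; the function name <code>client_ip</code> and all addresses (documentation and private ranges) are constructed for the example, and the handling of malformed entries is simplified.
</p>

```python
"""Model of how a web server derives the client address from a forwarded
header when it trusts a list of proxies (nginx realip semantics:
set_real_ip_from / real_ip_header / real_ip_recursive; mod_remoteip behaves
like the recursive case). Added illustration, not LemonLDAP::NG or nginx
code; all addresses are constructed documentation/private ranges."""
import ipaddress
from typing import Iterable, Optional


def client_ip(remote_addr: str, forwarded: Optional[str],
              trusted: Iterable[str], recursive: bool = False) -> str:
    """remote_addr: TCP peer of the web server (the proxy, or a direct client).
    forwarded:   value of X-Forwarded-For as received (None if absent).
    trusted:     set_real_ip_from / RemoteIPInternalProxy entries (IPs or CIDRs).
    Returns the address the application (here LemonLDAP::NG) will see."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]

    def is_trusted(addr) -> bool:
        return any(addr in net for net in nets)

    peer = ipaddress.ip_address(remote_addr)
    # Rule 1: a header on a connection from an unlisted peer is ignored,
    # whatever it says. This is what protects ipAddr rules from spoofing.
    if not forwarded or not is_trusted(peer):
        return str(peer)
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    # Rule 2: walk the list from the right, i.e. from the entry added by the
    # proxy closest to us. Non-recursive: take that entry as is. Recursive:
    # keep skipping entries that are themselves trusted proxies.
    result = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # garbage entry: keep the last good value (simplified)
        result = addr
        if not recursive or not is_trusted(addr):
            break
    return str(result)


if __name__ == "__main__":
    proxy = ["127.0.0.1"]
    # direct connection to the web server with a forged header: ignored
    print(client_ip("198.51.100.7", "203.0.113.5", proxy))          # 198.51.100.7
    # via the proxy, which appended the real client after a forged value
    print(client_ip("127.0.0.1", "192.0.2.1, 203.0.113.5", proxy))  # 203.0.113.5
    # over-broad trust list: the forged value is now believed
    print(client_ip("198.51.100.7", "192.0.2.1", ["0.0.0.0/0"]))   # 192.0.2.1
```

<p>
The last case is the one the warning is about: listing <code>0.0.0.0/0</code> (or leaving the web server reachable from clients while trusting a range they sit in) turns the header into a free choice of <code>ipAddr</code> for the attacker.
</p>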
</div>
<!-- EDIT2 SECTION "HTTP Header" [752-2007] -->
<h2 class="sectionedit3" id="proxy_protocol">PROXY Protocol</h2>
<div class="level2">
<p>
Alternatively, if your proxy supports the PROXY protocol (Nginx, HAProxy, Amazon ELB, among others), you may use it: the proxy prepends a small preamble carrying the original source and destination addresses to each forwarded TCP connection, ahead of any TLS or HTTP bytes, so the information is carried over almost transparently and without modifying the HTTP request.
</p>
<p>
Refer to your reverse proxy&#039;s documentation to find out how to enable the PROXY protocol on the reverse proxy side.
</p>
<p>
Then, on the LemonLDAP::NG side, in the NGINX configuration of your Portal/Manager/Handler, enable the protocol on the listener. A listener with <code>proxy_protocol</code> only accepts connections that begin with a PROXY preamble, and anyone who can connect to that port directly can send a forged preamble, so restrict access to the port to the proxy itself (firewall or private network). For Nginx to expose the carried address as <code>$remote_addr</code>, which is what LemonLDAP::NG reads, you also need <code>set_real_ip_from</code> with the proxy&#039;s address and <code>real_ip_header proxy_protocol;</code>:
</p>
<pre class="code file nginx"> # trust the preamble only from the proxy, and use it as $remote_addr
 set_real_ip_from 127.0.0.1;
 real_ip_header proxy_protocol;
 listen 80 proxy_protocol;
 # or
 # listen 443 ssl proxy_protocol;</pre>
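<p>
What actually travels on the wire is easy to see with a small encoder/decoder for the text (v1) form of the PROXY protocol, followed by the same trust rule Nginx applies with <code>set_real_ip_from</code> and <code>real_ip_header proxy_protocol</code>. This is an added illustration, not LemonLDAP::NG, Nginx or HAProxy code; the function names, the hypothetical <code>client_address</code> helper and all addresses are constructed for the example.
</p>

```python
"""PROXY protocol v1 (the text form used by HAProxy, nginx and ELB) as seen
by a backend with `listen ... proxy_protocol`: the proxy prepends one ASCII
line to the TCP stream, before any TLS or HTTP bytes. Added illustration,
not LemonLDAP::NG, nginx or HAProxy code; client_address() mirrors the
nginx rule set_real_ip_from + real_ip_header proxy_protocol. All addresses
are constructed."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

MAX_V1_LINE = 107  # spec limit for a v1 header, CRLF included


def build_proxy_v1(src: str, dst: str, sport: int, dport: int) -> bytes:
    """What the proxy sends first on each connection it forwards."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address family mismatch")
    fam = "TCP4" if s.version == 4 else "TCP6"
    return f"PROXY {fam} {s} {d} {sport} {dport}\r\n".encode("ascii")


def parse_proxy_v1(data: bytes) -> Tuple[Optional[Dict[str, object]], bytes]:
    """Split the stream into (header, remaining bytes). header is None for
    'PROXY UNKNOWN' (receiver must fall back to the socket peer address).
    Raises ValueError if the stream does not start with a valid preamble."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end < 0 or not data.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"src": str(src), "dst": str(dst), "sport": sport, "dport": dport}, rest


def is_proxy_v1(data: bytes) -> bool:
    """True if the stream starts with a well-formed v1 preamble."""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def client_address(peer: str, data: bytes, trusted: Iterable[str]) -> str:
    """Address the application sees: the preamble's source, but only when the
    TCP peer is a listed proxy. A forged preamble sent by a client that can
    reach the backend port directly is discarded."""
    header, _rest = parse_proxy_v1(data)
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    p = ipaddress.ip_address(peer)
    if header is None or not any(p in n for n in nets):
        return str(p)
    return str(header["src"])


if __name__ == "__main__":
    # constructed exchange: proxy 10.0.0.2 forwards client 203.0.113.5
    stream = build_proxy_v1("203.0.113.5", "10.0.0.1", 51234, 443) + b"GET / HTTP/1.1\r\n"
    print(stream)                                             # preamble + untouched request
    print(client_address("10.0.0.2", stream, ["10.0.0.2"]))      # 203.0.113.5
    print(client_address("198.51.100.7", stream, ["10.0.0.2"]))  # 198.51.100.7 (forged, ignored)
```

<p>
The request bytes after the preamble are exactly what the client sent, which is why this method does not depend on any HTTP header; the only thing to protect is who can open a connection to the <code>proxy_protocol</code> listener.
</p>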
</div>
<!-- EDIT3 SECTION "PROXY Protocol" [2008-] --></div>
</body>
</html>