our $sortkey = 1700;
use constant get_param_list => (
- {
- name => 'inbound_proxies',
- type => 't',
- default => '',
- checker => \&check_inbound_proxies
- },
-
{
name => 'proxy_url',
type => 't',
},
);
-sub check_inbound_proxies {
- my $inbound_proxies = shift;
-
- return "" if $inbound_proxies eq "*";
- my @proxies = split( /[\s,]+/, $inbound_proxies );
- foreach my $proxy (@proxies) {
- validate_ip($proxy) || return "$proxy is not a valid IPv4 or IPv6 address";
- }
- return "";
-}
-
1;
use strict;
use warnings;
+use Bugzilla::Logging;
use Bugzilla::Constants qw(bz_locations);
use Cwd qw(realpath);
use English qw(-no_match_vars $PROGRAM_NAME);
sub run_cereal_and_httpd {
my @httpd_args = @_;
- my $lc = Bugzilla::Install::Localconfig::read_localconfig();
- if ( ($lc->{inbound_proxies} // '') eq '*' && $lc->{urlbase} =~ /^https/) {
- push @httpd_args, '-DHTTPS';
- }
push @httpd_args, '-DNETCAT_LOGS';
my $signal_f = catch_signal("TERM", 0);
my $cereal_exit_f = run_cereal();
return assert_cereal()->then(
sub {
+ my $lc = Bugzilla::Install::Localconfig::read_localconfig();
+ if ( ($lc->{inbound_proxies} // '') eq '*' && $lc->{urlbase} =~ /^https/) {
+ push @httpd_args, '-DHTTPS';
+ }
+ elsif (not $lc->{urlbase} =~ /^https/) {
+ WARN("HTTPS urlbase but inbound_proxies is not '*'");
+ }
my $httpd_exit_f = run_httpd(@httpd_args);
return Future->wait_any($cereal_exit_f, $httpd_exit_f, $signal_f);
# might want to change this for upstream
use constant ENV_PREFIX => 'BMO_';
-use constant PARAM_OVERRIDE => qw( inbound_proxies shadowdb shadowdbhost shadowdbport shadowdbsock );
+use constant PARAM_OVERRIDE => qw( shadowdb shadowdbhost shadowdbport shadowdbsock );
sub _sensible_group {
return '' if ON_WINDOWS;
{
name => 'param_override',
default => {
- inbound_proxies => undef,
memcached_servers => undef,
memcached_namespace => undef,
shadowdb => undef,
name => 'ses_password',
default => '',
},
+ {
+ name => 'inbound_proxies',
+ default => _migrate_param( 'inbound_proxies', '' ),
+ },
);
# Returns the real remote address of the client,
sub remote_ip {
my $remote_ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1';
- my @proxies = split(/[\s,]+/, Bugzilla->get_param_with_override('inbound_proxies'));
+ my @proxies = split(/[\s,]+/, Bugzilla->localconfig->{inbound_proxies});
my @x_forwarded_for = split(/[\s,]+/, $ENV{HTTP_X_FORWARDED_FOR} // '');
return $remote_ip unless @x_forwarded_for;
[% END %]
[% param_descs = {
- inbound_proxies =>
- "When inbound traffic to $terms.Bugzilla goes through a proxy,"
- _ " $terms.Bugzilla thinks that the IP address of every single"
- _ " user is the IP address of the proxy. If you enter a comma-separated"
- _ " list of IPs in this parameter, then $terms.Bugzilla will trust any"
- _ " <code>X-Forwarded-For</code> header sent from those IPs,"
- _ " and use the value of that header as the end user's IP address."
- _ " If set to a *, $terms.Bugzilla will trust the first value in the "
- _ " X-Forwarded-For header.",
proxy_url =>
"$terms.Bugzilla may have to access the web to get notifications about"
For the "Difference Between Two Patches" feature to work, we need to know
what directory the "diff" bin is in. (You only need to set this if you
are using that feature of the Patch Viewer.)
+END
+ localconfig_inbound_proxies => <<'END',
+This is a list of IP addresses that we expect proxies to come from.
+This can be '*' if only the load balancer can connect.
+Setting this to '*' means that we can trust the X-Forwarded-For header.
END
localconfig_index_html => <<'END',
Most web servers will allow you to use index.cgi as a directory
projects / thirdparty / bugzilla.git / commitdiff
