authorVishvananda Ishaya <vishvananda@gmail.com>2010-12-22 23:59:14 +0000
committerTarmac <>2010-12-22 23:59:14 +0000
commita49bca309734415cc8fb0d2701c306d02388a0f9 (patch)
tree702826cbd45a22599b3bacbbb7371146b25caa5b /nova/api
parent5f3f5acbddd66dfb3e8203724ed0ff9d0be3d5ae (diff)
parent440978ce046a73acede887117e9812f1a6a026fa (diff)
Adds a flag to use the X-Forwarded-For header to find the ip of the remote server. This is needed when you have multiple api servers with a load balancing proxy in front. It is a flag that defaults to False because if you don't have a sanitizing proxy in front, users could masquerade as other ips by passing in the header manually.
Diffstat (limited to 'nova/api')
-rw-r--r--nova/api/ec2/__init__.py8
-rw-r--r--nova/api/ec2/metadatarequesthandler.py11
2 files changed, 16 insertions, 3 deletions
diff --git a/nova/api/ec2/__init__.py b/nova/api/ec2/__init__.py
index d1e2596c3..51d33bcc6 100644
--- a/nova/api/ec2/__init__.py
+++ b/nova/api/ec2/__init__.py
@@ -37,6 +37,9 @@ from nova.auth import manager
FLAGS = flags.FLAGS
+flags.DEFINE_boolean('use_forwarded_for', False,
+ 'Treat X-Forwarded-For as the canonical remote address. '
+ 'Only enable this if you have a sanitizing proxy.')
flags.DEFINE_boolean('use_lockout', False,
'Whether or not to use lockout middleware.')
flags.DEFINE_integer('lockout_attempts', 5,
@@ -144,9 +147,12 @@ class Authenticate(wsgi.Middleware):
raise webob.exc.HTTPForbidden()
# Authenticated!
+ remote_address = req.remote_addr
+ if FLAGS.use_forwarded_for:
+ remote_address = req.headers.get('X-Forwarded-For', remote_address)
ctxt = context.RequestContext(user=user,
project=project,
- remote_address=req.remote_addr)
+ remote_address=remote_address)
req.environ['ec2.context'] = ctxt
return self.application
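Review bot: The X-Forwarded-For value is stored verbatim as `remote_address`, but that header is commonly a comma-separated list (`client, proxy1, proxy2`), so the request context can end up holding a list rather than one address; the `__call__` hunk in metadatarequesthandler.py has the same issue. Which entry can be trusted depends on whether the proxy overwrites the header or appends to it, and with an appending proxy everything to the left of its own entry is client-supplied. For a single trusted proxy, taking the entry that proxy wrote is the safer reading, e.g. `remote_address = req.headers.get('X-Forwarded-For', remote_address).split(',')[-1].strip()`. The help text of `use_forwarded_for` could also say what "sanitizing" means here: the proxy must overwrite or append to any client-sent X-Forwarded-For. The enclosing method of `Authenticate` starts outside the hunk.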
diff --git a/nova/api/ec2/metadatarequesthandler.py b/nova/api/ec2/metadatarequesthandler.py
index 0e9e686ff..f832863a9 100644
--- a/nova/api/ec2/metadatarequesthandler.py
+++ b/nova/api/ec2/metadatarequesthandler.py
@@ -23,9 +23,13 @@ import logging
import webob.dec
import webob.exc
+from nova import flags
from nova.api.ec2 import cloud
+FLAGS = flags.FLAGS
+
+
class MetadataRequestHandler(object):
"""Serve metadata from the EC2 API."""
@@ -63,10 +67,13 @@ class MetadataRequestHandler(object):
@webob.dec.wsgify
def __call__(self, req):
cc = cloud.CloudController()
- meta_data = cc.get_metadata(req.remote_addr)
+ remote_address = req.remote_addr
+ if FLAGS.use_forwarded_for:
+ remote_address = req.headers.get('X-Forwarded-For', remote_address)
+ meta_data = cc.get_metadata(remote_address)
if meta_data is None:
logging.error(_('Failed to get metadata for ip: %s') %
- req.remote_addr)
+ remote_address)
raise webob.exc.HTTPNotFound()
data = self.lookup(req.path_info, meta_data)
if data is None:
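Review bot: With the flag on, `cc.get_metadata(remote_address)` chooses whose metadata to return from a request header alone, and the error log then records only that header-derived value. Any route to this handler that does not pass through the sanitizing proxy would let the caller pick the address being looked up, so deployments enabling `use_forwarded_for` need the metadata handler to be unreachable except via that proxy (the topology is not visible in this diff, so this is a point to confirm). Logging the socket peer alongside the header value would keep such requests traceable, e.g. `logging.error(_('Failed to get metadata for ip: %s (peer %s)') % (remote_address, req.remote_addr))`. `__call__` continues past the end of the hunk.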