Adds a flag to use the X-Forwarded-For header to find the ip of the remote server. This is needed when you have multiple api servers with a load balancing proxy in front. It is a flag that defaults to False because if you don't have a sanitizing proxy in front, users could masquerade as other ips by passing in the header manually.

2010-12-22 23:59:14 +00:00
parent 5f3f5acbdd 440978ce04
commit a49bca3097
2 changed files with 16 additions and 3 deletions
--- a/nova/api/ec2/init.py
+++ b/nova/api/ec2/init.py
@@ -37,6 +37,9 @@ from nova.auth import manager


 FLAGS = flags.FLAGS
+flags.DEFINE_boolean('use_forwarded_for', False,
+                     'Treat X-Forwarded-For as the canonical remote address. '
+                     'Only enable this if you have a sanitizing proxy.')
 flags.DEFINE_boolean('use_lockout', False,
                     'Whether or not to use lockout middleware.')
 flags.DEFINE_integer('lockout_attempts', 5,
@@ -144,9 +147,12 @@ class Authenticate(wsgi.Middleware):
            raise webob.exc.HTTPForbidden()

        # Authenticated!
+        remote_address = req.remote_addr
+        if FLAGS.use_forwarded_for:
+            remote_address = req.headers.get('X-Forwarded-For', remote_address)
        ctxt = context.RequestContext(user=user,
                                      project=project,
-                                      remote_address=req.remote_addr)
+                                      remote_address=remote_address)
        req.environ['ec2.context'] = ctxt
        return self.application

--- a/nova/api/ec2/metadatarequesthandler.py
+++ b/nova/api/ec2/metadatarequesthandler.py
@@ -23,9 +23,13 @@ import logging
 import webob.dec
 import webob.exc

+from nova import flags
 from nova.api.ec2 import cloud


+FLAGS = flags.FLAGS
+
+
 class MetadataRequestHandler(object):
    """Serve metadata from the EC2 API."""

@@ -63,10 +67,13 @@ class MetadataRequestHandler(object):
    @webob.dec.wsgify
    def __call__(self, req):
        cc = cloud.CloudController()
-        meta_data = cc.get_metadata(req.remote_addr)
+        remote_address = req.remote_addr
+        if FLAGS.use_forwarded_for:
+            remote_address = req.headers.get('X-Forwarded-For', remote_address)
+        meta_data = cc.get_metadata(remote_address)
        if meta_data is None:
            logging.error(_('Failed to get metadata for ip: %s') %
-                          req.remote_addr)
+                          remote_address)
            raise webob.exc.HTTPNotFound()
        data = self.lookup(req.path_info, meta_data)
        if data is None: