This documentation relates to Crowd 2.4.
If you are using an earlier version, please view the previous versions of the Crowd documentation and select the relevant version.

If you are running applications behind one or more proxy servers, you may find it useful to configure Crowd to trust the proxies' addresses. When a trusted proxy server forwards an HTTP request, Crowd will recognise the request as coming from the request's originator, not from the proxy server. This is particularly useful if you want single sign-on amongst several applications running behind different proxy servers.

Configuring a trusted proxy server means that Crowd will iterate through the client IP address and the IP addresses in the X-Forwarded-For header, from right to left, and pick the first IP address that is not a trusted proxy. That address is then used as the client's IP address.

To configure Crowd to trust a proxy server:

  1. Log in to the Crowd Administration Console.
  2. Click the 'Administration' tab in the top navigation bar.
  3. Click 'Trusted Proxy Servers' in the left-hand menu.
  4. The 'Trusted Proxy Servers' screen appears. Type the IP address or the host name of the proxy server. Possible values are:
    • A full IP address, e.g. 192.168.10.12 (IPv4) or 2001:db8:85a3:0:0:8a2e:370:7334 (IPv6).
    • An IPv4 subnet using wildcard notation, e.g. 192.168.*.*.
    • An IPv4 or IPv6 subnet, using CIDR notation, e.g. 192.168.10.1/16 (IPv4) or 2001:db8:85a3::/64 (IPv6). For more information, see the introduction to CIDR notation on Wikipedia and RFC 4632.
    • A host name, e.g. proxy.example.org. All IP addresses bound to the given host name will be trusted.
      Note: Using host names will cause DNS requests to be sent, which might affect Crowd performance.
  5. Click the 'Add' button.
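
The right-to-left resolution described above, combined with the full-address, wildcard and CIDR entry forms from step 4, as an added example (this is not Crowd's own code). The function names, the handling of malformed header entries and the all-hops-trusted fallback are assumptions; host-name entries are left out.

```python
import ipaddress

def parse_trusted(entry):
    """Parse one trusted-proxy entry: full address, IPv4 wildcard or CIDR."""
    if "*" in entry:
        octets = entry.split(".")
        fixed = 0
        while fixed < len(octets) and octets[fixed] != "*":
            fixed += 1
        # Assumption: wildcards are only allowed as trailing IPv4 octets.
        if len(octets) != 4 or any(o != "*" for o in octets[fixed:]):
            raise ValueError(f"unsupported wildcard entry: {entry!r}")
        entry = ".".join(octets[:fixed] + ["0"] * (4 - fixed)) + f"/{8 * fixed}"
    # strict=False accepts host bits in the prefix, e.g. 192.168.10.1/16.
    return ipaddress.ip_network(entry, strict=False)

def is_trusted(addr, networks):
    return any(addr.version == net.version and addr in net for net in networks)

def resolve_client_ip(peer_ip, xff_header, trusted_entries):
    """Walk peer address + X-Forwarded-For right to left and return the
    first address that is not a trusted proxy."""
    networks = [parse_trusted(e) for e in trusted_entries]
    chain = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    chain.append(peer_ip)  # the TCP peer is the rightmost hop
    previous = peer_ip
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Assumption: a malformed entry ends the walk; keep the hop
            # that reported it rather than trusting anything further left.
            return previous
        if not is_trusted(addr, networks):
            return str(addr)
        previous = str(addr)
    return previous  # assumption: every hop trusted, use the leftmost one

if __name__ == "__main__":
    # Constructed request: the client forged "10.0.0.1"; the proxy at
    # 192.168.10.12 appended the address it actually saw (203.0.113.7).
    header = "10.0.0.1, 203.0.113.7"
    print(resolve_client_ip("192.168.10.12", header, ["192.168.*.*"]))
    print(resolve_client_ip("192.168.10.12", header, []))
```

Because the walk starts at the right, the forged 10.0.0.1 is never reached while only the real proxy is trusted. Trusting a range wider than the proxies themselves moves the stopping point left, onto values the client supplied.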

Screenshot: Trusted Proxy Servers



RELATED TOPICS

Crowd Documentation

  1. Nov 02, 2010

    We are able to set a host name in the address field, and everything seems to be ok.

    Are we missing something or is it an undocumented feature?

    1. Apr 19, 2011

      Unfortunately host names are not yet supported. They can be added, but they will be silently ignored. We are planning on adding support for host names in 'Trusted Proxy Servers' screen in a future Crowd release.

      If the proxy server address has been added to the application's remote addresses, and single sign-on is not used, everything else should still work. On the other hand, having a proxy server address in the application's remote addresses means that connections coming through the proxy server are allowed no matter where they originated from.

  2. Feb 04, 2011

    Where to set this in a config file?

  3. Dec 14, 2011

    Anonymous

    Under the Administration tab, select Trusted Proxy Servers, provide the address in the form of an IP address or host name, and click the ADD button.