Documentation for Crowd 2.8. Documentation for earlier versions of Crowd is available too.


If you are running applications behind one or more proxy servers then you may find it useful to configure Crowd to trust the proxies' addresses. When a proxy server forwards an HTTP request, Crowd will recognise the request as coming from the request's originator, not from the proxy server. This is particularly useful if you want single sign-on amongst several applications running behind different proxy servers.

Configuring a trusted proxy server means that Crowd will iterate through the client IP address and the IP addresses in the X-Forwarded-For header, from right to left, and pick the first IP address that is not a trusted proxy. That address is then used as the client's IP address.

To configure Crowd to trust a proxy server:

  1. Log in to the Crowd Administration Console.
  2. Click the 'Administration' tab in the top navigation bar.
  3. Click 'Trusted Proxy Servers' in the left-hand menu.
  4. The 'Trusted Proxy Servers' screen appears. Type the IP address or the host name of the proxy server. Possible values are:
    • A full IP address, e.g. 192.168.10.12 (IPv4) or 2001:db8:85a3:0:0:8a2e:370:7334 (IPv6).
    • An IPv4 subnet using wildcard notation, e.g. 192.168.*.*.
    • An IPv4 or IPv6 subnet, using CIDR notation, e.g. 192.168.10.1/16 (IPv4) or 2001:db8:85a3::/64 (IPv6). For more information, see the introduction to CIDR notation on Wikipedia and RFC 4632.
    • A host name, e.g. proxy.example.org. All IP addresses bound to the given host name will be trusted.
      Note: Using host names will cause DNS requests to be sent, which might affect Crowd performance.
  5. Click the 'Add' button.
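To make the right-to-left selection rule and the entry formats from step 4 concrete, here is an added Python sketch. It is not Crowd's own code (this page shows none) and assumes three things that the page does not state: only trailing IPv4 wildcards (192.168.*.*) are supported, host name entries are recorded rather than resolved so the example runs without DNS, and when every hop in the chain is trusted the leftmost address is returned. It also includes a small preflight check, `entry_matches_current_proxy`, of the kind the comments below ask for: whether an entry about to be saved actually matches the proxy the administrator's own request is arriving through.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _wildcard_to_network(entry: str) -> Optional[ipaddress.IPv4Network]:
    """Translate IPv4 wildcard notation such as 192.168.*.* into a network.

    Assumption: only trailing wildcards are supported. The page does not define
    what a pattern like 192.*.10.* should mean, so it is rejected here."""
    octets = entry.split(".")
    if len(octets) != 4 or "*" not in octets:
        return None
    first_star = octets.index("*")
    if any(o != "*" for o in octets[first_star:]):
        return None
    fixed = octets[:first_star]
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    try:
        return ipaddress.IPv4Network(f"{base}/{8 * len(fixed)}", strict=False)
    except ValueError:
        return None


class TrustedProxies:
    """The configured trusted-proxy entries, in the forms listed in step 4."""

    def __init__(self, entries: Iterable[str]) -> None:
        self.networks: List[Network] = []
        self.hostnames: List[str] = []  # recorded only; no DNS lookups offline
        for raw in entries:
            entry = raw.strip()
            if not entry:
                continue
            wildcard = _wildcard_to_network(entry)
            if wildcard is not None:
                self.networks.append(wildcard)
                continue
            try:
                # A bare address becomes a /32 or /128; strict=False accepts host
                # bits set in a CIDR entry such as the page's 192.168.10.1/16.
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.hostnames.append(entry)  # not an address: treat as a host name

    def is_trusted(self, addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            return False  # malformed header values are never a trusted hop
        return any(ip in net for net in self.networks)


def resolve_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                      trusted: TrustedProxies) -> str:
    """Walk the chain from right to left: the TCP peer first, then the
    X-Forwarded-For entries from the rightmost (appended last) towards the
    leftmost. The first address that is not a trusted proxy is the client.

    Assumption: if every hop is trusted, the leftmost entry is returned; the
    page does not say what Crowd does in that case."""
    chain: List[str] = []
    if x_forwarded_for:
        chain.extend(a.strip() for a in x_forwarded_for.split(",") if a.strip())
    chain.append(remote_addr.strip())
    for addr in reversed(chain):
        if not trusted.is_trusted(addr):
            return addr
    return chain[0]


def entry_matches_current_proxy(candidate: str, remote_addr: str) -> bool:
    """Preflight for the lockout described in the comments: does the entry about
    to be saved match the proxy the administrator's request is arriving through?
    False means the new entry would not cover that proxy."""
    return TrustedProxies([candidate]).is_trusted(remote_addr)


if __name__ == "__main__":
    trusted = TrustedProxies(["10.0.0.5", "192.168.*.*", "2001:db8:85a3::/64"])
    # Constructed sample request: arrives via trusted proxy 10.0.0.5, carrying a
    # client-controlled leftmost entry and one trusted internal hop.
    print(resolve_client_ip("10.0.0.5", "203.0.113.7, 192.168.1.20", trusted))
```

Because selection runs from the right, a client cannot promote an arbitrary address simply by sending its own X-Forwarded-For value: the left-hand entries only matter once every hop to their right is a configured trusted proxy. The same logic also shows the lockout the comments describe: if the real proxy is not in the list, the proxy's own address becomes the "client" address for every request that passes through it.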

Screenshot: Trusted Proxy Servers



RELATED TOPICS

Crowd Documentation


8 Comments

  1. We are able to set a host name in the address field, and everything seems to be OK.

    Are we missing something or is it an undocumented feature?

    1. Unfortunately host names are not yet supported. They can be added, but they will be silently ignored. We are planning on adding support for host names in the 'Trusted Proxy Servers' screen in a future Crowd release.

      If the proxy server address has been added to the application's remote addresses, and single sign-on is not used, everything else should still work. On the other hand, having a proxy server address in the application's remote addresses means that connections coming through the proxy server are allowed no matter where they originated from.

  2. where to set this in a config file?

    1. btw: Re: Configuring Trusted Proxy Servers answers it: nowhere, it is stored in database - stupidly

  3. Anonymous

    Under the Administration tab, select Trusted Proxy Servers, provide the address in the form of an IP address or host name and click the ADD button.

  4. Anonymous

    Potentially a lethal setting!

    Risk of complete lockout if, as a first entry, you set a value that doesn't match the proxy you're coming from. Crowd will immediately start using the value you enter and block further access from anything that doesn't match, making it impossible to remove the value as you are immediately thrown out of Crowd and can't log in again...

    Crowd should of course have some sort of validation of the IP and warn (even forbid?) if the entered IP doesn't match the proxy you come from. Crowd could on that settings page actually always show which proxy IP you are accessing from, as a guide for the user to know what value to enter.

    If you have accidentally locked yourself out, you can do the following (at least for Crowd 2.5.2):

    1. Get pgAdmin from http://www.pgadmin.org/ (it's a postgresql database gui viewer)
    2. Add your postgresql server (where you have the Crowd data) as a server in pgAdmin
    3. Click/expand pgAdmin's tree structure: Servers->...->Databases->Crowd_database->Schemas->public->Tables
    4. You should now see a table called "cwd_property". Right-click on that, View data->View top 100 rows.
    5. Scroll down until you see a row with "trusted.proxy.servers" and the failing IP address that you don't want.
    6. Shut down Crowd.
    7. Press "Refresh"/F5 in the pgAdmin table window to get a fresh copy of the properties table (in case Crowd happened to change anything during its shutdown).
    8. Double-click on the IP address field and set it to *.*.*.* to permit any connection (or, I've seen, to two single quotes with no space between them, '', to signify an empty string).
    9. Press Save in the pgAdmin table window to commit your change to the database.
    10. Start up Crowd again - now it should be possible to login again.
    11. Verify that your setting in the database shows in the Trusted Proxy settings, delete and enter something better...

    Been there, done that.. (sad)

    1. Thank you so much. I did exactly that and have been spending the last 3 hours trying to figure out how to fix it.

  5. It seems that if Bamboo 5.9.1 is hosted on a server with Apache mod_proxy in front of it, you __need__ to add both 127.0.0.1 and 0:0:0:0:0:0:0:1 to the Trusted Proxy Servers list in Crowd, as otherwise you will see a token mismatch error logged in Crowd's DEBUG level logs when attempting to use single sign-on to log into Bamboo.

    I only chanced upon this realisation due to a post on Drupal.org discussing the token mismatch issue in Crowd: link

    Also, be very careful about making changes to Trusted Proxy Servers, as the change is immediate and you can very well lock yourself and every other user out of all applications that use Crowd for authentication.