If you are running applications behind one or more proxy servers, you may find it useful to configure Crowd to trust the proxies' addresses. When a trusted proxy server forwards an HTTP request, Crowd will recognise the request as coming from the request's originator, not from the proxy server. This is particularly useful if you want single sign-on amongst several applications running behind different proxy servers.

Configuring a trusted proxy server means that Crowd will iterate through the client IP address and the IP addresses in the X-Forwarded-For header, from right to left, and pick the first IP address that is not a trusted proxy. That address is then used as the client's IP address.

To configure Crowd to trust a proxy server:

  1. Log in to the Crowd Administration Console.
  2. Click the 'Administration' tab in the top navigation bar.
  3. Click 'Trusted Proxy Servers' in the left-hand menu.
  4. The 'Trusted Proxy Servers' screen appears. Type the IP address or the host name of the proxy server. Possible values are:
    • A full IP address, e.g. (IPv4) or 2001:db8:85a3:0:0:8a2e:370:7334 (IPv6).
    • An IPv4 subnet using wildcard notation, e.g. 192.168.*.*.
    • An IPv4 or IPv6 subnet, using CIDR notation, e.g. (IPv4) or 2001:db8:85a3::/64 (IPv6). For more information, see the introduction to CIDR notation on Wikipedia and RFC 4632.
    • A host name, e.g. proxy.example.org. All IP addresses bound to the given host name will be trusted.
      Note: Using host names will cause DNS requests to be sent, which might affect Crowd performance.
  5. Click the 'Add' button.
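
The right-to-left selection described above, combined with the full-IP, wildcard and CIDR entry formats from step 4, as an added example that is not Crowd's own code. The function names, the sample addresses, and the handling of malformed entries and all-trusted chains are assumptions; host-name entries are left out because they require DNS.

```python
import ipaddress

def parse_trusted(entry):
    """Convert one trusted-proxy entry (full IP, IPv4 wildcard or CIDR) to a network."""
    if "*" in entry:
        # IPv4 wildcard notation, e.g. 192.168.*.*: the trailing '*' octets are host bits.
        octets = entry.split(".")
        fixed = [o for o in octets if o != "*"]
        if len(octets) != 4 or octets[:len(fixed)] != fixed:
            raise ValueError(f"unsupported wildcard entry: {entry}")
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")
    return ipaddress.ip_network(entry, strict=False)  # full IP becomes /32 or /128

def is_trusted(addr, trusted_nets):
    return any(addr.version == net.version and addr in net for net in trusted_nets)

def resolve_client_ip(remote_addr, x_forwarded_for, trusted_entries):
    """Walk the connecting address, then X-Forwarded-For right to left, and
    return the first address that is not a trusted proxy."""
    trusted = [parse_trusted(e) for e in trusted_entries]
    header_hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    candidate = remote_addr
    for hop in [remote_addr] + header_hops[::-1]:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # assumption: a malformed entry ends the walk
        candidate = str(addr)
        if not is_trusted(addr, trusted):
            break
    # Assumption: if every hop is trusted, the left-most entry is returned.
    return candidate

# Constructed sample configuration and requests (documentation address ranges).
TRUSTED = ["192.168.*.*", "10.0.0.5", "2001:db8:85a3::/64"]

if __name__ == "__main__":
    # Two trusted proxies in the chain: the originator is found behind both.
    print(resolve_client_ip("192.168.1.10", "203.0.113.7, 10.0.0.5", TRUSTED))
    # An entry the client supplied on the left is never reached.
    print(resolve_client_ip("192.168.1.10", "198.51.100.99, 203.0.113.7", TRUSTED))
    # Direct connection from an untrusted address: the header is ignored.
    print(resolve_client_ip("198.51.100.9", "10.0.0.5", TRUSTED))
```

The second and third cases show why the trusted list should contain only proxies you control: any address or range on the list is skipped during the walk, so an over-broad entry lets a header value stand in for the real client address.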

Screenshot: Trusted Proxy Servers

