Configuring Deskpro
To make Deskpro work with proxy servers you must specify the IP addresses of your proxy servers so Deskpro knows that the request is being passed through a proxy.
Edit config/advanced/config.env.php and edit the trust_proxy_data value. You must specify an array containing IP addresses which are trusted as proxies.
You can specify simple IP addresess, or IP addresses in CIDR notation, or you can also specify the path to an external PHP file that returns an array of IP addresses.
When any HTTP request comes in to Deskpro, the system will run these rules against the requester IP address. If one matches, then the "trust_proxy_data" mode is enabled. Otherwise, Deskpro will treat it like a normal web request. This whitelisting is necessary to make sure a malicious user doesn't send custom HTTP headers to try and trick the software.
Trusting ALL hosts
If your back-end web servers are private (not accessible from the general outside internet), then you might want to trust proxy headers from any host. This means you would not need to keep a list of proxy IP addresses updated as you add or remove servers.
You can use the value 0.0.0.0/0 to whitelist ALL hosts (this is CIDR notation which covers the entire IPv4 address space).
Configuring your proxy server
For Deskpro to function properly, your proxy server must be sending proper headers with each request:
- X-Forwarded-For: The IP address of the user
- X-Forwarded-Host: The real hostname the user requested
- X-Forwarded-Port: The real port the user requested (usually 80 or 443 for SSL)
- X-Forwarded-Proto: The protocol (http or https) the user request.
When a request comes in and Deskpro detects it is a proxy server (based on your list of IPs in trust_proxy_data described above), Deskpro will use the values in these headers as the request parameters. For example, if the system wants to log the IP address of a user, it will know that the real IP address is the value held in X-Forwarded-For instead of the IP address of your proxy server.
Add a comment
Please log in or register to submit a comment.