-rw-r--r-- | Bugzilla/Config/Advanced.pm | 18 | ||||
-rw-r--r-- | Bugzilla/DaemonControl.pm | 12 | ||||
-rw-r--r-- | Bugzilla/Install/Localconfig.pm | 7 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 2 | ||||
-rw-r--r-- | template/en/default/admin/params/advanced.html.tmpl | 9 | ||||
-rw-r--r-- | template/en/default/setup/strings.txt.pl | 5 |
6 files changed, 19 insertions, 34 deletions
diff --git a/Bugzilla/Config/Advanced.pm b/Bugzilla/Config/Advanced.pm index e2c00f910..2eec11dbe 100644 --- a/Bugzilla/Config/Advanced.pm +++ b/Bugzilla/Config/Advanced.pm @@ -18,13 +18,6 @@ our $sortkey = 1700; use constant get_param_list => ( { - name => 'inbound_proxies', - type => 't', - default => '', - checker => \&check_inbound_proxies - }, - - { name => 'proxy_url', type => 't', default => '' @@ -82,15 +75,4 @@ use constant get_param_list => ( }, ); -sub check_inbound_proxies { - my $inbound_proxies = shift; - - return "" if $inbound_proxies eq "*"; - my @proxies = split( /[\s,]+/, $inbound_proxies ); - foreach my $proxy (@proxies) { - validate_ip($proxy) || return "$proxy is not a valid IPv4 or IPv6 address"; - } - return ""; -} - 1; diff --git a/Bugzilla/DaemonControl.pm b/Bugzilla/DaemonControl.pm index 97ecb84e0..1de8350c1 100644 --- a/Bugzilla/DaemonControl.pm +++ b/Bugzilla/DaemonControl.pm @@ -10,6 +10,7 @@ use 5.10.1; use strict; use warnings; +use Bugzilla::Logging; use Bugzilla::Constants qw(bz_locations); use Cwd qw(realpath); use English qw(-no_match_vars $PROGRAM_NAME); @@ -131,16 +132,19 @@ sub run_httpd { sub run_cereal_and_httpd { my @httpd_args = @_; - my $lc = Bugzilla::Install::Localconfig::read_localconfig(); - if ( ($lc->{inbound_proxies} // '') eq '*' && $lc->{urlbase} =~ /^https/) { - push @httpd_args, '-DHTTPS'; - } push @httpd_args, '-DNETCAT_LOGS'; my $signal_f = catch_signal("TERM", 0); my $cereal_exit_f = run_cereal(); return assert_cereal()->then( sub { + my $lc = Bugzilla::Install::Localconfig::read_localconfig(); + if ( ($lc->{inbound_proxies} // '') eq '*' && $lc->{urlbase} =~ /^https/) { + push @httpd_args, '-DHTTPS'; + } + elsif (not $lc->{urlbase} =~ /^https/) { + WARN("HTTPS urlbase but inbound_proxies is not '*'"); + } my $httpd_exit_f = run_httpd(@httpd_args); return Future->wait_any($cereal_exit_f, $httpd_exit_f, $signal_f); 
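Review bot: In `run_cereal_and_httpd` (Bugzilla/DaemonControl.pm, second hunk) the new `elsif (not $lc->{urlbase} =~ /^https/)` branch tests the opposite of what its message reports. `not` binds looser than `=~`, so "HTTPS urlbase but inbound_proxies is not '*'" is logged only when urlbase is not https, and never in the case it describes. With an https urlbase and an `inbound_proxies` value other than '*', httpd is started without `-DHTTPS` and nothing is logged. The branch should read `elsif ($lc->{urlbase} =~ /^https/) {`. The body of the sub continues past the end of the hunk.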
diff --git a/Bugzilla/Install/Localconfig.pm b/Bugzilla/Install/Localconfig.pm index 646dbc1a7..ba8e8dc57 100644 --- a/Bugzilla/Install/Localconfig.pm +++ b/Bugzilla/Install/Localconfig.pm @@ -43,7 +43,7 @@ our @EXPORT_OK = qw( # might want to change this for upstream use constant ENV_PREFIX => 'BMO_'; -use constant PARAM_OVERRIDE => qw( inbound_proxies shadowdb shadowdbhost shadowdbport shadowdbsock ); +use constant PARAM_OVERRIDE => qw( shadowdb shadowdbhost shadowdbport shadowdbsock ); sub _sensible_group { return '' if ON_WINDOWS; @@ -135,7 +135,6 @@ use constant LOCALCONFIG_VARS => ( { name => 'param_override', default => { - inbound_proxies => undef, memcached_servers => undef, memcached_namespace => undef, shadowdb => undef, @@ -172,6 +171,10 @@ use constant LOCALCONFIG_VARS => ( name => 'ses_password', default => '', }, + { + name => 'inbound_proxies', + default => _migrate_param( 'inbound_proxies', '' ), + }, ); diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index c23e738e6..91f06e650 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -270,7 +270,7 @@ sub do_ssl_redirect_if_required { # Returns the real remote address of the client, sub remote_ip { my $remote_ip = $ENV{'REMOTE_ADDR'} || '127.0.0.1'; - my @proxies = split(/[\s,]+/, Bugzilla->get_param_with_override('inbound_proxies')); + my @proxies = split(/[\s,]+/, Bugzilla->localconfig->{inbound_proxies}); my @x_forwarded_for = split(/[\s,]+/, $ENV{HTTP_X_FORWARDED_FOR} // ''); return $remote_ip unless @x_forwarded_for; diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl index 75885b3f4..92c84d703 100644 --- a/template/en/default/admin/params/advanced.html.tmpl +++ b/template/en/default/admin/params/advanced.html.tmpl 
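Review bot: The new `inbound_proxies` entry in `LOCALCONFIG_VARS` (Bugzilla/Install/Localconfig.pm, third hunk) takes over a value that the removed `check_inbound_proxies` validated entry by entry with `validate_ip`, and no equivalent check is visible in this commit. Because this list decides whose `X-Forwarded-For` header is believed, a mistyped address in localconfig would presumably go unnoticed until client addresses are attributed wrongly. Consider validating the value where localconfig is read, or at least add a comment on the entry such as `# Peers whose X-Forwarded-For is trusted; '*' trusts every peer, so use it only when clients cannot reach httpd directly.` `_migrate_param` is defined outside the hunk, so whether it checks the migrated value cannot be seen here.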
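Review bot: In `remote_ip` (Bugzilla/Util.pm) the new `split` reads `Bugzilla->localconfig->{inbound_proxies}` with no default, while the DaemonControl.pm hunk of the same commit guards the same key with `// ''`. If the key is missing from an existing localconfig, for example before the file has been regenerated, `split` receives undef, warns about an uninitialized value and yields an empty proxy list. Suggest `my @proxies = split(/[\s,]+/, Bugzilla->localconfig->{inbound_proxies} // '');`. The rest of `remote_ip` lies outside the hunk.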
@@ -54,15 +54,6 @@ [% END %] [% param_descs = { - inbound_proxies => - "When inbound traffic to $terms.Bugzilla goes through a proxy," - _ " $terms.Bugzilla thinks that the IP address of every single" - _ " user is the IP address of the proxy. If you enter a comma-separated" - _ " list of IPs in this parameter, then $terms.Bugzilla will trust any" - _ " <code>X-Forwarded-For</code> header sent from those IPs," - _ " and use the value of that header as the end user's IP address." - _ " If set to a *, $terms.Bugzilla will trust the first value in the " - _ " X-Forwarded-For header.", proxy_url => "$terms.Bugzilla may have to access the web to get notifications about" diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl index ce4785b04..9de426972 100644 --- a/template/en/default/setup/strings.txt.pl +++ b/template/en/default/setup/strings.txt.pl @@ -181,6 +181,11 @@ For the "Difference Between Two Patches" feature to work, we need to know what directory the "diff" bin is in. (You only need to set this if you are using that feature of the Patch Viewer.) END + localconfig_inbound_proxies => <<'END', +This is a list of IP addresses that we expect proxies to come from. +This can be '*' if only the load balancer can connect. +Setting this to '*' means that we can trust the X-Forwarded-For header. +END localconfig_index_html => <<'END', Most web servers will allow you to use index.cgi as a directory index, and many come preconfigured that way, but if yours doesn't |