
Configuring CF10 to use X-forwarded-for instead of remote_addr

New Here, Jan 21, 2014

I am using an AWS instance behind a load balancer with NAT. It has its advantages, but one of its disadvantages is the remote_addr coming through is the remote_addr of the ELB.

http://leaguemanager.playerspace.com/test.cfm

What I'm trying to do is trick or configure the CF10 Administrator > Debugging and Logging > Enabled Request Debugging Output to use the x-forwarded-for as opposed to the remote_addr so I can use server debugging without that information being made visible to the public.

Is this possible by, say, modifying a file somewhere, to have the IP addresses set in Debugging and Logging > Debugging IP Addresses to be matched with the true client's personal IP (x-forwarded-for)?

JS


New Here, Jan 21, 2014

Never mind, I figured it out.

c:\coldfusion10\cfusion\runtime\conf\server.xml

Added

  • <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
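
The trust decision behind the RemoteIpValve line above, sketched in Python as an added example (not code from this thread, Tomcat or ColdFusion): the header is honoured only when the connection itself comes from an internal proxy, and its entries are read right to left. The CIDR list, function names and sample addresses are assumptions for illustration, and the valve's separate trustedProxies list is not modelled.

```python
import ipaddress

# Assumed stand-in for the valve's internalProxies setting (the valve takes a
# regular expression; CIDR blocks are used here for readability).
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
DEBUG_ALLOW_LIST = {"203.0.113.10"}  # constructed developer address


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # malformed header entries are never trusted hops
    return any(ip in net for net in INTERNAL_PROXIES)


def naive_leftmost(xff_header):
    """What an allow list sees if it trusts the first header entry blindly."""
    return xff_header.split(",")[0].strip()


def resolve_client_ip(peer_addr, xff_header):
    """Address an IP allow list should be matched against."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # The header counts only when the TCP peer is itself an internal proxy.
    if not hops or not is_internal(peer_addr):
        return peer_addr
    # Right to left: skip internal proxies, stop at the first other address.
    for hop in reversed(hops):
        if not is_internal(hop):
            return hop
    return hops[0]  # every hop was internal


def debug_allowed(peer_addr, xff_header):
    return resolve_client_ip(peer_addr, xff_header) in DEBUG_ALLOW_LIST


# Constructed requests: (TCP peer, X-Forwarded-For as received, description)
SAMPLES = [
    ("10.0.1.25", "203.0.113.10", "developer via load balancer"),
    ("10.0.1.25", "203.0.113.10, 198.51.100.7", "client-supplied entry, real address appended"),
    ("198.51.100.7", "203.0.113.10", "direct connection that bypasses the load balancer"),
]

if __name__ == "__main__":
    for peer, xff, note in SAMPLES:
        print(f"{note}: naive={naive_leftmost(xff)} resolved={resolve_client_ip(peer, xff)} "
              f"debug={debug_allowed(peer, xff)}")
```

If the instance accepts connections from internal-range addresses other than the load balancer, their headers are trusted too; limiting inbound traffic to the load balancer closes that path.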

Community Beginner, Apr 10, 2018

We want to take this a step further...  We'd like to use OneLogin for credentialing and only make CFDebug output shown to people who are logged in with the right credentials.  Do you know if there is a way to instead of looking at IP addresses to examine the role of the logged in person?

LEGEND, Apr 10, 2018

That should be easily done.  Are the people logged on with name/password?  Or is there a smart card (like a CAC) involved?

I'm Googling OneLogin, now. 

What version of CF are you running?  Apache, or IIS?

V/r,

^ _ ^

Community Beginner, Apr 10, 2018

Right now we are on IIS CF10, working on moving to Docker containers.  Users login with Username/password.

LEGEND, Apr 10, 2018

I would reach out to OneLogin support and find out how they present authorization after the login (I'm not finding it on their site.)  I know nothing of third-party IDaaS methods, nor Dockers.  I'm just a CF guy (been coding CF since late 2000.)  But where I work, we use CACs to log on to the network, and CF + Apache can access the certs, giving us the ability to control who has access to what in our sites and apps.  I'm sure OneLogin can do the same.  You can either hard-code the authorized IDs into the application.cfc, or set up a database for the authorized IDs, and go from there.

V/r,

^ _ ^

Community Beginner, Apr 10, 2018

Thanks. My question was less about how to figure out if our developers are logged in with a developer role; we can already do that. It's more about figuring out how to only output debug info if developers are logged in. We'd like to avoid turning on debug for everyone and then trying to programmatically turn it off for everyone who's not a developer; hackers can probably find a way around that by going directly to a cfinclude page or something that might not have debug excluded. What I'd love to find is a cftag that can output the same cfdebug info but only when we choose, so I can check if a developer is logged in and the server is Development or Stage and then output debug info. Can't find a way to do that yet...

LEGEND, Apr 10, 2018

<!--- {user is developer} is a placeholder: substitute the application's own role check --->
<cfswitch expression="{user is developer}">
     <cfcase value="yes">
          <cfsetting showdebugoutput="yes" />
     </cfcase>
     <cfdefaultcase>
          <cfsetting showdebugoutput="no" />
     </cfdefaultcase>
</cfswitch>

HTH,

^ _ ^
