|
||||||||
|
This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira |
||||||||
------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
_______________________________________________ Dspace-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dspace-devel
[20:02] <tdonohue> kicking off today with #297 / DS-1654 : https://github.com/DSpace/DSpace/pull/297
[20:02] <kompewter> [ DS-1654 by jpiscanc · Pull Request #297 · DSpace/DSpace · GitHub ] - https://github.com/DSpace/DSpace/pull/297
[20:02] <kompewter> [ https://jira.duraspace.org/browse/DS-1654 ] - [#DS-1654] IP-Based authentication fails if load-balancer/proxy - DuraSpace JIRA
[20:03] * StuartLewis (~[email protected]) has joined #duraspace
[20:04] * hpottinger cheers for the Edinburgh crew
[20:04] <bollini> look good, not sure about security implications
[20:05] * l_a_p (~[email protected]) has joined #duraspace
[20:05] <bollini> we should suggest a more standard name for the configuration parameter (English folks please help)
[20:05] * vtkeithg (~[email protected]) has joined #duraspace
[20:06] <hpottinger> perhaps "proxy" is a more generic term?
[20:06] <helix84> wait, we already have such config property
[20:07] * StuartLewis (~[email protected]) Quit (Client Quit)
[20:07] <tdonohue> proxy does seem like a better term here
[20:07] <bollini> mmm, I think that here we have done some wrong
[20:08] <bollini> proxy was introduced to allow dspace to see the external world
[20:08] * aschweer (~[email protected]) has joined #duraspace
[20:08] <bollini> here we are talking about a load-balancer so dspace see user as coming from a single ip
[20:09] <helix84> it slipped my mind what it's called
[20:09] <bollini> there are case where dspace need a proxy but is not behind a load-balancer and viceversa
[20:10] <aschweer> we have xmlui.controlpanel.activity.ipheader = X-Forward-For which is triggered by useProxies = true
[20:10] <helix84> useProxies
[20:10] <helix84> yes :)
[20:12] <tdonohue> I admit this is an area of DSpace I'm not as familiar with..mostly cause I've never set it up to use proxies. But, is there someone here who would like to add comments on PR #297 and help it get in? The idea seems good, i just don't know what to suggest myself
[20:12] <helix84> # If enabled, the logging and the solr statistics system will look for
[20:12] <helix84> # an X-Forward header. If it finds it, it will use this for the user IP address
[20:12] <helix84> #useProxies = true
[20:14] <helix84> bollini: what you call load balancer can be also called a reverse proxy and it can pass X-Forwarded-For headers, too. E.g. Squid can.
[20:14] <bollini> helix84: yes
[20:15] <bollini> probably we only need to clarify better the documentation
[20:15] <helix84> bollini: so, is there anything that concerns you?
[20:15] <bollini> check this old version, not able to find in the current documentation http://www.dspace.org/1_6_0Documentation/ch05.html#N12E28
[20:15] <kompewter> [ Chapter 5. DSpace System Documentation: Configuration ] - http://www.dspace.org/1_6_0Documentation/ch05.html#N12E28
[20:16] <aschweer> But according to the commit message, DSpace currently assumes that X-Forwarded-For is a comma-separated list while it appears to be passed in as an Enumeration instead. That sounds like a bug to me, not lack in documentation.
[20:17] <helix84> bollini: http.proxy.host is used in case when DSpace is behind a regular (not reverse) proxy
[20:17] <bollini> I was confused about the useProxy settings I had guest that it come from http.proxy.host I had missed that we have a different parameter for that... so sorry for the confusion
[20:17] <tdonohue> this ticket/PR sounds like it needs more eyes in general. I'm wondering if we should table it so that a few folks can look at it "offline" and report back? Anyone willing to take a closer look?
[20:18] <helix84> aschweer: good catch, could you please create a Jira issue so that we don't forget about it?
[20:19] <aschweer> helix84: I thought https://jira.duraspace.org/browse/DS-1654 already says so :)
[20:19] <kompewter> [ [#DS-1654] IP-Based authentication fails if load-balancer/proxy - DuraSpace JIRA ] - https://jira.duraspace.org/browse/DS-1654
[20:19] <kompewter> [ https://jira.duraspace.org/browse/DS-1654 ] - [#DS-1654] IP-Based authentication fails if load-balancer/proxy - DuraSpace JIRA
[20:19] <aschweer> I'm happy to have a look at this. we're not using load balancing but I can spin up a squid if necessary
[20:19] <tdonohue> As we are already nearly 20 mins into the meeting, I'm gonna suggest we move along here (rather then spend too much more time on this one PR)
[20:20] <helix84> aschweer: Right, sorry. I didn't see the forest for the trees.
[20:20] <aschweer> helix84: all good :)
[20:20] <tdonohue> And I'm also gonna move us along to the main part of the agenda (since I'm assuming that's what most folks are here for -- lots of attendees this week!)
[20:20] <aschweer> I've assigned the Jira issue & PR to me