Proxies & Password Pusher
When hosting Password Pusher with a proxy, you can take advantage of the proxy’s features to enhance security, scalability, and performance. A proxy is often used to act as an SSL termination endpoint as well.
Required Proxy Headers
An occasional issue when running Password Pusher behind a proxy is that the generated secret URLs are incorrect. They often contain the backend URL and port instead of the public fully qualified URL, use HTTP instead of HTTPS, or all of the above.
To resolve this, make sure your proxy properly forwards the X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Proto headers.
The values in these headers describe the front-end request as the proxy received it. When these headers are sent, Password Pusher can build the correct URLs.
Nginx Example
As an example, for nginx, the addition could be:
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
Proxy Headers: Alternative Option
If you are unable to have these headers passed to the application for any reason, you could instead force an override of the base URL using the PWP__OVERRIDE_BASE_URL environment variable.
Environment Variable | Description | Example Value |
---|---|---|
PWP__OVERRIDE_BASE_URL | Set this value (without a trailing slash) to force the base URL of generated links. | 'https://subdomain.domain.dev' |
Trusted Proxies
By default, Password Pusher only trusts proxies on the local network. If your proxy is local, no additional configuration is required.
If you are using a remote proxy such as Cloudflare, an external F5 or other device that is not on the local network, you need to specifically authorize your proxy to Password Pusher for it to accept X-Forwarded-* proxy headers.
Why Use Trusted Proxies?
- This setting ensures that only requests from trusted proxies are allowed to forward headers like X-Forwarded-For.
- It provides an extra layer of security, preventing unauthorized or malicious actors from spoofing headers.
How to Use Trusted Proxies
- Identify the IP addresses of your external proxies (e.g., Cloudflare or other remote reverse proxies).
- Add those IP addresses to the trusted_proxies configuration in your environment or settings.yml configuration file.
Configuration via settings.yml
Example configuration in settings.yml:
trusted_proxies:
- '1.2.3.4'
- '2.3.4.5'
Configuration via Environment Variable
If you prefer, you can set the trusted proxies directly through an environment variable:
PWP__TRUSTED_PROXIES='1.2.3.4'
or
PWP__TRUSTED_PROXIES='1.2.3.4,2.3.4.5'
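The following added example (not Password Pusher's own code) sketches the decision described above: X-Forwarded-* headers are honored only when the connecting peer is a local or explicitly trusted proxy, and an override always wins. The names parse_trusted, base_url and LOCAL_RANGES are hypothetical, and the loopback and private ranges used for "local network" are an assumption of this sketch.

```ruby
require 'ipaddr'

# Assumption for this sketch: loopback and private ranges stand in for
# "proxies on the local network". Not taken from Password Pusher.
LOCAL_RANGES = %w[127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
               .map { |range| IPAddr.new(range) }

# Hypothetical helper: parse a PWP__TRUSTED_PROXIES-style comma-separated list.
def parse_trusted(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?).map { |ip| IPAddr.new(ip) }
end

# Hypothetical helper: choose the base URL for generated links.
#   peer_ip - address of the TCP peer that connected to the application
#   headers - request headers as a Hash
#   backend - URL the application listens on, used when headers are not trusted
def base_url(peer_ip, headers, backend:, trusted: [], override: nil)
  return override.chomp('/') if override && !override.empty?

  peer = IPAddr.new(peer_ip)
  return backend unless (LOCAL_RANGES + trusted).any? { |range| range.include?(peer) }

  proto = headers['X-Forwarded-Proto']
  host  = headers['X-Forwarded-Host']
  return backend unless %w[http https].include?(proto) && host.to_s.match?(/\A[A-Za-z0-9.-]+\z/)

  port = headers['X-Forwarded-Port'].to_s
  default = { 'http' => '80', 'https' => '443' }[proto]
  suffix = port.match?(/\A\d{1,5}\z/) && port != default ? ":#{port}" : ''
  "#{proto}://#{host}#{suffix}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request, as a proxy using the nginx lines above would send it.
  sample = { 'X-Forwarded-Proto' => 'https',
             'X-Forwarded-Host'  => 'subdomain.domain.dev',
             'X-Forwarded-Port'  => '443' }
  allowed = parse_trusted('1.2.3.4,2.3.4.5')
  backend = 'http://10.0.0.5:5100' # constructed backend address
  puts base_url('1.2.3.4', sample, backend: backend, trusted: allowed)     # trusted remote proxy
  puts base_url('203.0.113.9', sample, backend: backend, trusted: allowed) # untrusted peer, headers ignored
end
```

A peer outside the trusted set gets links built from the backend address no matter what headers it sends, which is the spoofing protection the trusted_proxies setting provides.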