When hosting Password Pusher with a proxy, you can take advantage of the proxy’s features to enhance security, scalability, and performance. A proxy is often used to act as an SSL termination endpoint as well.

Required Proxy Headers

An occasional issue when running Password Pusher behind a proxy is that the generated secret URLs are incorrect. They often contain the backend URL and port instead of the public fully qualified URL, use HTTP instead of HTTPS, or all of these.

To resolve this, make sure your proxy properly forwards the X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Proto headers.

The values in these headers represent the front end request. When these headers are sent, Password Pusher can then build the correct URLs.

Nginx Example

As an example, for nginx, the addition could be:

proxy_set_header  X-Forwarded-Port $server_port;
proxy_set_header  X-Forwarded-Host $host;
proxy_set_header  X-Forwarded-Proto $scheme;
proxy_set_header  X-Forwarded-Ssl on;

Proxy Headers: Alternative Option

If you are unable to have these headers passed to the application for any reason, you could instead force an override of the base URL using the PWP__OVERRIDE_BASE_URL environment variable.

Environment Variable | Description | Example Value
PWP__OVERRIDE_BASE_URL | Set this value (without a trailing slash) to force the base URL of generated links. | 'https://subdomain.domain.dev'

Trusted Proxies

By default, Password Pusher only trusts proxies on the local network. If your proxy is local, no additional configuration is required.

If you are using a remote proxy such as Cloudflare, an external F5 or another device that is not on the local network, you need to explicitly authorize that proxy in Password Pusher so that it accepts the proxy's X-Forwarded-* headers.

Why Use Trusted Proxies?

  • This setting ensures that only requests from trusted proxies are allowed to forward headers like X-Forwarded-For.
  • It provides an extra layer of security, preventing unauthorized or malicious actors from spoofing headers.

How to Use Trusted Proxies

  1. Identify the IP addresses of your external proxies (e.g., Cloudflare or other remote reverse proxies).
  2. Add those IP addresses to the trusted_proxies configuration in your environment or settings.yml configuration file.

Configuration via settings.yml

Example Configuration in settings.yml:

trusted_proxies:
  - '1.2.3.4'
  - '2.3.4.5'

Configuration via Environment Variable

If you prefer, you can set the trusted proxies directly through an environment variable:

PWP__TRUSTED_PROXIES='1.2.3.4'

or

PWP__TRUSTED_PROXIES='1.2.3.4,2.3.4.5'
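
The following added example (not Password Pusher's own code) models why the trusted proxy list matters: X-Forwarded-* values shape the generated URL only when the connecting peer is trusted. The helper names, the private ranges standing in for "the local network", and the sample hosts are assumptions made for illustration.

```ruby
require 'ipaddr'

# Simplified model of the trust decision, not Password Pusher's implementation.
# Assumption: "local network" means loopback plus the RFC 1918 private ranges.
LOCAL_RANGES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
               .map { |cidr| IPAddr.new(cidr) }

# Parse a PWP__TRUSTED_PROXIES-style value ('1.2.3.4' or '1.2.3.4,2.3.4.5').
def parse_trusted(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?).map { |ip| IPAddr.new(ip) }
end

# True when the TCP peer (the host that actually connected) is a trusted proxy.
def trusted_peer?(peer_ip, extra)
  peer = IPAddr.new(peer_ip)
  (LOCAL_RANGES + extra).any? { |r| r.family == peer.family && r.include?(peer) }
end

# Return the base URL for generated links. X-Forwarded-* values are used only
# when the peer is trusted; otherwise the backend URL is kept.
def base_url(peer_ip, headers, backend:, trusted: [])
  return backend unless trusted_peer?(peer_ip, trusted)

  host  = headers['X-Forwarded-Host']
  proto = headers['X-Forwarded-Proto']
  return backend if host.nil? || proto.nil?

  port    = headers['X-Forwarded-Port']
  default = { 'https' => '443', 'http' => '80' }[proto]
  suffix  = port.nil? || port == default ? '' : ":#{port}"
  "#{proto}://#{host}#{suffix}"
end

# Constructed sample request data.
BACKEND = 'http://10.0.0.5:5100'
FORWARDED = { 'X-Forwarded-Host' => 'pwpush.example.com',
              'X-Forwarded-Proto' => 'https', 'X-Forwarded-Port' => '443' }.freeze

if __FILE__ == $PROGRAM_NAME
  remote = parse_trusted('1.2.3.4,2.3.4.5')
  puts base_url('192.168.1.10', FORWARDED, backend: BACKEND)             # local proxy
  puts base_url('1.2.3.4', FORWARDED, backend: BACKEND)                  # remote, not authorized
  puts base_url('1.2.3.4', FORWARDED, backend: BACKEND, trusted: remote) # remote, authorized
end
```

The second call shows the symptom described under Required Proxy Headers: a remote proxy that has not been authorized has its headers ignored, so links fall back to the backend URL.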
