First public release.
Makes RT trust X-Forwarded-* headers (scheme/host/port/client-IP) when it
runs behind a reverse proxy (nginx, haproxy, …) that terminates TLS and
forwards to rt-server/Starlet over plain HTTP. Without this, RT computes
request URLs as e.g. http://host:9000, which breaks absolute URLs,
$RestrictReferrer, inline edit and secure cookies.
Highlights
- Uses RT's supported PSGIWrap plugin hook to wrap the PSGI app with
  Plack::Middleware::ReverseProxy. Activating the plugin is enough — the
  rt-server -e 'enable "ReverseProxy"' route is silently ignored because
  RT::PlackRunner pre-builds the PSGI app (documented in the README).
- Trusted-proxy filtering via $ReverseProxy_TrustedProxies: forwarded
  headers are only honoured when REMOTE_ADDR matches the configured
  IPs/CIDRs (Net::CIDR). Unset = trust all (back-compat); see the security
  note in the README before exposing the PSGI port.
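The trusted-proxy rule above, as an added sketch that is not the extension's own code: it gates Plack::Middleware::ReverseProxy on REMOTE_ADDR with Plack::Builder's enable_if and Net::CIDR::cidrlookup. The @trusted list, the request_from helper and all addresses are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Plack::Builder;    # builder / enable_if
use Net::CIDR;         # cidrlookup

# Hypothetical trusted list for this sketch (the extension reads its own
# list from $ReverseProxy_TrustedProxies).
my @trusted = ('127.0.0.1/32', '10.0.0.0/8');

# Inner app: report the scheme and client address the application ends up with.
my $inner = sub {
    my $env  = shift;
    my $seen = "scheme=$env->{'psgi.url_scheme'} client=$env->{REMOTE_ADDR}";
    return [ 200, [ 'Content-Type' => 'text/plain' ], [$seen] ];
};

# X-Forwarded-* is rewritten into the PSGI env only when the TCP peer
# (REMOTE_ADDR) is inside a trusted netblock; otherwise the headers are inert.
my $app = builder {
    enable_if { Net::CIDR::cidrlookup( $_[0]{REMOTE_ADDR}, @trusted ) }
        'Plack::Middleware::ReverseProxy';
    $inner;
};

# Constructed PSGI environment: same forwarded headers, different peer.
sub request_from {
    my ($peer) = @_;
    return {
        REQUEST_METHOD         => 'GET',
        SCRIPT_NAME            => '',
        PATH_INFO              => '/',
        SERVER_NAME            => 'localhost',
        SERVER_PORT            => 9000,
        HTTP_HOST              => 'localhost:9000',
        'psgi.url_scheme'      => 'http',
        REMOTE_ADDR            => $peer,
        HTTP_X_FORWARDED_PROTO => 'https',
        HTTP_X_FORWARDED_FOR   => '198.51.100.7',
    };
}

# 10.1.2.3 stands in for the proxy; 203.0.113.50 for a client that reached
# the PSGI port directly and supplied its own X-Forwarded-* headers.
for my $peer ( '10.1.2.3', '203.0.113.50' ) {
    my $res = $app->( request_from($peer) );
    print "$peer -> $res->[2][0]\n";
}
```

For the untrusted peer the scheme stays http and the client address stays the real socket peer, which is the behaviour to confirm before the PSGI port is reachable from anything other than the proxy.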
Requirements
- RT 6.0.0 or later
- Plack::Middleware::ReverseProxy (ships as an RT dependency)
- Net::CIDR (only when $ReverseProxy_TrustedProxies is set)
Install
perl -I. Makefile.PL && make && make install
Then add Plugin('RT::Extension::ReverseProxy'); to RT_SiteConfig.pm, clear the
Mason cache and restart RT. See the README for full configuration.