Skip to content

v0.9.0

Latest

Choose a tag to compare

@mxhash mxhash released this 25 Jun 12:39

First public release.

Makes RT trust X-Forwarded-* headers (scheme/host/port/client-IP) when it
runs behind a reverse proxy (nginx, haproxy, …) that terminates TLS and
forwards to rt-server/Starlet over plain HTTP. Without this, RT computes
request URLs as e.g. http://host:9000, which breaks absolute URLs,
$RestrictReferrer, inline edit and secure cookies.

Highlights

  • Uses RT's supported PSGIWrap plugin hook to wrap the PSGI app with
    Plack::Middleware::ReverseProxy. Activating the plugin is enough — the
    rt-server -e 'enable "ReverseProxy"' route is silently ignored because
    RT::PlackRunner pre-builds the PSGI app (documented in the README).
  • Trusted-proxy filtering via $ReverseProxy_TrustedProxies: forwarded
    headers are only honoured when REMOTE_ADDR matches the configured
    IPs/CIDRs (Net::CIDR). Unset = trust all (back-compat); see the security
    note in the README before exposing the PSGI port.

Requirements

  • RT 6.0.0 or later
  • Plack::Middleware::ReverseProxy (ships as an RT dependency)
  • Net::CIDR (only when $ReverseProxy_TrustedProxies is set)

Install

perl -I. Makefile.PL && make && make install

Then Plugin('RT::Extension::ReverseProxy'); in RT_SiteConfig.pm, clear the
Mason cache and restart. See the README for full configuration.