Red Hat SummitChapter 2. Configuring proxy support for Red Hat Ansible Automation Platform
You can configure Red Hat Ansible Automation Platform to communicate with traffic using a proxy. Proxy servers act as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service or available resource from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity. The following sections describe the supported proxy configurations and how to set them up.
2.1. Enabling proxy support through a load balancer
A forward proxy deals with client traffic, regulating and securing it. To provide proxy server support, automation controller handles proxied requests (such as ALB, NLB , HAProxy, Squid, Nginx and tinyproxy in front of automation controller) using the REMOTE_HOST_HEADERS list variable in the automation controller settings. By default, REMOTE_HOST_HEADERS is set to ["REMOTE_ADDR", "REMOTE_HOST"].
To enable proxy server support, edit the REMOTE_HOST_HEADERS field in the settings page for your automation controller:
Procedure
-
From the navigation panel, select
. - Click
In the Remote Host Headers field, enter the following values:
[ "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR", "REMOTE_HOST" ]
[ "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR", "REMOTE_HOST" ]Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Click to save your settings.
Automation controller determines the remote host’s IP address by searching through the list of headers in Remote Host Headers until the first IP address is located.
2.2. Known proxies
When automation controller is configured with REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR', 'REMOTE_HOST'], it assumes that the value of X-Forwarded-For has originated from the proxy/load balancer sitting in front of automation controller. If automation controller is reachable without use of the proxy/load balancer, or if the proxy does not validate the header, the value of X-Forwarded-For can be falsified to fake the originating IP addresses.
Using HTTP_X_FORWARDED_FOR in the REMOTE_HOST_HEADERS setting poses a vulnerability.
To avoid this, you can configure a list of known proxies that are allowed.
Procedure
-
From the navigation panel, select
. Enter a list of proxy IP addresses from which the service should trust custom remote header values in the Proxy IP Allowed List field.
NoteLoad balancers and hosts that are not on the known proxies list result in a rejected request.
2.2.1. Configuring known proxies
To configure a list of known proxies for your automation controller, add the proxy IP addresses to the Proxy IP Allowed List field in the System Settings page.
Procedure
-
From the navigation panel, select
. In the Proxy IP Allowed List field, enter IP addresses that are permitted to connect to your automation controller, using the syntax in the following example:
Example Proxy IP Allowed List entry
[ "example1.proxy.com:8080", "example2.proxy.com:8080" ]
[ "example1.proxy.com:8080", "example2.proxy.com:8080" ]Copy to Clipboard Copied! Toggle word wrap Toggle overflow Important-
Proxy IP Allowed List requires proxies in the list are properly sanitizing header input and correctly setting an
X-Forwarded-Forvalue equal to the real source IP of the client. Automation controller can rely on the IP addresses and hostnames in Proxy IP Allowed List to provide non-spoofed values forX-Forwarded-For. Do not configure
HTTP_X_FORWARDED_FORas an item in Remote Host Headers unless all of the following conditions are satisfied:- You are using a proxied environment with ssl termination;
-
The proxy provides sanitization or validation of the
X-Forwarded-Forheader to prevent client spoofing; -
/etc/tower/conf.d/remote_host_headers.pydefinesPROXY_IP_ALLOWED_LISTthat contains only the originating IP addresses of trusted proxies or load balancers.
-
Proxy IP Allowed List requires proxies in the list are properly sanitizing header input and correctly setting an
- Click to save the settings.
2.3. Configuring a reverse proxy through a load balancer
A reverse proxy manages external requests to servers, offering load balancing and concealing server identities for added security. You can support a reverse proxy server configuration by adding HTTP_X_FORWARDED_FOR to the Remote Host Headers field in the Systems Settings. The X-Forwarded-For (XFF) HTTP header field identifies the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
Procedure
-
From the navigation panel, select
. In the Remote Host Headers field, enter the following values:
[ "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR", "REMOTE_HOST" ]
[ "HTTP_X_FORWARDED_FOR", "REMOTE_ADDR", "REMOTE_HOST" ]Copy to Clipboard Copied! Toggle word wrap Toggle overflow Add the lines below to
/etc/tower/conf.d/custom.pyto ensure the application uses the correct headers:USE_X_FORWARDED_PORT = True USE_X_FORWARDED_HOST = True
USE_X_FORWARDED_PORT = True USE_X_FORWARDED_HOST = TrueCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Click to save the settings.
2.4. Enable sticky sessions
By default, an application load balancer routes each request independently to a registered target based on the chosen load-balancing algorithm. To avoid authentication errors when running multiple instances of automation hub behind a load balancer, you must enable sticky sessions. Enabling sticky sessions sets a custom application cookie that matches the cookie configured on the load balancer to enable stickiness. This custom cookie can include any of the cookie attributes required by the application.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}