Koha/etc/koha-conf.xml
Kyle M Hall a6838a3e35
Bug 23068: Add ability for Koha to handle X-Forwarded-For headers so REMOTE_ADDR features work behind a proxy
Koha has a number of features that rely on knowing the IP address of the connecting client. If that server is behind a proxy these features do not work.
This patch adds a module to automatically convert the X-Forwarded-For header into the REMOTE_ADDR environment variable for both CGI and Plack processes.

TEST PLAN:
1) Apply this patch set
2) Install Plack::Middleware::RealIP via cpanm or your favorite utility
3) Update your plack.psgi with the changes you find in this patch set ( this process differs based on your testing environment )
4) Restart plack
5) Tail the plack error log for your instance
6) Use curl to access the OPAC, adding an X-Forwarded-For header: curl --header "X-Forwarded-For: 32.32.32.32" http://127.0.0.1:8080
7) Note the logs output this address if you are unproxied
8) If you are proxied, restart plack using a command like below, where the ip you see in the logs ("REAL IP) is what you put in the koha conf:
    <koha_trusted_proxies>172.22.0.1 1.1.1.1</koha_trusted_proxies>
9) Restart all the things!
10) Repeat step 6
11) You should now see "REAL IP: 32.32.32.32" in the plack logs as the remote address in your plack-error.log logs!
12) Disable plack so you are running in cgi mode, repeat step 6 again
13) You should see "REAL IP: 32.32.32.32" as the remove address in your opac-error.log logs!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Ed Veal <eveal@mckinneytexas.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-10-31 16:10:17 +00:00

222 lines
10 KiB
XML

<yazgfs>
<!-- [scheme:]host[:port][/databaseName] -->
<!-- scheme: tcp, ssl, unix, http, sru -->
<!-- can run all servers on tcp, but the unix socket is faster -->
<listen id="biblioserver" >unix:__ZEBRA_RUN_DIR__/bibliosocket</listen>
<listen id="authorityserver" >unix:__ZEBRA_RUN_DIR__/authoritysocket</listen>
<!-- Uncomment the following entry if you want to run the public Z39.50 server.
Also uncomment the <server> and <serverinfo> sections for id 'publicserver'
under PUBLICSERVER'S BIBLIOGRAPHIC RECORDS title-->
<!--
<listen id="publicserver" >tcp:@:__ZEBRA_SRU_BIBLIOS_PORT__</listen>
-->
<!-- Settings for special biblio server instance for PazPar2.
Because PazPar2 only connects to a Z39.50 server using TCP/IP,
it cannot use the Unix-domain socket that biblioserver uses.
Therefore, a custom server is defined. -->
__PAZPAR2_TOGGLE_XML_PRE__
<listen id="mergeserver">tcp:@:__MERGE_SERVER_PORT__</listen>
<server id="mergeserver" listenref="mergeserver">
<directory>__ZEBRA_DATA_DIR__/biblios</directory>
<config>__ZEBRA_CONF_DIR__/__ZEBRA_BIB_CFG__</config>
<cql2rpn>__ZEBRA_CONF_DIR__/pqf.properties</cql2rpn>
</server>
__PAZPAR2_TOGGLE_XML_POST__
<!-- BIBLIOGRAPHIC RECORDS -->
<server id="biblioserver" listenref="biblioserver">
<directory>__ZEBRA_DATA_DIR__/biblios</directory>
<config>__ZEBRA_CONF_DIR__/__ZEBRA_BIB_CFG__</config>
<cql2rpn>__ZEBRA_CONF_DIR__/pqf.properties</cql2rpn>
<xi:include href="__KOHA_CONF_DIR__/zebradb/__BIB_RETRIEVAL_CFG__" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="__KOHA_CONF_DIR__/zebradb/explain-biblios.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</server>
<serverinfo id="biblioserver">
<ccl2rpn>__ZEBRA_CONF_DIR__/ccl.properties</ccl2rpn>
<user>__ZEBRA_USER__</user>
<password>__ZEBRA_PASS__</password>
</serverinfo>
<!-- AUTHORITY RECORDS -->
<server id="authorityserver" listenref="authorityserver" >
<directory>__ZEBRA_DATA_DIR__/authorities</directory>
<config>__ZEBRA_CONF_DIR__/__ZEBRA_AUTH_CFG__</config>
<cql2rpn>__ZEBRA_CONF_DIR__/pqf.properties</cql2rpn>
<xi:include href="__KOHA_CONF_DIR__/zebradb/__AUTH_RETRIEVAL_CFG__" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="__KOHA_CONF_DIR__/zebradb/explain-authorities.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</server>
<serverinfo id="authorityserver">
<ccl2rpn>__ZEBRA_CONF_DIR__/ccl.properties</ccl2rpn>
<user>__ZEBRA_USER__</user>
<password>__ZEBRA_PASS__</password>
</serverinfo>
<!-- PUBLICSERVER'S BIBLIOGRAPHIC RECORDS -->
<!--
<server id="publicserver" listenref="publicserver">
<directory>__ZEBRA_DATA_DIR__/biblios</directory>
<config>__ZEBRA_CONF_DIR__/__ZEBRA_BIB_CFG__</config>
<cql2rpn>__ZEBRA_CONF_DIR__/pqf.properties</cql2rpn>
<xi:include href="__KOHA_CONF_DIR__/zebradb/__BIB_RETRIEVAL_CFG__" xmlns:xi="http://www.w3.org/2001/XInclude"/>
<xi:include href="__KOHA_CONF_DIR__/zebradb/explain-biblios.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
</server>
<serverinfo id="publicserver">
<ccl2rpn>__ZEBRA_CONF_DIR__/ccl.properties</ccl2rpn>
<user>__ZEBRA_USER__</user>
<password>__ZEBRA_PASS__</password>
</serverinfo>
-->
<!-- ADDITIONAL KOHA CONFIGURATION DIRECTIVE -->
<!-- db_scheme should follow the DBD driver name -->
<!-- the DBD drivers supported by Koha are mysql and Pg -->
<!-- port info: mysql:3306 Pg:5432 (5433 on Debian) -->
<config>
<db_scheme>__DB_TYPE__</db_scheme>
<database>__DB_NAME__</database>
<hostname>__DB_HOST__</hostname>
<port>__DB_PORT__</port>
<user>__DB_USER__</user>
<pass>__DB_PASS__</pass>
<tls>__DB_USE_TLS__</tls>
<ca>__DB_TLS_CA_CERTIFICATE__</ca>
<cert>__DB_TLS_CLIENT_CERTIFICATE__</cert>
<key>__DB_TLS_CLIENT_KEY__</key>
<biblioserver>biblios</biblioserver>
<biblioservershadow>1</biblioservershadow>
<authorityserver>authorities</authorityserver>
<authorityservershadow>1</authorityservershadow>
<pluginsdir>__PLUGINS_DIR__</pluginsdir> <!-- This entry can be repeated to use multiple directories -->
<enable_plugins>0</enable_plugins>
<upload_path></upload_path>
<tmp_path></tmp_path>
<intranetdir>__INTRANET_CGI_DIR__</intranetdir>
<opacdir>__OPAC_CGI_DIR__/opac</opacdir>
<opachtdocs>__OPAC_TMPL_DIR__</opachtdocs>
<intrahtdocs>__INTRANET_TMPL_DIR__</intrahtdocs>
<includes>__INTRANET_TMPL_DIR__/prog/en/includes/</includes>
<logdir>__LOG_DIR__</logdir>
<docdir>__DOC_DIR__</docdir>
<backupdir>__BACKUP_DIR__</backupdir>
<!-- Enable the two following to allow superlibrarians to download
database and configuration dumps (respectively) from the Export
tool -->
<backup_db_via_tools>0</backup_db_via_tools>
<backup_conf_via_tools>0</backup_conf_via_tools>
<!-- Uncomment the following line if you are not using packages and need to schedule reports through the web interface. supportdir should contain cronjobs/runreport.pl -->
<!--
<supportdir>__SCRIPT_NONDEV_DIR__</supportdir>
-->
<pazpar2url>http://__PAZPAR2_HOST__:__PAZPAR2_PORT__/search.pz2</pazpar2url>
<install_log>__MISC_DIR__/koha-install-log</install_log>
<useldapserver>0</useldapserver><!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
<useshibboleth>0</useshibboleth><!-- see C4::Auth_with_shibboleth for extra configs you must do to turn this on -->
<zebra_lockdir>__ZEBRA_LOCK_DIR__</zebra_lockdir>
<use_zebra_facets>1</use_zebra_facets>
<queryparser_config>__KOHA_CONF_DIR__/searchengine/queryparser.yaml</queryparser_config>
<log4perl_conf>__KOHA_CONF_DIR__/log4perl.conf</log4perl_conf>
<memcached_servers>__MEMCACHED_SERVERS__</memcached_servers>
<memcached_namespace>__MEMCACHED_NAMESPACE__</memcached_namespace>
<template_cache_dir>__TEMPLATE_CACHE_DIR__</template_cache_dir>
<!-- Secret passphrase used by Mojolicious for signed cookies -->
<api_secret_passphrase>CHANGEME</api_secret_passphrase>
<!-- Accessible directory from the staff client, uncomment the following line and define a valid path to let the intranet user access it-->
<!--
<access_dirs>
<access_dir></access_dir>
<access_dir></access_dir>
</access_dirs>
-->
<!-- true type font mapping accoding to type from $font_types in C4/Creators/Lib.pm -->
<ttf>
<font type="TR" >__FONT_DIR__/DejaVuSerif.ttf</font>
<font type="TB" >__FONT_DIR__/DejaVuSerif-Bold.ttf</font>
<font type="TI" >__FONT_DIR__/DejaVuSerif-Italic.ttf</font>
<font type="TBI">__FONT_DIR__/DejaVuSerif-BoldItalic.ttf</font>
<font type="C" >__FONT_DIR__/DejaVuSansMono.ttf</font>
<font type="CB" >__FONT_DIR__/DejaVuSansMono-Bold.ttf</font>
<font type="CO" >__FONT_DIR__/DejaVuSansMono-Oblique.ttf</font>
<font type="CBO">__FONT_DIR__/DejaVuSansMono-BoldOblique.ttf</font>
<font type="H" >__FONT_DIR__/DejaVuSans.ttf</font>
<font type="HO" >__FONT_DIR__/DejaVuSans-Oblique.ttf</font>
<font type="HB" >__FONT_DIR__/DejaVuSans-Bold.ttf</font>
<font type="HBO">__FONT_DIR__/DejaVuSans-BoldOblique.ttf</font>
</ttf>
<!-- Path to the config file for SMS::Send -->
<sms_send_config>__KOHA_CONF_DIR__/sms_send/</sms_send_config>
<!-- URL of the mana KB server -->
<!-- alternative value https://mana-test.koha-community.org to query the test server -->
<mana_config>https://mana-kb.koha-community.org</mana_config>
<!-- Configuration for Plack -->
<plack_max_requests>50</plack_max_requests>
<plack_workers>2</plack_workers>
<!-- Configuration for X-Forwarded-For -->
<!--
<koha_trusted_proxies>1.2.3.4 2.3.4.5 3.4.5.6</koha_trusted_proxies>
-->
<!-- Elasticsearch Configuration -->
<elasticsearch>
<server>__ELASTICSEARCH_SERVERS__</server>
<index_name>__ELASTICSEARCH_INDEX_____DB_NAME__</index_name>
<!-- See https://metacpan.org/pod/Search::Elasticsearch#cxn_pool -->
<cxn_pool>Static</cxn_pool>
</elasticsearch>
<!-- Uncomment the following line if you want to override the Elasticsearch default index settings -->
<!-- <elasticsearch_index_config>__KOHA_CONF_DIR__/searchengine/elasticsearch/index_config.yaml</elasticsearch_index_config> -->
<!-- Uncomment the following line if you want to override the Elasticsearch default field settings -->
<!-- <elasticsearch_field_config>__KOHA_CONF_DIR__/searchengine/elasticsearch/field_config.yaml</elasticsearch_field_config> -->
<!-- Uncomment the following line if you want to override the Elasticsearch index default settings.
Note that any changes made to the mappings file only take effect if you reset the mappings in
by visiting /cgi-bin/koha/admin/searchengine/elasticsearch/mappings.pl?op=reset&i_know_what_i_am_doing=1&reset_fields=1.
Resetting mappings will override any changes made in the Search engine configuration UI.
-->
<!-- <elasticsearch_index_mappings>__KOHA_CONF_DIR__/searchengine/elasticsearch/mappings.yaml</elasticsearch_index_mappings> -->
<interlibrary_loans>
<!-- Path to where Illbackends are located on the system
- This setting should normally not be touched -->
<backend_directory>__PERL_MODULE_DIR__/Koha/Illbackends</backend_directory>
<!-- At least one <branch> block is required. -->
<branch>
<!-- The code of this branch -->
<code>CPL</code>
<!-- An optional prefix for all ILL request IDs for this branch -->
<prefix>ILL</prefix>
</branch>
<!-- How should we treat staff comments?
- hide: don't show in OPAC
- show: show in OPAC -->
<staff_request_comments>hide</staff_request_comments>
<!-- How should we treat the reply_date field?
- hide: don't show this field in the UI
- any other string: show, with this label -->
<reply_date>hide</reply_date>
<!-- Where should digital ILLs be sent?
- borrower: send it straight to the borrower email
- branch: send the ILL to the branch email -->
<digital_recipient>branch</digital_recipient>
<!-- What patron category should we use for p2p ILL requests?
- By default this is set to 'ILLLIBS' -->
<partner_code>ILLLIBS</partner_code>
</interlibrary_loans>
<!-- The timezone setting can let you force the timezone for this
instance to be something other then the local timezone of the
server. e.g. Antarctica/South_Pole -->
<timezone></timezone>
</config>
</yazgfs>