From 5cf11f87c8b858a1e13fda34975a262d1f311782 Mon Sep 17 00:00:00 2001 From: David Chidell Date: Wed, 10 Mar 2021 23:18:39 +0000 Subject: [PATCH] docs(authorizer): important headers for access-control networks (#1794) * Document X-Forwarded-For capabilities within access-control networks Adds a short paragraph detailing X-Forwarded-For header behaviour into the documentation. * Update docs/configuration/access-control.md Co-authored-by: James Elliott Co-authored-by: James Elliott --- docs/configuration/access-control.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/configuration/access-control.md b/docs/configuration/access-control.md index def8a463e..15cc1a6b7 100644 --- a/docs/configuration/access-control.md +++ b/docs/configuration/access-control.md @@ -139,6 +139,9 @@ A list of network addresses, ranges (CIDR notation) or groups can be specified i policies when requests originate from different networks. This list can contain both literal definitions of networks and [network aliases](#network-aliases). +Network addresses specified will be matched against the first IP in the X-Forwarded-For, and if there is none it will fall back to the IP address of the request. If using Authelia with a reverse proxy, additional configuration +may be required on the reverse proxy to ensure these headers are present and correct. + Main use cases for this rule option is to adjust the security requirements of a resource based on the location of the user. For example lets say a resource should be exposed both on the Internet and from an authenticated VPN for instance. Passing a second factor a first time to get access to the VPN and
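Review bot: The first added line says network rules are matched against "the first IP in the X-Forwarded-For", but it does not say that this value is whatever the request carried unless the reverse proxy overwrites or sanitizes it, so a network-based policy is only as trustworthy as the proxy's handling of that header. "additional configuration may be required" in the second added line understates this. Suggest stating the requirement directly, for example: "The reverse proxy must set X-Forwarded-For itself rather than pass through a client-supplied value, otherwise the networks rule can be matched by a request that merely claims an address." Two smaller points in the same paragraph: "these headers" is plural while only one header is named, so either list the others or make it singular, and write the name as `X-Forwarded-For` header. The first added line is also far longer than the wrapped context lines around it and should be rewrapped to match.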