So…you’re using MVC3 right? Good. And you’re using the awesome new server debugging/troubleshooting tool Glimpse right? Naturally! And you’re deploying to fantastic AppHarbor platform right? Of course you are! And they all go together like peanut butter and chocolate right? WRONG!
While all 3 of these things are quite awesome, you’ll be quite disappointed when you push your site to AppHarbor and then try to get a Glimpse into what’s happening on the server-side. This is because Glimpse, by default, only allows you to use it from localhost and if you want to use it from any other hosts you have to specify the IPs in the web.config. OK, that’s cool, I’ll just add my public IP and we’ll be in business right? Nope. That’s because the IP restrictions are enforced by this code:
So, what’s wrong with that? Nothing. The problem lies in the architecture of AppHarbor. They use load balancers to send requests to the server your app is running on. That means that Request.UserHostAddress is going to be the IP of the load balancer rather than the actual client.
At this point you have two options:
- Add the IP of the load balancer
- Allow all IPs
Both of these options result in any client being allowed to turn Glimpse on for your site. That's not good: it reveals too much information about your server. The code could be updated to also check the HTTP_X_FORWARDED_FOR header value, but that header would be pretty easy to fake in a non-load-balanced environment, since nothing strips or verifies it before it reaches your app.
#1 by Troels Thomsen on July 7, 2011 - 4:27 pm
I would recommend going with the X-Forwarded-For header. It is true that this could potentially break in other environments, but it is still the de facto standard when working with load-balancing.
In case you’re worried about the risk, you could add a variable on AppHarbor that gets injected to the configuration file. If this variable isn’t set, you can avoid considering the X-Forwarded-For header.
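As an added example that is not Glimpse's own code, the following hypothetical ASP.NET helper does what the post and comment #1 describe: it honours X-Forwarded-For only when the request actually arrived from a known load balancer, so a client on an unproxied host cannot forge its way past the IP check. The trusted proxy addresses are constructed placeholders; in practice they would come from a web.config setting that AppHarbor injects.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;

// Hypothetical helper for resolving the real client address behind a
// load balancer. When the direct peer is not a trusted proxy, the
// X-Forwarded-For header is ignored and the TCP peer address is used.
public static class ClientAddress
{
    // Constructed sample values; read the real list from configuration.
    private static readonly HashSet<string> TrustedProxies = new HashSet<string>
    {
        "10.0.0.5", "10.0.0.6"
    };

    public static string Resolve(HttpRequestBase request)
    {
        string peer = request.UserHostAddress;           // TCP-level peer
        string forwarded = request.Headers["X-Forwarded-For"];

        // Without a trusted proxy in front of us the header is untrusted.
        if (string.IsNullOrEmpty(forwarded) || !TrustedProxies.Contains(peer))
            return peer;

        // Header is "client, proxy1, proxy2": walk from the right, skipping
        // hops we trust. The first untrusted hop is the address our own
        // load balancer saw; anything left of it was supplied by the client.
        foreach (var hop in forwarded.Split(',').Select(h => h.Trim()).Reverse())
        {
            IPAddress parsed;
            if (!IPAddress.TryParse(hop, out parsed))
                return peer;                              // malformed: fall back
            if (!TrustedProxies.Contains(hop))
                return parsed.ToString();
        }
        return peer;        // every hop was one of our proxies
    }

    // Drop-in check for an IP allow list like Glimpse's web.config entries.
    public static bool IsAllowed(HttpRequestBase request, IEnumerable<string> allowedIps)
    {
        return allowedIps.Contains(Resolve(request));
    }
}
```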
#2 by Andrew Ma on July 30, 2011 - 3:28 pm
Looks like this was resolved. Details here: https://github.com/Glimpse/Glimpse/pull/88