Overview
FogBugz On-Premises has extensive configuration options which allow it to be deployed in many different network configurations. This article describes the network configuration options available as well as some common configuration scenarios. If you have a configuration other than those described, please contact us for more help.
Prerequisites
- Administrator rights on the IIS server
Information
Registry Values
FogBugz On-Premises configuration is controlled by values in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Fog Creek Software\FogBugz\<install directory>. The following values control how FogBugz behaves relative to your network.
sTrustedForwardedByHeader
This value controls how FogBugz determines the IP address of the requests it serves. If it is unset or empty (the default), FogBugz uses the REMOTE_ADDR header. If it is set to any other {value}, FogBugz uses the X-FORWARDED-FOR header only if X-FORWARDED-BY is {value}.
srgTrustedNetworks
This value determines which IP addresses are able to reach certain administrative or debugging endpoints in FogBugz. If it is unset (the default), only traffic originating from the FogBugz web server is able to reach these endpoints. To allow certain addresses access to these endpoints, use a comma-separated list of IPv4 and IPv6 addresses. If an address ends with a subnet, the address represents all of the addresses in that range. For example, the value "192.168.37.53,192.168.37.54,2001:db8:85a3::8a2e:370:7334,10.1.101.0/24" allows access to computers at the following IP addresses:
- 192.168.37.53
- 192.168.37.54
- 2001:db8:85a3::8a2e:370:7334
- 10.1.101.1 to 10.1.101.254
If you configure srgTrustedNetworks, we recommend also configuring a value for sTrustedOriginHeader.
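A pre-deployment check for an srgTrustedNetworks value, added here as an example; it is not FogBugz code and only models the list format described above. The function names, the whitespace handling and the MIN_PREFIX review threshold are assumptions of this example.

```python
import ipaddress

# Value quoted in the article above.
SAMPLE = "192.168.37.53,192.168.37.54,2001:db8:85a3::8a2e:370:7334,10.1.101.0/24"

# Assumed review threshold (not a FogBugz rule): flag ranges broader than this.
MIN_PREFIX = {4: 16, 6: 48}


def parse_trusted_networks(value):
    """Return (networks, problems) for a comma-separated address list."""
    networks, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()  # assumption: surrounding spaces are not significant
        if not entry:
            problems.append("empty entry (stray comma?)")
            continue
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.1.101.5/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry!r}: {exc}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(f"{entry!r}: very broad range (/{net.prefixlen})")
        networks.append(net)
    return networks, problems


def is_listed(address, networks):
    """True if address falls inside any parsed entry of the same IP version."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    nets, problems = parse_trusted_networks(SAMPLE)
    for p in problems:
        print("PROBLEM:", p)
    for probe in ("10.1.101.77", "192.168.37.55"):
        print(probe, "listed" if is_listed(probe, nets) else "not listed")
```

Run it against the exact string you plan to store in the registry, and resolve every reported problem before saving the value.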
sTrustedOriginHeader
This value determines which requests are allowed to reach “advanced” administrative or debugging endpoints. If it is unset (the default), all requests originating from any address in srgTrustedNetworks are allowed. If set to any {value}, only local requests or requests with {value} as a header are allowed. Here is an example of a non-local request to modify the full-text index when sTrustedOriginHeader is set to X-Request-Is-From-A-Power-User:
curl -H "X-Request-Is-From-A-Power-User:True" "http://fogbugz.example.com/f/tasks/indexer/heal?start=2016-12-23T05:30:10Z&end=2016-12-25T07:30:10Z"
Common Scenarios
Reverse Proxy
To ensure that requests passing through a reverse proxy are properly handled, set sTrustedForwardedByHeader to some value and configure your reverse proxy to set X-FORWARDED-BY to the same value.
Non-Local Debugging
To allow users to access debugging endpoints and view stack traces and the miniprofiler, set srgTrustedNetworks to the IP addresses you’d like to permit. Make sure to also set sTrustedOriginHeader so that potentially destructive endpoints are protected from accidental use.