Glimpse + AppHarbor = Sad Face :(

So...you're using MVC3 right? Good. And you're using the awesome new server debugging/troubleshooting tool Glimpse right? Naturally! And you're deploying to fantastic AppHarbor platform right? Of course you are! And they all go together like peanut butter and chocolate right? WRONG!

While all 3 of these things are quite awesome, you'll be quite disappointed when you push your site to AppHarbor and then try to get a Glimpse into what's happening on the server-side. This is because Glimpse, by default, only allows you to use it from localhost and if you want to use it from any other hosts you have to specify the IPs in the web.config. OK, that's cool, I'll just add my public IP and we'll be in business right? Nope. That's because the IP restrictions are enforced by this code:

using System.Web;  
using Glimpse.Core.Configuration;  
using Glimpse.Core.Extensibility;

namespace Glimpse.Core.Validator  
{
    [GlimpseValidator]
    internal class IpAddressValidator:IGlimpseValidator{
        public bool IsValid(HttpContextBase context, GlimpseConfiguration configuration, LifecycleEvent lifecycleEvent)
        {
            if (configuration.IpAddresses.Count == 0) return true; //no configured list, allow all IP's

            return configuration.IpAddresses.Contains(context.Request.UserHostAddress);
        }
    }
}

So, what's wrong with that? Nothing. The problem lies in the architecture of AppHarbor. They use load balancers to send requests to the server your app is running on. That means that Request.UserHostAddress is going to be the IP of the load balancer rather than the actual client.

At this point you have two options:

  • Add the IP of the load balancer
  • Allow all IPs

Both of these result in any client being allowed to turn on Glimpse on your site. That’s not good. It reveals too much info about your server. The code could be updated to also check the HTTP_X_FORWARDED_FOR header value but that would be pretty easy to fake in a non-loadbalanced environment.

Share this post:


My name is Jeff French. I'm a programmer, public speaker, technologist, husband, father and an all around geek. These are my musings on code, technology and life in general. Please enjoy. :)