Incident: Parameter "USE_CUSTOM_REMOTE_IP_HEADER" not working

Date Seen
13.03.2018

Versions
Ubuntu 16.04.4 LTS
Apache 2.4.18
Z-Push 2.4.0
Kopano 8.6.80

Bug Description
Since updating to Z-Push 2.4.0 the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” is not working as expected. Z-Push is logging the IP from the reverse proxy instead of the forwarded IP.

    // Use a custom header to determinate the remote IP of a client.
    // By default, the server provided REMOTE_ADDR is used. If the header here set
    // is available, the provided value will be used, else REMOTE_ADDR is maintained.
    // set to false to disable this behaviour.
    // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
    define('USE_CUSTOM_REMOTE_IP_HEADER', 'HTTP_X_FORWARDED_FOR');

Mar 13 13:55:22 server z-push/core[15150]: [WARN] [dfsd] IP: 192.168.2.1 failed to authenticate user 'dfsd'

Severity
Minor

Steps to Reproduce
Enable the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” and then check the apache logs. This is only reproducible if the webserver is behind a reverse proxy.

Actual Behavior
The reverse proxy ip is logged.

Expected Behavior
The forwarded ip is logged.

Troubleshooting/Testing Steps Attempted
I’ve tried to change the parameter to several settings without success. The apache server is logging the correct IP. I’ve set up a test site within apache and the real IP is displayed within the header “HTTP_X_FORWARDED_FOR”.

Workaround
No workaround found yet.

Hi darootler,

The apache_request_headers() function strips ‘HTTP_’ from the header name and replaces underscores with dashes. So in your case it should be X-FORWARDED-FOR.

Manfred

Thanks for the report. I have created a ticket for it https://jira.z-hub.io/browse/ZP-1373

Hi,

option “X-FORWARDED-FOR” is working as expected.

Thank you for creating the ticket and your help.

Regards
Richard

Hi,

I am using the following versions and I am not able to get the “real” IP:

Ubuntu 18.04.1 LTS
Apache 2.4.29
Z-Push 2.4.4
Kopano 8.6.81

Regards
Richard

Hi Richard,

a little bit more context here would be helpful. In your post 7 months ago you wrote that X-FORWARDED-FOR is working as expected.

What has changed since? What is the value of USE_CUSTOM_REMOTE_IP_HEADER in Z-Push config? Is there DEBUG log level entry like:

Using custom header 'HTTP_X_FORWARDED_FOR' to determine remote IP ...

Manfred

Hi Manfred,

I tried “X-FORWARDED-FOR” and “HTTP_X_FORWARDED_FOR” for “USE_CUSTOM_REMOTE_IP_HEADER”. I installed Z-Push on a new system, so all components changed. The logs are always filled with the private reverse proxy IP.

Regards
Richard

Hi,

the value “X_FORWARDED_FOR” is working as expected. Is this wanted? It doesn’t match the description:

// Use a custom header to determinate the remote IP of a client.
// By default, the server provided REMOTE_ADDR is used. If the header here set
// is available, the provided value will be used, else REMOTE_ADDR is maintained.
// set to false to disable this behaviour.
// common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)

Regards
Richard


Hi Richard,

@darootler said in Incident: Parameter "USE_CUSTOM_REMOTE_IP_HEADER" not working:

Hi,

the value “X_FORWARDED_FOR” is working as expected. Is this wanted? It doesn’t match the description:

// Use a custom header to determinate the remote IP of a client.
// By default, the server provided REMOTE_ADDR is used. If the header here set
// is available, the provided value will be used, else REMOTE_ADDR is maintained.
// set to false to disable this behaviour.
// common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)

Regards
Richard

The description says “common values”, but it doesn’t mean that only these values are possible. It also depends on whether you’re using mod_php or php-fpm, which webserver etc. Therefore USE_CUSTOM_REMOTE_IP_HEADER is configurable so that it can be changed to match one’s needs.

X_FORWARDED_FOR is also a common header: https://en.wikipedia.org/wiki/X-Forwarded-For

Manfred
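To tie together Manfred's two points above (the apache_request_headers() naming and the dependence on mod_php vs. php-fpm), here is an added example that is not Z-Push's own code: a hypothetical PHP resolver that maps the three spellings seen in this thread to the same header and, as the caveat a practitioner would want, only honours the forwarded value when the request really came from the reverse proxy. The `$trustedProxies` list, the helper names and the sample addresses are assumptions.

```php
<?php
// Added example, not Z-Push code. Illustrates why the configured header name
// depends on the SAPI, and why a forwarded address must only be trusted when
// the direct peer is our own reverse proxy (anyone can send X-Forwarded-For).

// Normalise any spelling ('HTTP_X_FORWARDED_FOR', 'X-FORWARDED-FOR', 'x_forwarded_for')
// to the $_SERVER key form: upper case, dashes to underscores, 'HTTP_' prefix.
function canonicalServerKey(string $name): string {
    $key = strtoupper(str_replace('-', '_', $name));
    return strpos($key, 'HTTP_') === 0 ? $key : 'HTTP_' . $key;
}

// Look the header up in $_SERVER (populated under mod_php and php-fpm alike) and,
// when given, in the apache_request_headers() array (mod_php only; names there
// come back as 'X-Forwarded-For', which is why the config value looks different).
function findHeaderValue(string $configured, array $server, array $apacheHeaders): ?string {
    $want = canonicalServerKey($configured);
    if (isset($server[$want])) {
        return $server[$want];
    }
    foreach ($apacheHeaders as $name => $value) {
        if (canonicalServerKey($name) === $want) {
            return $value;
        }
    }
    return null;
}

// Client IP for logging: honour the forwarded header only when REMOTE_ADDR is one
// of our proxies, and take the entry that proxy appended (the last one), because
// everything before it in a comma-separated list was supplied by the client side.
function clientIp(array $server, array $apacheHeaders, string $configured, array $trustedProxies): string {
    $remote = $server['REMOTE_ADDR'];
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $value = findHeaderValue($configured, $server, $apacheHeaders);
    if ($value === null) {
        return $remote;
    }
    $hops = array_map('trim', explode(',', $value));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP) ? $candidate : $remote;
}

// Constructed request as seen behind the proxy 192.168.2.1 from the thread; the
// forwarded client address 203.0.113.9 is made up. Each spelling resolves to the
// forwarded address rather than the proxy; a request from an untrusted peer would not.
$server = ['REMOTE_ADDR' => '192.168.2.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'];
foreach (['HTTP_X_FORWARDED_FOR', 'X-FORWARDED-FOR', 'X_FORWARDED_FOR'] as $cfg) {
    echo $cfg, ' => ', clientIp($server, [], $cfg, ['192.168.2.1']), PHP_EOL;
}
```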

Okay, thank you for your help.

Regards
Richard