Ubuntu 16.04.4 LTS
Since updating to Z-Push 2.4.0 the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” is not working as expected. Z-Push is logging the IP from the reverse proxy instead of the forwarded IP.
// Use a custom header to determinate the remote IP of a client.
// By default, the server provided REMOTE_ADDR is used. If the header here set
// is available, the provided value will be used, else REMOTE_ADDR is maintained.
// set to false to disable this behaviour.
// common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
define('USE_CUSTOM_REMOTE_IP_HEADER', 'HTTP_X_FORWARDED_FOR');
Mar 13 13:55:22 server z-push/core: [WARN] [dfsd] IP: 192.168.2.1 failed to authenticate user 'dfsd'
Steps to Reproduce
Enable the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” and then check the Apache logs. This is only reproducible if the webserver is behind a reverse proxy.
The reverse proxy IP is logged.
The forwarded IP is logged.
Troubleshooting/Testing Steps Attempted
I’ve tried to change the parameter to several settings without success. The Apache server is logging the correct IP. I’ve set up a test site within Apache and the real IP is displayed within the header “HTTP_X_FORWARDED_FOR”.
No workaround found yet.
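
The lookup that the config comment describes, written out as an added example (it is not Z-Push's code and not part of the original post). It adds a trusted-proxy check so the header is only honoured when the connection comes from the reverse proxy. `resolve_client_ip()` and `TRUSTED_PROXIES` are hypothetical names, and treating 192.168.2.1 from the log line as the proxy address is an assumption.

```php
<?php
// Added example, not Z-Push code. Hypothetical names: TRUSTED_PROXIES, resolve_client_ip().
const TRUSTED_PROXIES = ['192.168.2.1']; // assumed: the reverse proxy seen in the log line

function resolve_client_ip(array $server, $header, array $trustedProxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Per the config comment: false disables the custom header lookup.
    if ($header === false || $header === '') {
        return $remote;
    }
    // Only a connection from the proxy itself may override REMOTE_ADDR;
    // any other peer could send the header with an arbitrary value.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // "casing is ignored": match the configured name case-insensitively.
    $value = null;
    foreach ($server as $key => $v) {
        if (strcasecmp((string)$key, (string)$header) === 0) {
            $value = (string)$v;
            break;
        }
    }
    if ($value === null) {
        return $remote; // header absent: REMOTE_ADDR is maintained
    }
    // X-Forwarded-For can be a list "client, proxy1, proxy2". Walk it from the
    // right and take the first hop that is not one of our own proxies.
    $hops = array_reverse(array_map('trim', explode(',', $value)));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: keep client-supplied text out of the log
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests using documentation address ranges.
$viaProxy = ['REMOTE_ADDR' => '192.168.2.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
$direct   = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
echo resolve_client_ip($viaProxy, 'http_x_forwarded_for'), "\n"; // header honoured: peer is the proxy
echo resolve_client_ip($direct, 'HTTP_X_FORWARDED_FOR'), "\n";   // header ignored: peer is not trusted
```

The address this returns is what ends up in the failed-authentication log line, so anything that consumes that log (for example a ban list) inherits whatever trust decision is made here.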