Incident: Parameter "USE_CUSTOM_REMOTE_IP_HEADER" not working



  • Date Seen
    13.03.2018

    Versions
    Ubuntu 16.04.4 LTS
    Apache 2.4.18
    Z-Push 2.4.0
    Kopano 8.6.80

    Bug Description
    Since updating to Z-Push 2.4.0 the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” is not working as expected. Z-Push is logging the IP from the reverse proxy instead of the forwarded IP.

        // Use a custom header to determinate the remote IP of a client.
        // By default, the server provided REMOTE_ADDR is used. If the header here set
        // is available, the provided value will be used, else REMOTE_ADDR is maintained.
        // set to false to disable this behaviour.
        // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
        define('USE_CUSTOM_REMOTE_IP_HEADER', 'HTTP_X_FORWARDED_FOR');
    
    Mar 13 13:55:22 server z-push/core[15150]: [WARN] [dfsd] IP: 192.168.2.1 failed to authenticate user 'dfsd'
    

    Severity
    Minor

    Steps to Reproduce
    Enable the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” and then check the Apache logs. This is only reproducible if the webserver is behind a reverse proxy.

    Actual Behavior
    The reverse proxy ip is logged.

    Expected Behavior
    The forwarded ip is logged.

    Troubleshooting/Testing Steps Attempted
    I’ve tried to change the parameter to several settings without success. The Apache server is logging the correct IP. I’ve set up a test site within Apache and the real IP is displayed within the header “HTTP_X_FORWARDED_FOR”.

    Workaround
    No workaround found yet.


  • Kopano

    Hi darootler,

    apache_request_headers() function strips ‘HTTP_’ from the header name and replaces underscores with dashes. So in your case it should be X-FORWARDED-FOR.

    Manfred


  • Kopano

    Thanks for the report. I have created a ticket for it https://jira.z-hub.io/browse/ZP-1373



  • Hi,

    option “X-FORWARDED-FOR” is working as expected.

    Thank you for creating the ticket and your help.

    Regards
    Richard



  • Hi,

    I am using the following versions and I am not able to get the “real” IP:

    Ubuntu 18.04.1 LTS
    Apache 2.4.29
    Z-Push 2.4.4
    Kopano 8.6.81

    Regards
    Richard


  • Kopano

    Hi Richard,

    a little bit more context here would be helpful. In your post 7 months ago you wrote that X-FORWARDED-FOR is working as expected.

    What has changed since? What is the value of USE_CUSTOM_REMOTE_IP_HEADER in the Z-Push config? Is there a DEBUG log level entry like:

    Using custom header 'HTTP_X_FORWARDED_FOR' to determine remote IP ...
    

    Manfred



  • Hi Manfred,

    I tried “X-FORWARDED-FOR” and “HTTP_X_FORWARDED_FOR” for “USE_CUSTOM_REMOTE_IP_HEADER”. I installed Z-Push on a new system, so all components changed. The logs are always filled with the private reverse proxy IP.

    Regards
    Richard



  • Hi,

    the value “X_FORWARDED_FOR” is working as expected. Is this wanted? Didn’t match the description:

    // Use a custom header to determinate the remote IP of a client.
    // By default, the server provided REMOTE_ADDR is used. If the header here set
    // is available, the provided value will be used, else REMOTE_ADDR is maintained.
    // set to false to disable this behaviour.
    // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
    

    Regards
    Richard


  • Kopano

    Hi Richard,

    @darootler said in Incident: Parameter "USE_CUSTOM_REMOTE_IP_HEADER" not working:

    Hi,

    the value “X_FORWARDED_FOR” is working as expected. Is this wanted? Didn’t match the description:

    // Use a custom header to determinate the remote IP of a client.
    // By default, the server provided REMOTE_ADDR is used. If the header here set
    // is available, the provided value will be used, else REMOTE_ADDR is maintained.
    // set to false to disable this behaviour.
    // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
    

    Regards
    Richard

    The description says “common values”, but it doesn’t mean that only these values are possible. It also depends if you’re using modphp or php-fpm, which webserver etc. Therefore USE_CUSTOM_REMOTE_IP_HEADER is configurable so that it can be changed to match one’s needs.

    X_FORWARDED_FOR is also a common header: https://en.wikipedia.org/wiki/X-Forwarded-For

    Manfred



  • Okay, thank you for your help.

    Regards
    Richard
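
The header-name mismatch discussed in this thread, as an added example that is not Z-Push's own code: it accepts the setting in any of the three spellings tried above and honours the header only when the connection comes from a known reverse proxy. The names `TRUSTED_PROXIES`, `canonicalHeaderName` and `resolveClientIp` and the sample addresses are assumptions made for the illustration.

```php
<?php
// Added example, not Z-Push code. TRUSTED_PROXIES and both function names are hypothetical.
const TRUSTED_PROXIES = ['192.168.2.1'];   // constructed: the proxy address from the log line

// Reduce 'HTTP_X_FORWARDED_FOR', 'X-Forwarded-For' and 'X_FORWARDED_FOR' to one key.
function canonicalHeaderName(string $name): string {
    $name = strtoupper(str_replace('-', '_', trim($name)));
    return strpos($name, 'HTTP_') === 0 ? substr($name, 5) : $name;
}

// $headers: name => value, from apache_request_headers() or the HTTP_* entries of $_SERVER.
function resolveClientIp(string $remoteAddr, array $headers, $configured): string {
    // Only a connection from a known proxy may override REMOTE_ADDR.
    if ($configured === false || !in_array($remoteAddr, TRUSTED_PROXIES, true)) {
        return $remoteAddr;
    }
    $wanted = canonicalHeaderName($configured);
    foreach ($headers as $name => $value) {
        if (canonicalHeaderName((string)$name) !== $wanted) {
            continue;
        }
        // Walk the list right to left: entries further right were appended by proxies
        // closer to this server; the first one that is not a trusted proxy is the client.
        foreach (array_reverse(explode(',', (string)$value)) as $candidate) {
            $candidate = trim($candidate);
            if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
                break;              // malformed entry: stop and fall back to REMOTE_ADDR
            }
            if (!in_array($candidate, TRUSTED_PROXIES, true)) {
                return $candidate;
            }
        }
        break;
    }
    return $remoteAddr;
}

// Constructed requests: the same header looked up under the three spellings from the thread.
$spellings = ['HTTP_X_FORWARDED_FOR', 'X-FORWARDED-FOR', 'X_FORWARDED_FOR'];
foreach ($spellings as $cfg) {
    $ip = resolveClientIp('192.168.2.1', ['X-Forwarded-For' => '203.0.113.7'], $cfg);
    echo $cfg, ' => ', $ip, "\n";
}
// Connection that does not come from the proxy but carries the header: header is ignored.
echo resolveClientIp('198.51.100.9', ['X-Forwarded-For' => '10.0.0.5'], 'X_FORWARDED_FOR'), "\n";
```

Because the logged address feeds the authentication-failure entries shown in the report, restricting the override to known proxies keeps a directly connecting client from choosing the IP that ends up in the log.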