Incident: Parameter "USE_CUSTOM_REMOTE_IP_HEADER" not working

Date Seen
13.03.2018

Versions
Ubuntu 16.04.4 LTS
Apache 2.4.18
Z-Push 2.4.0
Kopano 8.6.80

Bug Description
Since updating to Z-Push 2.4.0, the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” is not working as expected. Z-Push is logging the IP from the reverse proxy instead of the forwarded IP.

    // Use a custom header to determinate the remote IP of a client.
    // By default, the server provided REMOTE_ADDR is used. If the header here set
    // is available, the provided value will be used, else REMOTE_ADDR is maintained.
    // set to false to disable this behaviour.
    // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
    define('USE_CUSTOM_REMOTE_IP_HEADER', 'HTTP_X_FORWARDED_FOR');

    Mar 13 13:55:22 server z-push/core[15150]: [WARN] [dfsd] IP: 192.168.2.1 failed to authenticate user 'dfsd'

Severity
Minor

Steps to Reproduce
Enable the parameter “USE_CUSTOM_REMOTE_IP_HEADER” with option “HTTP_X_FORWARDED_FOR” and then check the Apache logs. This is only reproducible if the webserver is behind a reverse proxy.

Actual Behavior
The reverse proxy IP is logged.

Expected Behavior
The forwarded IP is logged.

Troubleshooting/Testing Steps Attempted
I’ve tried to change the parameter to several settings without success. The Apache server is logging the correct IP. I’ve set up a test site within Apache and the real IP is displayed within the header “HTTP_X_FORWARDED_FOR”.

Workaround
No workaround found yet.

Hi darootler,

The apache_request_headers() function strips ‘HTTP_’ from the header name and replaces underscores with dashes. So in your case it should be X-FORWARDED-FOR.

Manfred
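
The name mismatch described in the reply above can be avoided by normalizing both spellings before the lookup. The following is an added example, not Z-Push's own code: the function names and the trusted-proxy list are assumptions, and the sample addresses are constructed. It also honors the header only when the connection actually comes from the known reverse proxy, because any client can send an X-Forwarded-For header of its own.

```php
<?php
// Added example, not Z-Push code. Function names and the proxy list are hypothetical.

// Map 'HTTP_X_FORWARDED_FOR' and 'X-Forwarded-For' to the same key: 'x-forwarded-for'.
function normalize_header_name(string $name): string {
    $name = strtolower(trim($name));
    if (strpos($name, 'http_') === 0) {
        $name = substr($name, 5);
    }
    return str_replace('_', '-', $name);
}

// $headers:    name => value, in the shape returned by apache_request_headers().
// $remoteAddr: $_SERVER['REMOTE_ADDR'], the peer that opened the connection.
// $configured: the configured header name, or false to disable the lookup.
function resolve_client_ip(array $headers, string $remoteAddr, $configured, array $trustedProxies): string {
    // Lookup disabled, or the peer is not our reverse proxy: the header is
    // client-controlled in that case, so it is ignored.
    if ($configured === false || !in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    $wanted = normalize_header_name($configured);
    foreach ($headers as $name => $value) {
        if (normalize_header_name($name) !== $wanted) {
            continue;
        }
        // The value may be a list "client, proxy1, proxy2". Walk it from the right
        // and return the first valid address that is not one of our own proxies.
        foreach (array_reverse(explode(',', $value)) as $candidate) {
            $candidate = trim($candidate);
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false
                && !in_array($candidate, $trustedProxies, true)) {
                return $candidate;
            }
        }
    }
    return $remoteAddr; // header missing or unusable: keep REMOTE_ADDR
}

// Constructed sample request: proxy 192.168.2.1 forwards a client at 203.0.113.7.
$headers = ['Host' => 'mail.example.org', 'X-Forwarded-For' => '203.0.113.7'];
$proxies = ['192.168.2.1'];

// Setting written in $_SERVER style, then in header style, both arriving via the proxy.
echo resolve_client_ip($headers, '192.168.2.1', 'HTTP_X_FORWARDED_FOR', $proxies), "\n";
echo resolve_client_ip($headers, '192.168.2.1', 'X-FORWARDED-FOR', $proxies), "\n";
// Same header sent over a direct connection that did not pass through the proxy.
echo resolve_client_ip($headers, '198.51.100.9', 'X-FORWARDED-FOR', $proxies), "\n";
```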

Thanks for the report. I have created a ticket for it https://jira.z-hub.io/browse/ZP-1373

Hi,

The option “X-FORWARDED-FOR” is working as expected.

Thank you for creating the ticket and your help.

Regards
Richard