X-Forwarded-For header #2762

Closed
sorano opened this issue May 21, 2021 · 6 comments

@sorano

sorano commented May 21, 2021

Describe the feature you'd like
It would be nice to support the X-Forwarded-For header

Describe the benefits this feature would bring to BookStack users
When hosting BookStack behind a reverse proxy, any login will show the IP from the reverse proxy instead of the IP of the originating user. For trackability and identification it would be nice to see the real IP.

Additional context
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

@sorano
Author

sorano commented May 21, 2021

Laravel supports this already:
https://laravel.com/docs/8.x/requests#configuring-trusted-proxies

@ssddanbrown
Member

Thanks for the suggestion @sorano,
Can you confirm where you're seeing the IP address within BookStack?

@sorano
Author

sorano commented May 22, 2021

Well, I haven't actually been looking "within" BookStack. The Apache vhost configuration has:

    ErrorLog error.log
    CustomLog access.log combined

So I'm looking at access.log and seeing log entries like these:

    172.25.0.124 - - [22/May/2021:14:43:20 +0200] "GET /login HTTP/1.1" 200 3136 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"

Where 172.25.0.124 is the IP of the reverse proxy. However, I guess logging within the application would be needed to show the real IP, since Apache access would be processed before.

@ssddanbrown
Member

@sorano I don't think we'd have any control over what Apache is logging in that regard.

You'll likely need to alter the LogFormat like so:
https://docs.rightscale.com/faq/How_can_I_log_the_source_client_IP_of_an_app_request_on_my_backend_Apache_application_server.html

Or maybe attempt using mod_remoteip?

@ssddanbrown
Member

Will therefore close this off. If you're sure that BookStack determines any IP address you see then feel free to comment with any evidence and I'll reopen this.

@tipuraneo

I faced the same issue: reverse proxy IPs were shown in the Apache and BookStack audit logs. Solved it with the Apache module remoteip. Now real client IPs appear in Apache and audit logs.

Enable module:

    a2enmod remoteip

Add config
/etc/apache2/apache2.conf

    # Header config
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy [IPs or CIDR subnets]

Restart Apache

    apache2ctl configtest
    apache2ctl restart
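
Added example (not part of the thread, and not BookStack or Apache code): a simplified Python model of the right-to-left X-Forwarded-For evaluation that mod_remoteip documents, showing why the `RemoteIPInternalProxy` list in the comment above should hold only the reverse proxy's own addresses. The function name is hypothetical, and the 172.25.0.0/24 range and client addresses are constructed sample values.

```python
import ipaddress


def resolve_client_ip(peer, xff, trusted_cidrs):
    """Return the address that should be logged for one request.

    peer          -- address of the TCP connection as seen by the backend
    xff           -- raw X-Forwarded-For header value, or None
    trusted_cidrs -- networks allowed to present a forwarded address
                     (the role RemoteIPInternalProxy plays in the config)
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    client = ipaddress.ip_address(peer)
    if not xff:
        return str(client)
    # Walk the hops right to left. A hop is believed only when the address
    # that reported it is itself a trusted proxy.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_trusted(client):
            break
        try:
            client = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
    return str(client)


# Constructed cases: (description, peer, header value, trusted networks)
SAMPLES = [
    ("proxy forwards client", "172.25.0.124", "203.0.113.7", ["172.25.0.0/24"]),
    ("client pre-filled header", "172.25.0.124", "10.0.0.1, 203.0.113.7",
     ["172.25.0.0/24"]),
    ("same request, trust too broad", "172.25.0.124", "10.0.0.1, 203.0.113.7",
     ["0.0.0.0/0"]),
    ("direct hit bypassing proxy", "198.51.100.9", "192.0.2.1", ["172.25.0.0/24"]),
]

if __name__ == "__main__":
    for desc, peer, xff, nets in SAMPLES:
        print(f"{desc:32} -> {resolve_client_ip(peer, xff, nets)}")
```

With the trust list limited to the proxy's subnet, a header value supplied by the client is ignored; with an over-broad list, the same request is logged under the address the client chose.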
