New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Wrong IP logged with several internal proxies or internal network IPs #5726
Comments
Quick answer already: you need to make sure that both your proxy addresses are in the list of trusted proxies |
Sure. I tested without setting TRUSTED_PROXY env var, or with setting it to "10.0.0.0/8 192.168.0.0/16" for example I have other pods in the same cluster that log the user IP (going through the same 2 reverse proxies), after switching (inside their docker image) from RemoteIPTrustedProxy to RemoteIPInternalProxy (wordpress, for example, see docker-library/wordpress#830) |
I am confused by RemoteIPInternalProxy vs. RemoteIPTrustedProxy even after re-reading the definition (in English) several times. Additional explanations (and tests?) welcome |
Here is how I understood the documentation: let's consider the following test-case (simpler than mine above, with a single reverse-proxy):
If FreshRSS used With the current configuration of FreshRSS (using The difference between the 2 directives is about the client IP, not about the reverse-proxy IP. |
even when the proxy's IP is given in the list of What is the use-case of |
The IPs you give on the line The choice between |
You can check this behavior by injecting a phpinfo.php file inside the docker container (for example in /var/www/FreshRSS/p/ directory), call this phpinfo.php from a browser on local network, and see the value of REMOTE_ADDR. I've tested that with FreshRSS, too. With standard 1.22, the docker logs display the IP of the reverse proxy (10.x) |
I don't know why Apache provides these 2 different directives, with this subtle difference. |
You are welcome to send a PR. |
After digging in the history of remoteip, I found that this distinction has been introduced in this commit: https://svn.apache.org/viewvc?view=revision&revision=756323 . See the changes here: https://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/mod_remoteip.c?r1=756323&r2=755437&pathrev=756323&diff_format=h So both RemoteIPTrustedProxy and RemoteIPInternalProxy directives have been introduced at the same time, in 2009. Here is my understanding of the developer intention:
|
instead of RemoteIPTrustedProxy directive To allow internal IPs to be trusted: for internal clients, and also for the case of chained internal reverse-proxies Fixes FreshRSS#5726
Thanks for the archaeology efforts, @mossroy 👍🏻 Let's go for |
* Use RemoteIPInternalProxy directive of remoteip Apache module instead of RemoteIPTrustedProxy directive To allow internal IPs to be trusted: for internal clients, and also for the case of chained internal reverse-proxies Fixes #5726 * One last reference forgotten --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Describe the bug
With #5549 and v1.22, reverse-proxies are trusted by default (if on internal network).
But, if you have at least 2 chained proxies on internal network, it does not work (wrong IP is logged).
It seems to me that RemoteIPInternalProxy directive should be used instead of RemoteIPTrustedProxy. See https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The logged IP should be the one of the real user
Environment information (please complete the following information):
Additional context
It's probable that the same issue occurs if you use a single reverse proxy, and call it from an internal network (but I did not check)
See the explanation of RemoteIPInternalProxy directive here: https://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
It says that remote internal IPs are not trusted with this directive. In my steps to reproduce, the IP of the first reverse-proxy is an internal one, so it's not trusted.
It's probable that replacing RemoteIPTrustedProxy directive by RemoteIPInternalProxy (in Apache conf, and in the entrypoint that can modify it) would solve the issue
I can do a PR if necessary
The text was updated successfully, but these errors were encountered: