Add support for Forwarded-For and Real-IP headers in HTTP inputs #22872
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
add hashcode/equals to resolvable inet socket address wrapper, comparing them in tests add RawMessageHandler test fix subnet trusted proxy code (yay tests)
kroepke
changed the title
bernd
requested changes
Jun 19, 2025
Member
bernd
left a comment
bernd
left a comment
There was a problem hiding this comment.
I noticed two issues during testing that need to be addressed before I can continue testing and review.
graylog2-server/src/main/java/org/graylog2/inputs/transports/netty/HttpForwardedForHandler.java
Outdated
Show resolved
Hide resolved
graylog2-server/src/main/java/org/graylog2/inputs/transports/netty/HttpForwardedForHandler.java
Outdated
Show resolved
Hide resolved
…ke it clear FullHttpMessage objects need to be retained, because they contain the body as well (the reason we switched the type) guard against invalid ip literals and log a warning in case we cannot parse the ip address debug log if we don't know any relaying proxy
…roxies don't include themselves in the forwarded-for list
bernd
approved these changes
Jun 25, 2025
Member
bernd
left a comment
bernd
left a comment
There was a problem hiding this comment.
Thanks! I tested this change with different setting configurations.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
/prd https://github.com/Graylog2/graylog-plugin-enterprise/pull/11072
Description
This change adds a netty channel handler that extracts the original IP from various headers if configured appropriately.
The default settings behave as before, users can enable handling
X-Forwarded-For/Forwardedheaders, optionally enforcing all proxy IPs to be in thetrusted_proxiessetting, as well as taking the client's IP from aX-Real-IP(or similar style) header.When checking against
trust_proxiesGraylog will also consider the remote address of the HTTP socket to be a proxy and check its address. Some proxies do not include themselves, e.g. traefik does this, so Graylog considers the remote side to be a proxy in this case as well.Motivation and Context
If Graylog runs behind a load balancer or proxy and the codec or processing doesn't explicitly set the message
source, Graylog will use the remote address of the HTTP network connection, which ends up being the proxy's address, not the client's IP.This change allows overriding the IP, based on standard headers, or de-facto industry conventions.
How Has This Been Tested?
Added unit tests.
Types of changes
Checklist:
Fixes #22837