show X-Forwarded-For ip header on rainloop auth logs behind haproxy

[enriluis]

**RainLoop version1.12.1, browser Mozilla Firefox 65.0.2 , OS:Windows 10 on client side, on the server Ubuntu Linux working fine, behind haproxy

Expected behavior and actual behavior:
i want to tell ha proxy showme the, now it show the haproxy ip not the X-Forwarded-For header.
i want make some how to block more of 3 or 5 failled logins
LogFormat "%{X-Forwarded-For}i %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"" combined

but rainlop auths logs are show to me the haproxy ip

Steps to reproduce the problem:

Logs or screenshots:
apche log showing real ip client:
200.55.xxx.xxx - - [15/Mar/2019:15:17:44 -0500] "GET /?/Ajax/&q[]=/_ouGQQPoG93XHTEm_pVHseebg_ZeUUNY73NmR7SwR7AOtPXCOA-8lJ0imL_AJN8mugLM5tlwKcrISWtii1fZkDvo7bLFmA7i1gyoMeOk5vTh-VoAj26wsE18oINZKpo0XMdmNPhbRuNBI5MEtv1Gghu37Ihu6hKHLzt1byKwrHubvjsDOsOu3gdb5K15AM6ZyLZnt7XfU_gatuSx-FY9gdB3Uk28Nhaq__s6VFcr2XNxTZ_9pwy6ZS386KQ7BgGRrB5MZzD44ZN2yON3b__PvKLkwYSYUpKsEPOIFrjIaFI_KMj8SdqIVOrQd-f5qaa2spTihV7o0xVgXGc5D/MessageList/&q[]=/SU5CT1gAMAAyMAAANDA2YTQxMzVhYjJkODBlY2FhZGIwZDU0NjE5OWE3YTQAZWJkM2MxOWQ4ODJmYTIzNjYyMDI2N2MzYzE3MmM2ZmQANTE0OTUAMAA HTTP/1.1" 200 34383 "https://webmail.domain/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"

rainloop log showing haproxy ip:
[20:18:33.651][7d2b2611] INFO[DATA]: [DATE:15.03.19][OFFSET:-00][RL:1.12.1][PHP:7.2.15-0ubuntu0.18.04.1][172.20.20.13][PID:13079][Apache/2.4.29 (Ubuntu)][apache2handler]
[20:18:33.651][7d2b2611] INFO[DATA]: [Suhosin:off][APC:off][MB:on][PDO:mysql][Streams:tcp,udp,unix,udg,ssl,tls,tlsv1.0,tlsv1.1,tlsv1.2]
[20:18:33.651][7d2b2611] REQUEST[NOTE]: [POST] https://webmail.domain/?/Ajax/&q[]=/0/
[20:18:33.651][7d2b2611] AJAX[NOTE]: Action: DoLogin
[20:18:33.651][7d2b2611] POST[DATA]: {"Email":"swd","Login":"","Password":"*******","Language":"","AdditionalCode":"","AdditionalCodeSignMe":"0","SignMe":"0","Action":"Login","XToken":"9364dabc0438d16fd4a85b0530b9c599"}
[20:18:33.651][7d2b2611] LOGIN[DATA]: The email address "swd" is not complete
[20:18:34.652][7d2b2611] INFO[NOTICE]: RainLoop\Exceptions\ClientException: InvalidInputArgument[903] in /var/www/mailweb/rainloop/v/1.12.1/app/libraries/RainLoop/Actions.php:2232

[12nick12]

Is this in the works?

[khimaros]

this would make fail2ban more useful when rainloop is behind a reverse proxy, eg. nginx

[khimaros]

it looks like this is at least partly implemented as a "lab" feature with http_client_ip_check_proxy:

rainloop-webmail/rainloop/v/0.0.0/app/libraries/RainLoop/Actions.php

Line 493 in 5e409ac

if (false !== \strpos($sLine, '{request:ip}'))

rainloop-webmail/rainloop/v/0.0.0/app/libraries/MailSo/Base/Http.php

Line 358 in f5b92b8

public function GetClientIp($bCheckProxy = false)

i will experiment with this setting in the afternoon.

[khimaros]

actually, i just verified that this works. you will need to set labs.http_client_ip_check_proxy = On in your rainloop application.ini and ensure that your reverse proxy is setting either of the X-Forwarded-For or Client-Ip headers correctly.