Trusted proxies doesn't set in some cases #5799

Closed
LaurenceJJones opened this issue Sep 4, 2023 · 2 comments
Labels
question ❔ Help is being requested

Comments


LaurenceJJones commented Sep 4, 2023

Hey all thanks for all your hard work!

We have a log processor that detects malicious behaviors within logs (https://www.crowdsec.net/). We are upgrading the parser to support client_ip, as that will be set if the user has a trusted proxy. However, we are hitting a slight issue: when the user is upgraded from http -> https they get a 308 permanent upgrade response, but the log does not replace the client_ip correctly.

Here is a log extract to show the trusted proxies and the subsequent logs:

[":80"],"routes":[{},{}],"logs":{"logger_names":{"*":"log0"}}},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"body":"Hello, world!","handler":"static_response"}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{},"trusted_proxies":{"ranges":["192.168.0.0/16","172.16.0.0/12","10.0.0.0/8","127.0.0.1/8","fd00::/8","::1"],"source":"static"},"logs":{"logger_names":{"*":"log0"}}}}}}
{"level":"info","ts":1693838953.3188682,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"47658","client_ip":"172.17.0.1","proto":"HTTP/1.0","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"X-Forwarded-Port":["80"],"User-Agent":["curl/7.74.0"],"Accept":["*/*"],"Forwarded":["for=\"[::1]\""],"X-Forwarded-For":["::1"],"X-Forwarded-Proto":["http"],"Connection":["close"],"X-Real-Ip":["::1"],"X-Forwarded-Host":["localhost"]}},"bytes_read":0,"user_id":"","duration":0.000024273,"size":0,"status":308,"resp_headers":{"Location":["https://127.0.0.1/"],"Content-Type":[],"Server":["Caddy"],"Connection":["close"]}}
{"level":"info","ts":1693838953.655273,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"47668","client_ip":"172.17.0.1","proto":"HTTP/1.0","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"User-Agent":["curl/7.74.0"],"X-Forwarded-For":["::1"],"X-Forwarded-Proto":["http"],"Forwarded":["for=\"[::1]\""],"X-Forwarded-Host":["localhost"],"X-Forwarded-Port":["80"],"Accept":["*/*"],"Connection":["close"],"X-Real-Ip":["::1"]}},"bytes_read":0,"user_id":"","duration":0.000020065,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://127.0.0.1/"],"Content-Type":[]}}
{"level":"info","ts":1693838953.9817054,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.17.0.1","remote_port":"47682","client_ip":"172.17.0.1","proto":"HTTP/1.0","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"Forwarded":["for=\"[::1]\""],"X-Forwarded-Port":["80"],"Accept":["*/*"],"Connection":["close"],"X-Real-Ip":["::1"],"X-Forwarded-For":["::1"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["localhost"],"User-Agent":["curl/7.74.0"]}},"bytes_read":0,"user_id":"","duration":0.000019256,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://127.0.0.1/"],"Content-Type":[]}}

Shouldn't the client_ip always be set correctly, even if the request was just a redirect? It means that our log processor could hit an issue if a user just ignores the redirects and keeps spamming URLs.

Here is the example Caddyfile I was using with NGINX as the upstream proxy just for testing:

{
  debug
  servers {
    trusted_proxies static private_ranges
  }
}
* {
  respond "Hello, world!"
  log {
    output stdout
  }
}

Nginx config:

# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
  default upgrade;
  ""      close;
}
map $remote_addr $proxy_forwarded_elem {
  # IPv4 addresses can be sent as-is
  ~^[0-9.]+$        "for=$remote_addr";
  # IPv6 addresses need to be bracketed and quoted
  ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
  # Unix domain socket names cannot be represented in RFC 7239 syntax
  default           "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
  # If the incoming Forwarded header is syntactically valid, append to it
  "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
  # Otherwise, replace it
  default "$proxy_forwarded_elem";
}
location / {
  proxy_pass http://127.0.0.1:8080; ## Caddy server within docker
  proxy_set_header Upgrade           $http_upgrade;
  proxy_set_header Connection        $connection_upgrade;
  proxy_set_header X-Real-IP         $remote_addr;
  proxy_set_header Forwarded         $proxy_add_forwarded;
  proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Forwarded-Host  $host;
  proxy_set_header X-Forwarded-Port  $server_port;
}

Then, if we just curl http://localhost, we will get a 308 redirect, but the log won't set the IP correctly, as it did come from the upstream proxy.
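The log-processor side of the problem described above, as an added example that is neither CrowdSec's parser nor Caddy's code: a small Go attribution routine over Caddy JSON access lines that uses client_ip when Caddy resolved it, but refuses to attribute a line whose client_ip is still a trusted-proxy address while a Forwarded/X-Forwarded-For header was present, which is exactly what the 308 lines in the issue look like. It deliberately never parses X-Forwarded-For itself, since that header is attacker-controlled unless the proxy chain has been validated, and client_ip is the record of that validation. The three sample lines are constructed for this example after the issue's extract (with documentation addresses 203.0.113.7 and 198.51.100.9); the ranges are the ones Caddy logged for private_ranges in the issue; the Verdict type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// PrivateRanges mirrors what Caddy logged for `trusted_proxies static private_ranges`.
var PrivateRanges = []string{"192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "127.0.0.1/8", "fd00::/8", "::1"}

// Sample lines, constructed for this example after the issue's log extract and
// trimmed to the relevant fields.
var (
	// The 308 from the auto-generated redirect server: client_ip stayed on the proxy.
	RedirectLine = `{"logger":"http.log.access","request":{"remote_ip":"172.17.0.1","client_ip":"172.17.0.1","proto":"HTTP/1.0","method":"GET","host":"127.0.0.1:8080","uri":"/","headers":{"X-Forwarded-For":["::1"],"Forwarded":["for=\"[::1]\""],"X-Forwarded-Proto":["http"]}},"status":308}`
	// The same proxy on a server where trusted_proxies applied.
	ResolvedLine = `{"logger":"http.log.access","request":{"remote_ip":"172.17.0.1","client_ip":"203.0.113.7","proto":"HTTP/2.0","method":"GET","host":"example.com","uri":"/","headers":{"X-Forwarded-For":["203.0.113.7"],"X-Forwarded-Proto":["https"]}},"status":200}`
	// A client connecting directly, with no proxy in front.
	DirectLine = `{"logger":"http.log.access","request":{"remote_ip":"198.51.100.9","client_ip":"198.51.100.9","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/","headers":{}},"status":200}`
)

// accessEntry holds the access log fields needed to attribute a request.
type accessEntry struct {
	Status  int `json:"status"`
	Request struct {
		RemoteIP string              `json:"remote_ip"`
		ClientIP string              `json:"client_ip"`
		Headers  map[string][]string `json:"headers"`
	} `json:"request"`
}

// Verdict is the decision for one line; Usable is false when the line must
// not drive a ban decision.
type Verdict struct {
	IP     string
	Usable bool
	Reason string
}

// ParseRanges accepts CIDRs and bare addresses, as trusted_proxies does.
func ParseRanges(specs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(specs))
	for _, s := range specs {
		if !strings.Contains(s, "/") {
			if ip := net.ParseIP(s); ip != nil && ip.To4() != nil {
				s += "/32"
			} else {
				s += "/128"
			}
		}
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("trusted range %q: %w", s, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func inRanges(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Attribute decides which address a log line is attributed to. It never reads
// X-Forwarded-For or Forwarded itself: those are attacker-controlled unless Caddy
// validated the proxy chain, and client_ip is the record of that validation. Their
// presence is used only as evidence that trusted_proxies was not applied.
func Attribute(line string, proxies []*net.IPNet) (Verdict, error) {
	var e accessEntry
	if err := json.Unmarshal([]byte(line), &e); err != nil {
		return Verdict{}, fmt.Errorf("parse access log: %w", err)
	}
	remote := net.ParseIP(e.Request.RemoteIP)
	if remote == nil {
		return Verdict{}, fmt.Errorf("parse access log: bad remote_ip %q", e.Request.RemoteIP)
	}
	_, hasXFF := e.Request.Headers["X-Forwarded-For"]
	_, hasFwd := e.Request.Headers["Forwarded"]
	client := e.Request.ClientIP
	if client == "" { // older Caddy without client_ip: remote_ip is all there is
		client = e.Request.RemoteIP
	}
	if client == e.Request.RemoteIP && inRanges(remote, proxies) && (hasXFF || hasFwd) {
		// The proxy forwarded a client address, yet Caddy resolved the request to
		// the proxy itself, so trusted_proxies did not apply on this server (the
		// redirect server in the issue). Banning it would ban the proxy: refuse.
		return Verdict{Reason: fmt.Sprintf("status %d: client_ip %s is a trusted proxy although a forwarding header was present", e.Status, client)}, nil
	}
	return Verdict{IP: client, Usable: true, Reason: "resolved client address"}, nil
}

func main() {
	proxies, err := ParseRanges(PrivateRanges)
	if err != nil {
		panic(err)
	}
	for _, line := range []string{RedirectLine, ResolvedLine, DirectLine} {
		v, err := Attribute(line, proxies)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("usable=%t ip=%q reason=%s\n", v.Usable, v.IP, v.Reason)
	}
}
```

Run against the three lines, the 308 line comes back unusable with a reason naming the proxy address, the resolved line attributes to 203.0.113.7, and the direct line attributes to 198.51.100.9. The refusal is the important part: a ban engine that fell back to remote_ip here would ban 172.17.0.1, i.e. its own reverse proxy, and one that parsed X-Forwarded-For itself would let any client choose the address it gets banned as.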

francislavoie (Member) commented:

See https://caddyserver.com/docs/caddyfile/options#name. servers only applies to servers that actually appear in the config, so it will not apply to the HTTP server used for redirects unless you have it explicitly appear in the config.

Also * doesn't make sense as a site address, I suggest you change that. See https://caddyserver.com/docs/caddyfile/concepts#addresses

francislavoie closed this as not planned on Sep 4, 2023
francislavoie added the question label on Sep 4, 2023
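The fix the reply points at, written out as an added example (not the issue's config and not from the Caddy project): the :80 server has to appear in the Caddyfile for the global servers options to reach it, so the HTTP site is declared explicitly instead of being left to automatic HTTPS. example.com stands in for the wildcard the issue used, and the logging matches the issue's Caddyfile. Because an explicit http:// site for a host means Caddy's automatic HTTPS no longer adds its own redirect for it, the redirect is written out:

```caddyfile
{
	servers {
		# Applies to every server that appears in this config; the
		# auto-generated HTTP->HTTPS redirect server does not, which is
		# why the 308 lines in the issue logged the proxy as client_ip.
		trusted_proxies static private_ranges
	}
}

# Explicit HTTP site so the :80 server exists in the config and gets
# trusted_proxies. Reproduces the redirect automatic HTTPS would have added.
http://example.com {
	log {
		output stdout
	}
	redir https://{host}{uri} 308
}

https://example.com {
	respond "Hello, world!"
	log {
		output stdout
	}
}
```

Check it the same way as in the issue: curl http://localhost through nginx and compare the 308 line's client_ip with its remote_ip. With trusted_proxies in effect, client_ip is the address nginx forwarded (::1 in the issue's logs), not 172.17.0.1. Keep the ranges as tight as the deployment allows: private_ranges lets any private-address source set the client address, which is fine for a single Docker-hosted nginx but broad on a shared network.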
LaurenceJJones (Author) commented:

Yeah, as said, it's purely just a demo environment to write the parsers. That's fine, I will just divert anyone that has potential issues to the documentation (I don't use Caddy, as you can tell, so I'm learning also).
