Item14380: backported UseForwardedHeaders

core/data/System/ReleaseNotes02x01.txt

@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1675684512" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1677500294" format="1.1" version="1"}%
 %META:TOPICPARENT{name="ReleaseHistory"}%
 ---+!! Release Notes 2.1.x
 
@@ -157,7 +157,7 @@ version.
 
 ---+++ Additional support for Proxy configurations.
 
-Foswiki has a new option under bin/configure -> Security and Authentication -> Proxies: ={PROXY}{UseForwardedForHeader}=.  Enable this setting
+Foswiki has a new option under bin/configure -> Security and Authentication -> Proxies: ={PROXY}{UseForwardedHeaders}=.  Enable this setting
 if the Foswiki is accessed through a reverse proxy. Foswiki will the use the =X-Forwarded-For= header to determine the Client IP address.  This has several effects:
    * Foswiki will log the real Client IP address instead of the address of the reverse proxy server.
    * Session IP matching will use the real client IP when determining if the CGI Session is for the correct client.

core/lib/Foswiki.spec

@@ -1167,33 +1167,16 @@ $Foswiki::cfg{AccessibleHeaders} = ['Accept-Language', 'User-Agent'];
 # http://username:password@proxy.your.company:8080.
 $Foswiki::cfg{PROXY}{HOST} = undef;
 
-# **BOOLEAN LABEL="Forwarded For" **
-# Use the =Forwarded-For*= header to determine the Client IP.
-# Foswiki normally uses the local server information for identifying the connection information.
-# However when a proxy server, load balancer, SSL Accelerator or other intermediate
-# devices are present, this connection information will most likely be incorrect.
-# Enable this setting to make use of the Proxy headers provided by the Client or intermediate devices:
-#    * =X-Forwarded-For= _Identifies the client IP, overrides REMOTE_ADDRESS variable._
-#    * =Forwarded For=...= _Identifies the client IP, overrides REMOTE_ADDRESS variable._
-# <p/>
-# *Caution:* These headers are easily spoofed. Only enable this flag if you are certain that
-# a proxy server exists and that you trust the Proxy server. 
-# *The proxy server should strip any spoofed =x-Forwarded-*= headers sent by the client.*
-# <p/>
-# Note that this setting also impacts Logging, and CGI Session IP matching. Changing this setting
-# will break all active sessions behind the proxy and require re-authentication.
-$Foswiki::cfg{PROXY}{UseForwardedFor} = $FALSE;
-
 # **BOOLEAN LABEL="Forwarded Headers" **
 # Use the =Forwarded-*= headers to determine the URL Protocol, Hostname and Port.
 # Foswiki normally uses the local server information for identifying the connection information.
 # A reverse proxy will hide the URL used by the client.
 # <p/>
 # Enable this setting to make use of the Proxy headers provided by the Client or intermediate devices:
+#    * =X-Forwarded-For= _Identifies the client IP, overrides REMOTE_ADDRESS variable._
 #    * =X-Forwarded-Host= _Captures the hostname used by the client in it's initial request._
 #    * =X-Forwarded-Proto= _Specifies if the client used an HTTP or HTTPS secure connection._
 #    * =X-Forwarded-Port= _Specifies the original port used by the client._
-#    * =Forwarded:= _New standards based header replaces the X-Forwarded* headers._
 # <p/>
 # *Caution:* These headers are easily spoofed. Only enable this flag if you are certain that
 # a proxy server exists and that you trust the Proxy server.  If all users are behind the same

core/lib/Foswiki/Configure/Checkers/PROXY/UseForwardedHeaders.pm

@@ -18,6 +18,20 @@ sub check_current_value {
 
         if ($proxy) {
 
+            if ( $Foswiki::cfg{PROXY}{UseForwardedHeaders} ) {
+                $reporter->WARN(
+"Be sure you trust the proxy server. Clients can use this header to spoof their IP addresses."
+                );
+            }
+            else {
+                $reporter->WARN(
+"Proxy detected, Enable this switch if Foswiki should use the =X-Forwarded-For= header to obtain the real client IP address."
+                );
+            }
+            $reporter->NOTE(
+"Remote Address is $ENV{REMOTE_ADDR}, Real client IP is =$client=."
+            );
+
             $reporter->NOTE(
 "Proxy server detected. Proxy URL is $protocol://$host:$port. Local server name is $ENV{HTTP_HOST}"
             );
@@ -55,7 +69,7 @@ sub check_current_value {
 __END__
 Foswiki - The Free and Open Source Wiki, http://foswiki.org/
 
-Copyright (C) 2008-2018 Foswiki Contributors. Foswiki Contributors
+Copyright (C) 2008-2023 Foswiki Contributors. Foswiki Contributors
 are listed in the AUTHORS file in the root of this distribution.
 NOTE: Please extend that file, not this notice.
 

core/lib/Foswiki/Engine.pm

@@ -563,11 +563,8 @@ sub _getConnectionData {
     $port = $port || $ENV{SERVER_PORT} || 80;
     $proxy = '';
 
-    if (   $detectProxy
-        || $Foswiki::cfg{PROXY}{UseForwardedFor}
-        || $Foswiki::cfg{PROXY}{UseForwardedHeaders} )
-    {
-        my $fwdClient;
+    if ( $detectProxy || $Foswiki::cfg{PROXY}{UseForwardedHeaders} ) {
+        my ( $fwdClient, $fwdProto, $fwdHost, $fwdPort, $hostport );
 
         if ( my $hdr = $ENV{HTTP_X_FORWARDED_FOR} ) {
             my $ip = ( split /\s?,\s?/, $hdr )[0];
@@ -579,11 +576,8 @@ sub _getConnectionData {
                 $proxy = 1;
             }
         }
-        $client = $fwdClient if $fwdClient;
-    }
 
-    if ( $detectProxy || $Foswiki::cfg{PROXY}{UseForwardedHeaders} ) {
-        my ( $fwdProto, $fwdHost, $fwdPort, $hostport );
+        $client = $fwdClient if $fwdClient;
         if ( my $hdr = $ENV{HTTP_X_FORWARDED_HOST} ) {
             my $first = ( split /\s?,\s?/, $hdr )[0];
             if ( defined $first ) {