Item14380: New feature - Support for reversy proxies

This adds a configuration option to support reverse proxy configurations. If enabled, Foswiki will use the X-Forwarded-For header to determine the client IP Address. This is disabled by default.
foswiki · Nov 27, 2017 · e798eee · e798eee
1 parent d4a4ab6
commit e798eee
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 7 deletions.
diff --git a/ModPerlEngineContrib/data/System/ModPerlEngineContrib.txt b/ModPerlEngineContrib/data/System/ModPerlEngineContrib.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1493597080" format="1.1" version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1511808327" format="1.1" version="1"}%
 ---+!! !ModPerlEngineContrib
 <!--
 One line description, required for extensions repository catalog.
@@ -149,6 +149,7 @@ set in %USERSWEB%.SitePreferences, default taken from
 ---++ Info
 
 |  Change History: | <!-- versions below in reverse order -->&nbsp; |
+|  14 May 2017 (1.10) | Foswikitask:Item14380: Optionally recover client IP from =X-Forwarded-For= header. |
 |  30 Apr 2017 (1.05) | Foswikitask:Item14381: Preserver URL Encoding of the Foswiki URI. |
 |  26 Nov 2016 (1.04) | Released with Foswiki 2.1.3. Old Apache 1.x modules have been removed from the DEPENDENCIES file. |
 |  08 Apr 2016 (1.03) | Foswikitask:Item14022 Change foswiki.org links to https. |
@@ -171,7 +172,7 @@ set in %USERSWEB%.SitePreferences, default taken from
 
 %META:FORM{name="PackageForm"}%
 %META:FIELD{name="Author" title="Author" value="Foswiki:Main.GilmarSantosJr"}%
-%META:FIELD{name="Copyright" title="Copyright" value="&copy; 2009-2015 Gilmar Santos Jr and Foswiki Contributors"}%
+%META:FIELD{name="Copyright" title="Copyright" value="&copy; 2009-2017 Gilmar Santos Jr and Foswiki Contributors"}%
 %META:FIELD{name="Home" title="Home" value="https://foswiki.org/Extensions/%$ROOTMODULE%"}%
 %META:FIELD{name="License" title="License" value="[[http://www.gnu.org/licenses/gpl.html][GPL (Gnu General Public License)]]"}%
 %META:FIELD{name="Release" title="Release" value="%$RELEASE%"}%

diff --git a/ModPerlEngineContrib/lib/Foswiki/Contrib/ModPerlEngineContrib.pm b/ModPerlEngineContrib/lib/Foswiki/Contrib/ModPerlEngineContrib.pm
@@ -1,7 +1,7 @@
 # mod_perl Runtime Engine of Foswiki - The Free and Open Source Wiki,
 # http://foswiki.org/
 #
-# Copyright (C) 2009-2016 Gilmar Santos Jr, jgasjr@gmail.com and Foswiki
+# Copyright (C) 2009-2017 Gilmar Santos Jr, jgasjr@gmail.com and Foswiki
 # contributors. Foswiki contributors are listed in the AUTHORS file in the root
 # of Foswiki distribution.
 #
@@ -23,8 +23,8 @@ use strict;
 
 use vars qw( $VERSION $RELEASE $SHORTDESCRIPTION );
 
-$VERSION          = '1.06';
-$RELEASE          = '15 May 2017';
+$VERSION          = '1.07';
+$RELEASE          = '27 Nov 2017';
 $SHORTDESCRIPTION = 'Permits Foswiki to be executed under mod_perl';
 
 1;
diff --git a/ModPerlEngineContrib/lib/Foswiki/Engine/Apache.pm b/ModPerlEngineContrib/lib/Foswiki/Engine/Apache.pm
@@ -102,6 +102,14 @@ sub prepareConnection {
         ? $this->{r}->connection->remote_ip
         : $this->{r}->connection->client_ip
     );
+
+    if ( $Foswiki::cfg{PROXY}{UseForwardedForHeader}
+        && defined $ENV{HTTP_X_FORWARDED_FOR} )
+    {
+        my @addrs = split /,\s?/, $ENV{HTTP_X_FORWARDED_FOR};
+        $req->remoteAddress( $addrs[0] );
+    }
+
     if ( $INC{'Apache2/ModSSL.pm'} ) {
         $req->secure( $this->{r}->connection->is_https ? 1 : 0 );
     }

diff --git a/core/data/System/ReleaseNotes02x01.txt b/core/data/System/ReleaseNotes02x01.txt
@@ -1,4 +1,4 @@
-%META:TOPICINFO{author="ProjectContributor" date="1505759671" format="1.1"  version="1"}%
+%META:TOPICINFO{author="ProjectContributor" date="1511808327" format="1.1"  version="1"}%
 %META:TOPICPARENT{name="ReleaseHistory"}%
 ---+!! Foswiki Release 2.1.4
 
@@ -91,6 +91,17 @@ function correctly without this zone.   No changes are required unless you
 have replaced the =foswiki.tmpl= or =foswiki.pattern.tmpl= with a local
 version.
 
+---+++ Additional support for Proxy configurations.
+
+Foswiki has a new option under bin/configure -&gt; Security and Authentication -&gt; Proxies: ={PROXY}{UseForwardedForHeader}=.  Enable this setting
+if the Foswiki is accessed through a reverse proxy. Foswiki will the use the =X-Forwarded-For= header to determine the Client IP address.  This has several effects:
+   * Foswiki will log the real Client IP address instead of the address of the reverse proxy server.
+   * Session IP matching will use the real client IP when determining if the CGI Session is for the correct client.
+   * Plugins that perform security functions based upon the IP address will see the real client IP address.
+This setting should only be enabled if the majority of the clients access the server via the reverse proxy.  It is possible for clients to spoof the
+=X-Forwarded-For= header, so only enable this setting when appropriate to avoid client IP Address spoofing.
+
+
 ---++ Important changes in Foswiki 2.1.3
 
 ---+++ Security issues addressed in this release.

diff --git a/core/lib/Foswiki.spec b/core/lib/Foswiki.spec
@@ -1062,7 +1062,7 @@ $Foswiki::cfg{AccessibleENV} =
 $Foswiki::cfg{AccessibleHeaders} = ['Accept-Language', 'User-Agent'];
 
 #---++ Proxies
-# Some environments require outbound HTTP traffic to go through a proxy
+# Some environments require inbound or outbound HTTP traffic to go through a proxy
 # server (for example http://proxy.your.company).
 
 # **URL 30 LABEL="Proxy Host" CHECK='undefok emptyok parts:scheme,authority,path\
@@ -1075,6 +1075,17 @@ $Foswiki::cfg{AccessibleHeaders} = ['Accept-Language', 'User-Agent'];
 # http://username:password@proxy.your.company:8080.
 $Foswiki::cfg{PROXY}{HOST} = undef;
 
+# **BOOLEAN LABEL="Client IP" **
+# Foswiki normally uses the REMOTE_ADDRESS as the client IP.  If Foswiki is behind
+# a proxy, Foswiki will see the proxy's address as the Client IP.  Enable this switch if you
+# want foswiki to recover the real Client IP from the =X-Forwarded-For= header. 
+# *Caution:* This header is easily spoofed. Only enable this flag if you are certain that
+# you trust the Proxy server.
+# <p/>
+# Note that this setting also impacts CGI Session IP matching. Changing this setting
+# will break all active sessions behind the proxy and require re-authentication.
+$Foswiki::cfg{PROXY}{UseForwardedForHeader} = $FALSE;
+
 #---++ Anti-spam
 # Foswiki incorporates some simple anti-spam measures to protect
 # e-mail addresses and control the activities of benign robots, which

diff --git a/core/lib/Foswiki/Configure/Checkers/PROXY/UseForwardedForHeader.pm b/core/lib/Foswiki/Configure/Checkers/PROXY/UseForwardedForHeader.pm
@@ -0,0 +1,55 @@
+# See bottom of file for license and copyright information
+package Foswiki::Configure::Checkers::PROXY::UseForwardedForHeader;
+
+use strict;
+use warnings;
+
+use Foswiki::Configure::Checker ();
+our @ISA = ('Foswiki::Configure::Checker');
+
+sub check_current_value {
+    my ( $this, $reporter ) = @_;
+
+    if ( $ENV{HTTP_X_FORWARDED_FOR} ) {
+
+        if ( $Foswiki::cfg{PROXY}{UseForwardedForHeader} ) {
+            $reporter->NOTE("Real client IP is =$ENV{HTTP_X_FORWARDED_FOR}=.");
+        }
+        else {
+            $reporter->WARN(
+"Proxy detected, Enable this switch if Foswiki should use the =HTTP_X_FORWARDED_FOR= header to obtain the real client IP address."
+            );
+            $reporter->NOTE(
+"Remote Address is $ENV{REMOTE_ADDR}, Real client IP is =$ENV{HTTP_X_FORWARDED_FOR}=."
+            );
+        }
+    }
+
+}
+
+1;
+__END__
+Foswiki - The Free and Open Source Wiki, http://foswiki.org/
+
+Copyright (C) 2008-2017 Foswiki Contributors. Foswiki Contributors
+are listed in the AUTHORS file in the root of this distribution.
+NOTE: Please extend that file, not this notice.
+
+Additional copyrights apply to some or all of the code in this
+file as follows:
+
+Copyright (C) 2000-2006 TWiki Contributors. All Rights Reserved.
+TWiki Contributors are listed in the AUTHORS file in the root
+of this distribution. NOTE: Please extend that file, not this notice.
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version. For
+more details read LICENSE in the root of this distribution.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+As per the GPL, removal of this notice is prohibited.
diff --git a/core/lib/Foswiki/Contrib/core/MANIFEST b/core/lib/Foswiki/Contrib/core/MANIFEST
@@ -424,6 +424,7 @@ lib/Foswiki/Configure/Checkers/PATH.pm 0444
 lib/Foswiki/Configure/Checkers/PERL.pm 0444
 lib/Foswiki/Configure/Checkers/PLUGIN_MODULE.pm 0444
 lib/Foswiki/Configure/Checkers/PluginsOrder.pm 0444
+lib/Foswiki/Configure/Checkers/PROXY/UseForwardedForHeader.pm 0444
 lib/Foswiki/Configure/Checkers/REGEX.pm 0444
 lib/Foswiki/Configure/Checkers/Register/AllowLoginName.pm 0444
 lib/Foswiki/Configure/Checkers/Register/ExpireAfter.pm 0444

diff --git a/core/lib/Foswiki/Engine/CGI.pm b/core/lib/Foswiki/Engine/CGI.pm
@@ -106,6 +106,13 @@ sub prepareConnection {
     my ( $this, $req ) = @_;
 
     $req->remoteAddress( $ENV{REMOTE_ADDR} );
+    if ( $Foswiki::cfg{PROXY}{UseForwardedForHeader}
+        && defined $ENV{HTTP_X_FORWARDED_FOR} )
+    {
+        my @addrs = split /,\s?/, $ENV{HTTP_X_FORWARDED_FOR};
+        $req->remoteAddress( $addrs[0] );
+    }
+
     $req->method( $ENV{REQUEST_METHOD} );
 
     if ( $ENV{HTTPS} && uc( $ENV{HTTPS} ) eq 'ON' ) {