Show client’s real IP when connecting to OPNsense webgui via reverse proxy #4638
Comments
Hi @Greelan, Can you ping me again when 21.1 is out? This week is a little busy but as per forum discussion I promised to help out. :) Thanks,
Very happy to. Just wasn't sure about protocol for requests such as this, but thought ultimately this was best on GH 😀
Hi @fichtner Here's that little nudge as requested, for when you finish catching up on sleep after the 21.1 marathon 😀
Happy to report that with lighttpd 1.4.59 now being brought into OPNsense 21.1.1, the second element noted in my original post is no longer required (I have tested to confirm). That is, One step closer...
Thank you for taking care of it ❤️
No problem, happy to contribute. If I'm being honest, it does still feel a bit hacky. One day when/if I can teach myself PHP and Jinja I might attempt a more complete solution. 😀 I did notice that after re-applying the patches after an OPNsense update that the default files in the
Is your feature request related to a problem? Please describe.
When the OPNsense webgui is accessed through a reverse proxy, OPNsense logs the IP of the reverse proxy rather than the real IP of the client connecting to the reverse proxy. Therefore every logged access to the webgui appears from the same IP, even if different clients are connecting.
Describe the solution you like
I would like the webgui to log instead the real IP of the client connecting via the reverse proxy.
This can be achieved by implementing the mod_extforward module in lighttpd. Further details are set out in this forum discussion: https://forum.opnsense.org/index.php?topic=20882.0.
As noted in that discussion (see in particular replies 3 and 4), there are three elements:
- mod_extforward module needs to be enabled (and in the right order). This could be done by default, or optionally by the user clicking a checkbox if they are using a reverse proxy (which would then add the module to the module list in webgui.inc, for example by appending it to the $lighty_modules variable, after mod_accesslog if that is enabled).
- extforward.headers needs to be set, at least until a bugfix that has been recently implemented in the upstream makes it into OPNsense.
- extforward.forwarder needs to be set to the trusted IP(s) of the reverse proxy. This will obviously differ from user to user, and so needs to be able to be set by the user. A data entry field in the webgui would enable this, or failing that at least an ability to manually configure a configuration file on the system.
Describe alternatives you considered
None.
Additional context
See above link to forum discussion on this, including relevant code for webgui.inc.
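Why the third element restricts the forwarder list to the reverse proxy's own address, shown as an added example (not part of the original issue, and not lighttpd or OPNsense code): a simplified Python model of choosing the address to log from an X-Forwarded-For header. The function names and every address below are constructed for illustration.

```python
import ipaddress

def parse_trusted(entries):
    """Convert address or CIDR strings into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(addr, trusted):
    """True if addr falls inside any trusted forwarder network."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk
    return any(ip in net for net in trusted)

def client_ip_for_log(peer_addr, xff_header, trusted):
    """Pick the address an access log should record (simplified model)."""
    # A header sent by a peer that is not a listed forwarder is ignored.
    if not xff_header or not is_trusted(peer_addr, trusted):
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the hop nearest the server back toward the client and
    # stop at the first address that is not itself a trusted forwarder.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
    return peer_addr  # every hop was a forwarder; nothing better known

# Constructed sample data (documentation address ranges).
PROXY = "192.0.2.10"
ONLY_PROXY = parse_trusted([PROXY])
TOO_WIDE = parse_trusted([PROXY, "203.0.113.0/24"])

def demo():
    forged = "198.51.100.99, 203.0.113.7"  # first hop supplied by client
    return {
        "via_proxy": client_ip_for_log(PROXY, "203.0.113.7", ONLY_PROXY),
        "forged_first_hop": client_ip_for_log(PROXY, forged, ONLY_PROXY),
        "direct_with_header": client_ip_for_log("203.0.113.50", "10.0.0.1", ONLY_PROXY),
        "direct_too_wide": client_ip_for_log("203.0.113.50", "10.0.0.1", TOO_WIDE),
    }

if __name__ == "__main__":
    for name, logged in demo().items():
        print(f"{name:20} -> {logged}")
```

With only the proxy trusted, the logged address is the one the proxy itself appended; with the wider list, a host connecting directly from that range decides what is logged.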