
Show client’s real IP when connecting to OPNsense webgui via reverse proxy #4638

Closed
Greelan opened this issue Jan 25, 2021 · 7 comments

@Greelan
Contributor

Greelan commented Jan 25, 2021

Is your feature request related to a problem? Please describe.

When the OPNsense webgui is accessed through a reverse proxy, OPNsense logs the IP of the reverse proxy rather than the real IP of the client connecting to the reverse proxy. Therefore every logged access to the webgui appears from the same IP, even if different clients are connecting.

Describe the solution you'd like

I would like the webgui to log instead the real IP of the client connecting via the reverse proxy.

This can be achieved by implementing the mod_extforward module in lighttpd.

Further details are set out in this forum discussion: https://forum.opnsense.org/index.php?topic=20882.0.

As noted in that discussion (see in particular replies 3 and 4), there are three elements:

  • First the mod_extforward module needs to be enabled (and in the right order). This could be done by default, or optionally by the user clicking a checkbox if they are using a reverse proxy (which would then add the module to the module list in webgui.inc, for example by appending it to the $lighty_modules variable, after mod_accesslog if that is enabled).
  • Second, extforward.headers needs to be set, at least until a bugfix that has recently been implemented upstream makes it into OPNsense.
  • Finally, extforward.forwarder needs to be set to the trusted IP(s) of the reverse proxy. This will obviously differ from user to user, and so needs to be able to be set by the user. A data entry field in the webgui would enable this, or failing that at least an ability to manually configure a configuration file on the system.

Describe alternatives you considered

None.

Additional context

See the forum discussion linked above, including the relevant code for webgui.inc.
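The three elements from the post, written out as a lighttpd drop-in fragment. This is an added example, not code from the issue or from the OPNsense project; it assumes the drop-in is included after the base module list is defined, and the proxy address 192.0.2.10 is a constructed value.

```lighttpd
# Added example (not from the issue or OPNsense): a lighttpd drop-in
# covering the three elements described in the post. Assumes the fragment
# is included after the base config's server.modules is set, and uses the
# constructed proxy address 192.0.2.10 (replace with your proxy's IP).

# Element 1: load mod_extforward. Per the thread it must come after
# mod_accesslog, so the access log line is written with the client IP
# before mod_extforward restores the proxy address at end of request.
server.modules += ( "mod_extforward" )

# Element 2: explicit header list. Only needed on lighttpd older than
# 1.4.59; from 1.4.59 (OPNsense 21.1.1) the default already searches
# X-Forwarded-For and Forwarded-For, so this line can be dropped.
extforward.headers = ( "X-Forwarded-For" )

# Element 3: trust forwarded headers ONLY from the proxy itself. Every
# address listed here is allowed to decide what IP ends up in the log,
# so keep the list to the reverse proxy's address(es).
extforward.forwarder = ( "192.0.2.10" => "trust" )

# Setting to avoid: trusting every peer lets any direct client pick the
# logged IP by sending the header, which defeats the audit trail.
# extforward.forwarder = ( "all" => "trust" )
```

After applying, the lighttpd access log for webgui requests arriving via the proxy should show the originating client rather than 192.0.2.10.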

@fichtner fichtner self-assigned this Jan 26, 2021
@fichtner fichtner added the feature Adding new functionality label Jan 26, 2021
@fichtner fichtner added this to the Community milestone Jan 26, 2021
@fichtner
Member

Hi @Greelan,

Can you ping me again when 21.1 is out? This week is a little busy but as per forum discussion I promised to help out. :)

Thanks,
Franco

@Greelan
Contributor Author

Greelan commented Jan 26, 2021

Very happy to. Just wasn't sure about protocol for requests such as this, but thought ultimately this was best on GH 😀

@Greelan
Contributor Author

Greelan commented Jan 29, 2021

Hi @fichtner

Here's that little nudge as requested, for when you finish catching up on sleep after the 21.1 marathon 😀

@Greelan
Contributor Author

Greelan commented Feb 11, 2021

Happy to report that with lighttpd 1.4.59 now being brought into OPNsense 21.1.1, the second element noted in my original post is no longer required (I have tested to confirm). That is, extforward.headers does not need to be explicitly set if the default is all that is needed (which is to search the X-Forwarded-For and Forwarded-For headers).

One step closer...

@Greelan
Contributor Author

Greelan commented Apr 2, 2021

Closing as this has now been implemented (at least by a drop-in directory option, if not GUI option) by #4837 and #4845.

@Greelan Greelan closed this as completed Apr 2, 2021
@fichtner fichtner modified the milestones: Community, 21.7 Apr 2, 2021
@fichtner
Member

fichtner commented Apr 2, 2021

Thank you for taking care of it ❤️

@Greelan
Contributor Author

Greelan commented Apr 2, 2021

No problem, happy to contribute. If I'm being honest, it does still feel a bit hacky. One day when/if I can teach myself PHP and Jinja I might attempt a more complete solution. 😀

I did notice that after re-applying the patches after an OPNsense update, the default files in the conf.d directory (e.g. the README) seem to be appended to, so that, for example, on the most recent occasion the files on my system had the content repeated three times. Is that normal behaviour? I would have expected that the files on my system would just be overwritten to reflect what is on GitHub (with maybe a .orig backup made of any existing files).
