Login failed log the IP of the Docker Network Gateway

[GuillaumeHullin]

Description

When using Caddy as reverse proxy for Paperless, a failed login would log the IP of the Docker network gateway instead of the IP of the client.

I use fail2ban for security installed on the host.

If I access Paperless via HTTP on port 8000, the IP of the failing client is logged correctly.

Steps to reproduce

Here is my Caddy reverse proxy config:

https://paperless.office.domain.com:443 {
    reverse_proxy paperless.office.domain.com:8000
    tls /etc/caddy/letsencrypt.fullchain /etc/caddy/letsencrypt.key
    @denied not remote_ip private_ranges
    abort @denied

Accessing Paperless via https://paperless.office.domain.com work without issue... excluding that in case of failed login the IP logged is the Docker network gateway.

I tried different combination of Caddy setting

        header_up X-Real-IP {remote}
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-For {remote}
        header_up Host {host}
        header_up X-Forwarded-Host {host}

and adding some env variable to Paperless

PAPERLESS_USE_X_FORWARD_HOST=true
PAPERLESS_PROXY_SSL_HEADER='["HTTP_X_FORWARDED_PROTO", "https"]'

....but I don't get anywhere

For your info my Fail2Ban conf is

# /etc/fail2ban/filter.d/paperless.conf
[Definition]
failregex = Login failed for user `.*` from (?:IP|private IP) `<HOST>\.`$
ignoreregex =

#/etc/fail2ban/jail.d/00_docker-paperless.local
[paperless]
enabled = true
filter = paperless
logpath  = /srv/paperless/docker-data/data/log/paperless.log # Need to be adjusted for your Docker setup
chain = DOCKER-USER
maxretry = 5
bantime = 1h
port = 8000

Webserver logs

[2023-05-10 20:03:23,874] [INFO] [paperless.auth] Login failed for user `sdf` from private IP `10.6.53.1.`
[2023-05-10 20:04:03,693] [INFO] [paperless.auth] Login failed for user `sdfasd` from private IP `10.6.53.1.`

### Browser logs

_No response_

### Paperless-ngx version

1.14.4

### Host OS

Debian

### Installation method

Docker - official image

### Browser

_No response_

### Configuration changes

PAPERLESS_URL and PAPERLESS_SECRET_KEY are set correctly

### Other

_No response_

[stumpylog]

I don't see any mention of setting PAPERLESS_TRUSTED_PROXIES to at least filter out the proxy portion. More information here

You can see the precedence ordering the library used for getting the client ip here. HTTP_X_FORWARDED_FOR is the first one looked at.

[stumpylog]

If anything, this looks like an ipware bug. I just tested with my own proxy, which does send X-Forwarded-For and X-Real-Ip, but it still appears to be coming from my Traefik container. Both headers are in the request, so the library should be utilizing it.

I use https://github.com/traefik/whoami to look at what headers actually reach a client

[GuillaumeHullin]

Nice. Thanks for the tips.
I can see that my headers should be correct.

I agree with you, it seems that it's a bug.
Also I read that django-ipware is being replaced by python-ipware (un33k/django-ipware#76).

[stumpylog]

Interesting, that's a pretty hidden deprecation. I'll look at swapping when I can

[stumpylog]

I've switched over to the newer library, which appears to work. If you can test, the image is tagged as docker pull ghcr.io/paperless-ngx/paperless-ngx:feature-pr-3382. It's currently roughly v1.14, but it's probably best to test in an isolated way

[GuillaumeHullin]

I tested in my dev server and it works.
Note that I restored my basic reverse proxy settings (for Caddy), no extra header_up and in Paperless env variable I only have PAPERLESS_URL and PAPERLESS_SECRET_KEY` set.

There is one more test to do (which I can only do later), is for public IP address. I'm not planning to expose Paperless to Internet... but it's just to see if the new library correctly see the IP.

Side question, would it be useful if I prepare a PR for setting up Fail2Ban? My setup is to have Fail2Ban installed on the Docker host.

[stumpylog]

You mean some documentation and/or a config file for it? Sure, go for it

[GuillaumeHullin]

Alright, it successfully logged my public IP when exposing Paperless to Internet.
I'll make a PR this weekend to add the setup of Fail2Ban to the documentation.
Thanks for your help.

[github-actions[bot]]

This discussion has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion for related concerns.