X-Forwarded-SourcePort (or similar) needed

[mrambossek]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What did you expect to see?

i posted this on the forum as well: https://community.traefik.io/t/x-forwarded-sourceport-or-similar/15608

tl;dr: i need a way of forwarding info about the source TCP port of the http request to a server behind a http router via an http header, for example, X-Forwarded-SourcePort.

a good chunk of the internet these days is behind CGN (Carrier Grade NAT), meaning that the IP traefik sees, is not directly traceable to the actual client. what that means is that if you have an abuse case - maybe someone hacked your outdated wordpress? - to be able to do anything at all, you have to provide the ISP with a) a timestamp b) the (real) source IP and crucially c) the source TCP port of the request, because the way CGN typically works is that it assigns "blocks of ports" to a subscriber, and then uses ports out of that block until it is depleted, and only these blocks are logged, not individual connections.

ie subscriber A's CPE has the WAN IP 100.123.123.123, at 12:00:00 gets assigned ports range 10500-10600, and the offending HTTP request uses port 10527 out of that block - this is logged in the ISPs CGN database.

for the ISP to be able to trace this to an actual customer, they need all 3 pieces of information.
in bare nginx, you can use $remote_port in your logging definition to get the desired effect; but as far as i can see, there is no way to communicate it through X- headers .. so far?

i am not a developer, more like a scripting sysadmin, so i'm definitely not the best person to try and implement this. from looking at the source, i would guess that it should go around here somewhere:
pkg/middlewares/forwardedheaders/forwarded_header.go#L113

i would further guess that this is not a HUGE deal technically, more from a design/"how should we do this properly" decision perspective :)

any help would be greatly appreciated,
thanks & regards

[rtribotte]

Hello @mrambossek,

Thanks for your interest in Traefik!

We are unsure whether to fully understand the request.
There is already the X-Forwarded-Port header that is added by Traefik, see this page of our documentation, is it what you are looking for?

[mrambossek]

Hi Romain :)

my understand was that X-Forwarded-Port (XFP) identifies the TCP Destination Port of the Request; that is, it informs the server behind the proxy, that a client is connecting to that port on the proxy; so that would usually be 80, 443, or something else but "static".

what i am looking for is the (usually random as in per-request, and >1024) source port that the client used to make the request.

although now that i am trying to google for authorative information on that, i cannot find any good URLs. all i can find is config snippets for nginx where people map that variable .. in a way that would suggest its always the destination port....

right now im not even sure whether XFP is a "defined", or just a "de-facto" standard. either way, i am assuming traefik's decision to implement it was much easier because it was already "in public use", whereas for my purpose i cannot find ANYTHING at all...

[mpl]

Hello,

Just to make sure we're on the same page: on your backend (wordpress) you'd like to have the information about the port of the initial incoming request (the one from the client/attacker to traefik), so that you can log it there? One of the reasons being that you want to be able to report to the ISP of the attacker the [IP, port, timestamp], so they can trace it back to the original attacker IP?

If yes, here's our recommendations:

1. Couldn't you get the information directly from traefik's accesslogs? There should be a ClientPort field there, as indicated on the table at
   https://doc.traefik.io/traefik/observability/access-logs/

2. If not, as this could be achieved in a plugin middleware, that's the way we encourage people to go when it is possible. It gives them more freedom to do it the way they want it to, and it results in less maintenance effort from us.

You should be able to get the source port from the RemoteAddr field of the request:
https://pkg.go.dev/net/http#Request

To help you get started, we recommend having a look at the https://github.com/traefik/plugindemo repository.

[mrambossek]

Hello,

Just to make sure we're on the same page: on your backend (wordpress) you'd like to have the information about the port of the initial incoming request (the one from the client/attacker to traefik), so that you can log it there? One of the reasons being that you want to be able to report to the ISP of the attacker the [IP, port, timestamp], so they can trace it back to the original attacker IP?

yes; although that might not be limited to logging (although 99% of it is). its just weird to me that the backend can have access to "everything else" via the X-Forwarded- Headers; but not the source port, which is crucial for "WAN issues" these days.

to give a perspective - i work for a small ISP and we have roughly 8k DSL access lines online, the majority of which is behind CGN. approx. once a week we get abuse mails regarding one of those lines - many of which are automated botnet reports or similar - and most of the time, especially for the manually reported ones, these requests do not include the source port of the client, therefore we have to politely tell people that we cannot help them - including law enforcement.

for some reason, "the server part of the internet" missed the reality of ipv4 shortage and adoption of CGN over the last years and thus the "new" requirement of logging source ports.

If yes, here's our recommendations:

1. Couldn't you get the information directly from traefik's accesslogs? There should be a ClientPort field there, as indicated on the table at
   https://doc.traefik.io/traefik/observability/access-logs/

yes, probably, but that poses a permission issue in some cases where a dev team might be running services behind a larger setup with traefik in front and thus cannot get access to those central logs. so, works for some cases, but not all.

2. If not, as this could be achieved in a plugin middleware, that's the way we encourage people to go when it is possible. It gives them more freedom to do it the way they want it to, and it results in less maintenance effort from us.
   You should be able to get the source port from the RemoteAddr field of the request: https://pkg.go.dev/net/http#Request
   To help you get started, we recommend having a look at the https://github.com/traefik/plugindemo repository.

ok, that is unfortunately beyond my capabilities :)

however, from further digging in documentation, i found that the PROXY protocol might be carrying this information, and, at least in the case of the backend being nginx which supports that, it might be possible to handle it that way - at least in my specific use case. i will keep digging but this ticket can be closed if there is no interest from the traefik side to implement a "generic" solution.