Get real client IP address behind the reverse proxy

[amiart]

I'm using the nginx server as a reverse proxy for Qt TreeFrog as described on this page:

https://www.treefrogframework.org/en/user-guide/cooperation-with-the-reverse-proxy-server/

The problem is that in this case the TActionController::clientAddress() and TWebSocketEndpoint::peerAddress() functions return the proxy address instead of the client's IP address.

In nginx, you can add an X-Forwarded-For header containing the client's IP address:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

but unfortunately Qt TreeFrog does not have functionality similar to that of mod_remoteip Apache server:

https://httpd.apache.org/docs/current/es/mod/mod_remoteip.html

Would it be possible to add an option in the TreeFrog configuration to define the name of the HTTP header containing the client's original IP address (RemoteIPHeader) and the list of trusted proxy (RemoteIPTrustedProxy) ? The TActionController::clientAddress() function would return the client's IP address instead of the proxy IP address if the proxy is trusted.

Thanks.

[amiart]

Currently, when using nginx as a reverse proxy, the access.log file contains the proxy IP address instead of the client IP and it is not known who actually sent the request.

[amiart]

It would be nice if it were possible to define several trusted proxies, e.g. separating them with a comma.

Here is a similar module for nginx:
http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from

[treefrogframework]

Good point!
Implemented in 953cdcf.
@amiart Could you try it?

Edit application.ini:
AccessLog.EnableXForwardedForHeader=true

[amiart]

Hi,
I appreciate your effort, but I expected something different. I would like to get the client real IP address in the controller using the clientAddress() function, because I want to check the IP when the user is logging in.

Therefore, it should be possible to set in the application.ini file the following parameters:

RemoteIP.Header=X-Forwarded-For
RemoteIP.TrustedProxy=192.168.1.10, 192.168.1.11

If the request comes from the IP address listed in TrustedProxy and contains a header such as Header, then the clientAddress() function should return the address from this header instead of the proxy IP address.

This will also solve the problem of wrong IP address in the access.log.

Thanks,

[treefrogframework]

Indeed. So implemented originatingClientAddress() function in 3711ee6.
Edit application.ini to work the funciton.
EnableForwardedForHeader=true

I don't think the TrustedProxy parameter is needed, because AP servers are on private network and the proxy servers are trusted usually.

If cared, limit access of clients by the ListenAddress parameter.

[amiart]

You cannot trust completely the X-Forwarded-For header,
because it can be modified by the client.
That's why the TrustedProxy parameter is needed.

So would like to add the following parameters in application.ini:

RealIP.Header=X-Forwarded-For    # could be X-Forwarded-For or X-Real-IP
RealIP.TrustedProxy=219.45.53.21, 64.74.18.20
RealIP.Recursive=false

This is the same as:

set_real_ip_from  219.45.53.21;
set_real_ip_from  64.74.18.20;
real_ip_header    X-Forwarded-For;
real_ip_recursive off;

for nginx: https://nginx.org/en/docs/http/ngx_http_realip_module.html

Here is an example implementation (may contain errors - did't compiled it):

QVector<QHostAddress> realIpTrustedProxyList()
{
    const QStringList RealIpTrustedProxy = Tf::appSettings()->value(Tf::RealIpTrustedProxy, "").toString().split(QChar(','));
    QVector<QHostAddress> trustedProxyList;
    for (int i=0; i<RealIpTrustedProxy.size(); ++i) {
        QHostAddress proxyAddr(RealIpTrustedProxy.at(i).trimmed());
        if (proxyAddr.protocol() != QAbstractSocket::UnknownNetworkLayerProtocol) {
            trustedProxyList.append(proxyAddr);
        } else {
            tSystemError("Invalid proxy address: %s", qPrintable(RealIpTrustedProxy.at(i)));
        }
    }
    return trustedProxyList;
}

QHostAddress THttpRequest::realClientAddress() const
{
    static const QByteArray RealIpHeader = Tf::appSettings()->value(Tf::RealIpHeader, "").toByteArray();
    static const QVector<QHostAddress> RealIpTrustedProxy = realIpTrustedProxyList();
    static const bool RealIpRecursive = Tf::appSettings()->value(Tf::RealIpRecursive, false).toString();

    QHostAddress clientAddr = clientAddress();
    if (!RealIpHeader.isEmpty() && !RealIpTrustedProxy.isEmpty()) {
        const QString header = QString::fromLatin1(header().rawHeader(RealIpHeader));
        if (!header.isEmpty()) {
            QStringList headerAddresses = header.split(QChar(','));
            if (RealIpRecursive) {
                while (headerAddresses.size() > 0) {
                    QHostAddress addr(headerAddresses.takeLast().trimmed());
                    if (addr.protocol() != QAbstractSocket::UnknownNetworkLayerProtocol && RealIpTrustedProxy.contains(clientAddr)) {
                        clientAddr = addr;
                    } else {
                        break;
                    }
                }
            } else {
                if (headerAddresses.size() > 0) {
                    QHostAddress addr(headerAddresses.takeLast().trimmed());
                    if (addr.protocol() != QAbstractSocket::UnknownNetworkLayerProtocol && RealIpTrustedProxy.contains(clientAddr)) {
                        clientAddr = addr;
                    }
                }
            }
        }
    }
    return clientAddr;
}

Note that the IP addresses in the X-Forwarded-For header should be processed from right to left.

The above code does not take in account the case when AP and reverse proxy use the UNIX domain socket.

[treefrogframework]

That's true.
Commited in f3b0cca.
Applid the right-most IP address in the X-Forwarded-For header except trusted proxy servers.

Edit application.ini and set EnableForwardedForHeader=true and TrustedProxyServers= parameter.

For example, can add the following to nginx.conf:
proxy_set_header X-Forwarded-For "$remote_addr, $host";

Can set the following in scondary proxy if the request passed through two or more proxy servers.
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for, $host";

[amiart]

Sorry but the X-Forwarded-For header according to standard should not contain the IP address of the last proxy, and the $host variable cannot be trusted because it is a "Host" request header field.

The correct nginx configuration is:

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

If the client connects via a single proxy, only the client's IP address will be in the header and clientAddress() is the proxy IP.

Maybe can I create a pull request ?

[treefrogframework]

The standard is RFC7239?
https://tools.ietf.org/html/rfc7239

It should contain the IP address of all proxies, not the last one.

[amiart]

Maybe it's true for the Forwarded header, but not for X-Forwarded-For:
https://en.wikipedia.org/wiki/X-Forwarded-For
https://systemoverlord.com/2020/03/25/security-101-x-forwarded-for-vs-forwarded-vs-proxy.html

[treefrogframework]

Solved by the following setting?
proxy_set_header X-Forwarded-For "$remote_addr"
or
proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for, $remote_addr"

The Forwarded header will be implementd in the future.

[treefrogframework]

Committed in c03c95c

[amiart]

Fixed in #296