[OBS-2643] Add Cloudflare IP Address support. - Observium

Details

Type: Improvement
Resolution: Fixed
Priority: Minor
Fix Version/s: None
Affects Version/s: Community Edition
Component/s: Security
Labels:
None
Environment:
PHP (FPM) 7.2.3, Ubuntu Linux 16.04.4

Description

Hey There,

I just wanted to suggest an improvement. I run a local instance on my server and noticed that when the subdomain I have my instance running on through the cloudflare reverse proxy, that the logged IP addresses show the reverse proxy rather than the user's actual address.

Could a small tweak be appended to the code to replace the `

$_SERVER["REMOTE_ADDR"]

to a null coalesce operator to support this?

$_SERVER["HTTP_CF_CONNECTING_IP"] ?? $_SERVER["REMOTE_ADDR"]

Regards,

Ely.

Attachments

Activity

[OBS-2643] Add Cloudflare IP Address support.

Mike Stupalov added a comment - 2018/08/27 03:12 PM

Fixed again in r9401.

Now this header is configuragle, see: Global settings -> Authentication -> Sessions

Mike Stupalov added a comment - 2018/08/27 03:12 PM Fixed again in r9401. Now this header is configuragle, see: Global settings -> Authentication -> Sessions

Mike Stupalov added a comment - 2018/08/27 09:20 AM

Incorrect change, produced security hole.
I will rewrite it now.

Mike Stupalov added a comment - 2018/08/27 09:20 AM Incorrect change, produced security hole. I will rewrite it now.

Mike Stupalov added a comment - 2018/08/26 06:29 PM

Fixed in r9398.

Mike Stupalov added a comment - 2018/08/26 06:29 PM Fixed in r9398.

Philipp Rehs added a comment - 2018/05/01 10:25 PM

Maybe you could add an whitelist of supported proxy ips (defined by the use) and only when it matches use the other headers to determine the users real ip

Philipp Rehs added a comment - 2018/05/01 10:25 PM Maybe you could add an whitelist of supported proxy ips (defined by the use) and only when it matches use the other headers to determine the users real ip

Mike Stupalov added a comment - 2018/04/03 09:32 AM

Will see tomorrow

Mike Stupalov added a comment - 2018/04/03 09:32 AM Will see tomorrow

Adam Armstrong added a comment - 2018/04/02 10:42 AM

perhaps landy would be interested in this :>

Adam Armstrong added a comment - 2018/04/02 10:42 AM perhaps landy would be interested in this :>

Stef Renders added a comment - 2018/04/01 11:00 PM

true that, please consider storing it (full path, not just last value) in a separate field then (as you already do with user agent)

the reverse proxy should in theory append the real ip he is seeing, so even if the user fakes its x-forwarded-for header, his ip would just get appended to that.

and maybe add a nice tooltip on the remote_addr in the auth log UI to see the forward header :>

Stef Renders added a comment - 2018/04/01 11:00 PM true that, please consider storing it (full path, not just last value) in a separate field then (as you already do with user agent) the reverse proxy should in theory append the real ip he is seeing, so even if the user fakes its x-forwarded-for header, his ip would just get appended to that. and maybe add a nice tooltip on the remote_addr in the auth log UI to see the forward header :>

Adam Armstrong added a comment - 2018/04/01 07:08 PM

This still seems a security issue to me, allowing a user to send a fake remote IP and having the server use it in preference to the real IP.

This is probably useful when you're doing user tracking for ad purposes, less useful when you're doing user tracking for auditing purposes. It's probably necessary to store all of the data, but at present we only really expect an IP. I'm not sure if we'd be able to store both pieces of data without modifications.

Adam Armstrong added a comment - 2018/04/01 07:08 PM This still seems a security issue to me, allowing a user to send a fake remote IP and having the server use it in preference to the real IP. This is probably useful when you're doing user tracking for ad purposes, less useful when you're doing user tracking for auditing purposes. It's probably necessary to store all of the data, but at present we only really expect an IP. I'm not sure if we'd be able to store both pieces of data without modifications.

Stef Renders added a comment - 2018/04/01 12:19 PM

basically they're accessing it from a reverse proxy, something we are going to do as well. In order to get the 'real client address', the reverse proxy will add a header to the http request called 'x-forwarded-for' meaning which client address he's requesting the page for. So the application will know which 'real' client is connecting. If you wouldn't do this, all auth log would say is that the user is connecting from the reverse proxy (rendering it useless).

https://stackoverflow.com/questions/11452938/how-to-use-http-x-forwarded-for-properly

Cloudflare seems to make up their non-standard http headers, which I would strongly recommend NOT to use. But they seem to also fallback on the standard x-forwarded-for

https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-

Though they may to seem to include the full path of reverse proxies, so you would have to parse the first value only for the real client address.

public function getClientIP(){
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER))

{ return $_SERVER["HTTP_X_FORWARDED_FOR"]; // may need to parse first value only }

else if (array_key_exists('REMOTE_ADDR', $_SERVER))

{ return $_SERVER["REMOTE_ADDR"]; }

else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER))

{ return $_SERVER["HTTP_CLIENT_IP"]; }

return '';
}

Stef Renders added a comment - 2018/04/01 12:19 PM basically they're accessing it from a reverse proxy, something we are going to do as well. In order to get the 'real client address', the reverse proxy will add a header to the http request called 'x-forwarded-for' meaning which client address he's requesting the page for. So the application will know which 'real' client is connecting. If you wouldn't do this, all auth log would say is that the user is connecting from the reverse proxy (rendering it useless). https://stackoverflow.com/questions/11452938/how-to-use-http-x-forwarded-for-properly Cloudflare seems to make up their non-standard http headers, which I would strongly recommend NOT to use. But they seem to also fallback on the standard x-forwarded-for https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers- Though they may to seem to include the full path of reverse proxies, so you would have to parse the first value only for the real client address. public function getClientIP(){ if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) { return $_SERVER["HTTP_X_FORWARDED_FOR"]; // may need to parse first value only } else if (array_key_exists('REMOTE_ADDR', $_SERVER)) { return $_SERVER["REMOTE_ADDR"]; } else if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) { return $_SERVER["HTTP_CLIENT_IP"]; } return ''; }

Adam Armstrong added a comment - 2018/03/31 11:31 PM

My point is that you've clearly put zero thought into any other users beyond your own use case.

I have no idea what cloudflare is or how it works, and i'm certainly not going to make security/logging changes because someone who thought it would be a good idea to use a null coalesce operator in actual real php code says it's a good idea.

Adam Armstrong added a comment - 2018/03/31 11:31 PM My point is that you've clearly put zero thought into any other users beyond your own use case. I have no idea what cloudflare is or how it works, and i'm certainly not going to make security/logging changes because someone who thought it would be a good idea to use a null coalesce operator in actual real php code says it's a good idea.

People

Assignee:: Mike Stupalov

Reporter:: Ely Haughie

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018/03/31 08:28 PM

Updated:: 2018/09/27 06:10 PM

Resolved:: 2018/08/27 03:12 PM