Not Handling X-Forwarded-For from LBs #709

Open
beauhoyt opened this issue Nov 3, 2020 · 7 comments
Comments

@beauhoyt

beauhoyt commented Nov 3, 2020

  • Problem: Getting Cloudflare LB IPs for the login IP instead of the actual IP. It seems not to be parsing X-Forwarded-For properly. I've tried doing it the way the Symfony doc states (https://symfony.com/doc/current/deployment/proxies.html) with TRUSTED_PROXIES by adding this to .env:
TRUSTED_PROXIES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
@beauhoyt
Author

beauhoyt commented Nov 3, 2020

So it seems to be doing something when I added this to the .env:

TRUSTED_PROXIES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22

because my login IP changed from 108.162.245.50 to 162.158.107.163, which is just another intermediate LB in the chain.
My guess is this is how it works:

Edge POP            Internal LB      Then it should be my IP
162.158.107.163 -> 108.162.245.50 -> x.x.x.x

The X-Forwarded-For Header should be looking something like this:

X-Forwarded-For: x.x.x.x,108.162.245.50,162.158.107.163

Based on this documentation: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-

@warlof
Member

warlof commented Nov 15, 2020

Hi,

Seems the easiest way for you is to add a dependency which has been built to handle Cloudflare proxying headers: https://github.com/monicahq/laravel-cloudflare

It will maintain Cloudflare's published IP addresses used for proxying in a cache (that you can reload automatically, using your scheduler).

Since you are on Docker, you can add monicahq/laravel-cloudflare to your plugins in the .env file.
However, you'll have to alter the Kernel.php file on all your containers manually (and after each update).

That file will be located at /var/www/seat/app/Http/Kernel.php

@beauhoyt
Author

Hmm, now I'm getting a 172.16.0.0/12 address from Docker's internal network.

Is there another set of values I need to set for the middleware?

Do I just need to add 172.16.0.0/12 to TRUSTED_PROXIES?

@beauhoyt
Author

beauhoyt commented Nov 17, 2020

So I went in and modified the LogFormat to get the X-Forwarded-For and CF-Connecting-IP headers:

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h \"%{X-Forwarded-For}i\" \"%{CF-Connecting-IP}i\" %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h \"%{X-Forwarded-For}i\" \"%{CF-Connecting-IP}i\" %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

And noticed the big problem with X-Forwarded-For: it's getting overwritten instead of appended to:

172.18.0.2 "172.68.86.114" "103.x.x.x" - - [16/Nov/2020:21:29:44 +0000] "GET /queue/short-status HTTP/1.1" 200 1114 "https://seat.42indy.com/configuration/schedule" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Edg/86.0.622.63"
172.18.0.2 "108.162.245.156" "104.x.x.x" - - [16/Nov/2020:21:29:48 +0000] "GET /queue/short-status HTTP/1.1" 401 1103 "https://seat.42indy.com/characters/2117476562/sheet" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
172.18.0.2 "172.68.86.114" "103.x.x.x" - - [16/Nov/2020:21:29:55 +0000] "GET /queue/short-status HTTP/1.1" 200 1118 "https://seat.42indy.com/configuration/schedule" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Edg/86.0.622.63"

So now I'm going to try and modify config/trustedproxy.php with this (it comes from here: https://github.com/fideloper/TrustedProxy/wiki):

<?php

return [
   ...

    // These are defaults already set in the config:
    'headers' => [
        (defined('Illuminate\Http\Request::HEADER_FORWARDED') ? Illuminate\Http\Request::HEADER_FORWARDED : 'forwarded') => 'FORWARDED',
        \Illuminate\Http\Request::HEADER_CLIENT_IP    => 'X_FORWARDED_FOR',
        \Illuminate\Http\Request::HEADER_CLIENT_HOST  => 'X_FORWARDED_HOST',
        \Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
        \Illuminate\Http\Request::HEADER_CLIENT_PORT  => 'X_FORWARDED_PORT',
    ]
];

Though when I do this I get this fatal error (and I'm still looking into it):

Fatal error: Uncaught RuntimeException: A facade root has not been set. in /var/www/seat/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php:258
Stack trace:
#0 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(425): Illuminate\Support\Facades\Facade::__callStatic('replaceNamespac...', Array)
#1 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(402): Illuminate\Foundation\Exceptions\Handler->registerErrorViewPaths()
#2 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(313): Illuminate\Foundation\Exceptions\Handler->renderHttpException(Object(Symfony\Component\HttpKernel\Exception\HttpException))
#3 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(210): Illuminate\Foundation\Exceptions\Handler->prepareResponse(Object(Illuminate\Http\Request), Object(Symfony\Component\HttpKernel\Exception\HttpException))
#4 /var/www/seat/app/Exceptions/Handler.php(55): Illumi in /var/www/seat/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php on line 258

My goal is to replace the above associative array with this change:

 \Illuminate\Http\Request::HEADER_CLIENT_IP    => 'CF-Connecting-IP',

So I can get the correct IP.

@AstralDestiny

So for me, I'm having Traefik rewrite X-Real-IP (originally it would show 172.23.0.1 for connections) with X-Forward-IP or CF-Connecting-IP; as long as it doesn't match, X will replace, which shows the real IP of the connecting user from the Cloudflare LBs.
All other programs I have behind Traefik are fine, but it has issues when it comes to SeAT.
It still shows 172.23.0.1; every other service, however, works fine and shows the external connecting IP from the CF LBs.
I can probably write the instructions if anyone is curious, but every other container works totally fine, and as soon as I try it with SeAT, SeAT refuses and just shows all logins as 172.23.0.1.

@warlof
Member

warlof commented Dec 12, 2020

Which application are you using?

SeAT is not doing anything with reverse proxies except standard Laravel stuff :/

@beauhoyt
Author

@AstralDestiny I personally think it's Traefik messing with the X-Forward-IP header, completely overwriting the comma-delimited IPs instead of appending to the list. That's why I was trying to force Laravel (aka Symfony) to use the CF-Connecting-IP header, but with no luck. :(
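The trusted-proxy walk that the thread is circling around (the overwritten X-Forwarded-For seen in the Apache log above, the plan to read CF-Connecting-IP instead, and the Traefik overwrite suspected in the last comment), as an added example. This is not SeAT, Laravel, Symfony or Traefik code; it models the standard right-to-left walk that trusted-proxy middleware performs: start at the TCP peer, step leftwards through X-Forwarded-For while each hop is a trusted proxy, and report the first untrusted hop as the client. The Cloudflare ranges are the ones pasted in the issue; 172.16.0.0/12 as the Docker bridge, the hostile peer 198.51.100.7 and the client 203.0.113.10 are assumptions made up for the example.

```python
"""Trusted-proxy walk over X-Forwarded-For, with CF-Connecting-IP as the fallback.

Added example for this thread; it is not SeAT/Laravel/Symfony code.  It models the
standard right-to-left walk: start at the TCP peer (REMOTE_ADDR), step leftwards
through X-Forwarded-For while each hop is a trusted proxy, and report the first
hop that is not trusted as the client.  The Cloudflare ranges are the ones pasted
in the issue; 172.16.0.0/12 stands in for the Docker bridge network, and every
client address below is constructed (RFC 5737 documentation ranges).
"""
import ipaddress

# Cloudflare IPv4 ranges exactly as listed in the issue's TRUSTED_PROXIES line.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22",
]
# Assumption: the front-proxy container reaches the app over a Docker bridge in this range.
DOCKER_BRIDGE = ["172.16.0.0/12"]


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_trusted(ip, networks):
    """True when ip is a valid address inside one of the given networks."""
    return _is_ip(ip) and any(ipaddress.ip_address(ip) in n for n in networks)


def resolve_client(remote_addr, headers, trusted_cidrs, cloudflare_cidrs=CLOUDFLARE_V4):
    """Return (client_ip, source) for one request.

    remote_addr: the TCP peer (Apache %h / REMOTE_ADDR).
    headers:     request headers; only X-Forwarded-For and CF-Connecting-IP are read.
    """
    trusted = _networks(trusted_cidrs)
    cloudflare = _networks(cloudflare_cidrs)
    hdr = {k.lower(): v for k, v in headers.items()}

    # X-Forwarded-For is client-first.  The peer is the only address that was not
    # supplied by the sender, so it is appended as the rightmost hop and the walk
    # is anchored there.
    hops = [h.strip() for h in hdr.get("x-forwarded-for", "").split(",")]
    chain = [h for h in hops if _is_ip(h)] + [remote_addr]

    # Walk right to left while the hop is one of our proxies.  The first hop that
    # is not trusted is the client; anything further left was written by an
    # untrusted party and is ignored.  This is what defeats forged headers.
    idx = len(chain) - 1
    while idx >= 0 and is_trusted(chain[idx], trusted):
        idx -= 1
    if idx >= 0:
        return chain[idx], "x-forwarded-for"

    # Every hop was a trusted proxy, so X-Forwarded-For carries no client address.
    # That is the thread's symptom: the front proxy replaced the header with one
    # Cloudflare IP instead of appending.  If the leftmost hop is Cloudflare, then
    # Cloudflare was the last proxy to touch the request and the CF-Connecting-IP
    # header it sets is the client.  A request that reached the origin directly
    # never gets here, because its peer is untrusted and was returned above.
    cf_ip = hdr.get("cf-connecting-ip", "").strip()
    if _is_ip(cf_ip) and is_trusted(chain[0], cloudflare):
        return cf_ip, "cf-connecting-ip"

    # No usable client address: surface the proxy so the misconfiguration is visible.
    return chain[0], "trusted-proxy-only"


if __name__ == "__main__":
    trusted = CLOUDFLARE_V4 + DOCKER_BRIDGE
    # Constructed requests: 172.18.0.2 is the proxy container from the thread's log
    # lines, the Cloudflare hops are the ones quoted there, 203.0.113.10 plays the
    # real client and 198.51.100.7 an attacker connecting to the origin directly.
    cases = [
        ("proper chain", "172.18.0.2",
         {"X-Forwarded-For": "203.0.113.10, 108.162.245.50, 162.158.107.163"}, trusted),
        ("XFF overwritten by front proxy", "172.18.0.2",
         {"X-Forwarded-For": "172.68.86.114", "CF-Connecting-IP": "203.0.113.10"}, trusted),
        ("Docker range missing from TRUSTED_PROXIES", "172.18.0.2",
         {"X-Forwarded-For": "172.68.86.114", "CF-Connecting-IP": "203.0.113.10"}, CLOUDFLARE_V4),
        ("direct to origin, forged headers", "198.51.100.7",
         {"X-Forwarded-For": "203.0.113.10, 162.158.107.163", "CF-Connecting-IP": "203.0.113.10"}, trusted),
    ]
    for name, peer, hdrs, cidrs in cases:
        print(f"{name}: {resolve_client(peer, hdrs, cidrs)}")
```

Two things the walk makes visible. First, the peer the app actually talks to (172.18.0.2 in the log lines) has to be in the trusted list, or the walk stops at the Docker bridge and every login is recorded against it; that is the 172.16.0.0/12 symptom from earlier in the thread. Second, mapping the client-IP header straight to CF-Connecting-IP, without checking that the hop chain actually passed through Cloudflare, lets anyone who can reach the origin directly choose the IP that gets logged for their login, unless the origin only accepts connections from Cloudflare's ranges in the first place.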
