X-Forwarded-For and X-Real-IP Support #1536

Open
bianyukun1213 opened this issue Dec 6, 2023 · 2 comments

@bianyukun1213

Currently I use my own domain and an nginx container to access Unraid webGui when I'm not home because somehow Unraid Connect is not working in my case. LAN address is 192.168.31.72. However, once I (or someone) triggered Failed Login Restrictions, I cannot log in anymore even after connecting to a different network to change my actual IP address. Because of the reverse proxy, $remote_addr is always set to 192.168.31.72 when I'm using my own domain to log in. Can you add support for X-Forwarded-For and X-Real-IP so Unraid webGui can apply failed login restrictions correctly on the actual IP address instead of the LAN address 192.168.31.72?

@Leseratte10
Contributor

Just in case this is missed - support for X-Forwarded-For and X-Real-IP should be disabled by default (so the admin explicitly has to enable them in the settings somewhere). If this is implemented and enabled by default it allows an attacker to easily circumvent IP bans by just sending these headers.

Ideally, there should also be an (additional) optional parameter to only allow / parse these HTTP headers coming from source IPs in a particular subnet - that way you can configure Unraid to only parse these headers when coming from your local reverse proxy and not when they're coming from elsewhere.

@Leseratte10
Contributor

Leseratte10 commented Dec 30, 2023

Looks like the nginx binary in Unraid is compiled with the --with-http_realip_module option which should make this fairly easy to add. All that would be needed is some config page that adds entries like these to the nginx config:

```
set_real_ip_from  192.168.31.72/32;
set_real_ip_from  2001:db8:1234:5678::72/128;
real_ip_header    X-Forwarded-For;
```

I'm going to test these and see if that's enough to make that work.
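
The trust rule discussed in this thread (honour the header only when the connection comes from the configured proxy) can be modelled as follows. This is an added example, not code from Unraid, nginx or the commenters; it assumes the proxy appends the peer address to X-Forwarded-For, and `effective_client_ip`, `is_trusted` and the `recursive` flag (a simplified stand-in for nginx's `real_ip_recursive`) are hypothetical names.

```python
import ipaddress

# Trusted proxy addresses, copied from the set_real_ip_from lines above.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.168.31.72/32"),
    ipaddress.ip_network("2001:db8:1234:5678::72/128"),
]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in trusted)


def effective_client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES, recursive=False):
    """Return the address that failed-login restrictions should be keyed on."""
    # Anyone can send X-Forwarded-For. Honour it only when the TCP peer
    # itself is a trusted proxy; otherwise keep the peer address.
    if not xff or not is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    candidate = remote_addr
    # Walk right to left: the rightmost entry is the one our proxy appended,
    # anything further left was supplied by the client and is unverified.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return candidate  # malformed entry: stop, keep what we have
        candidate = hop
        if not recursive or not is_trusted(hop, trusted):
            break
    return candidate
```

The addresses used to exercise it (203.0.113.x, 198.51.100.x) are constructed documentation ranges, not values from the issue.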
