
Item14380: Foswiki should have option to use X-Forwarded-For to determine Client IP in reverse proxy configuration.

Priority: Normal
Current State: Closed
Released In: 2.1.8
Target Release: patch
Applies To: Engine
Component: FoswikiEngine
Branches: master Item14288 Item14380 Item14537 Release02x01
Reported By: GeorgeClark
Waiting For:
Last Change By: MichaelDaum
In proxy configurations, the Foswiki events log will only contain the proxy server's IP address, anonymizing the clients.

The X-Forwarded-For header will often contain the real client IP in a proxy configuration.

See Wikipedia:X-Forwarded-For

-- GeorgeClark - 19 Apr 2017

Implemented as a new Proxies option: {PROXY}{UseForwardedForHeader}

-- Main.GeorgeClark - 14 May 2017 - 18:26

See also Item14544

-- GeorgeClark - 27 Nov 2017

Re-opening this to work on for 2.1.5. Since the code already processes the Forwarding headers - incorrectly - this really is a bugfix. It needs to support: X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Proto which may be present.

-- GeorgeClark - 27 Nov 2017

This feature is waiting for a release since when? Will backport it to 2.1.8 due to its importance. By the way the feature currently is implemented using two boolean flags - UseForwardedFor and UseForwardedHeaders - other than documented. The above UseForwardedForHeader is gone. Basically we only need one of the three: UseForwardedHeaders. This will activate scanning for X-Forwarded-* headers.

I've updated the priority of this task from "enhancement" to "normal" as Foswiki cannot be used behind a reverse proxy properly, i.e. when https is being used on the outside and http between the reverse proxy and the backend. Deploying Foswiki using Docker we have:

browser <-[https]-> reverse proxy <-[http]-> nginx <-[fcgi]-> foswiki backends

In words:

  • all browsers talk https hitting the reverse proxy
  • the rev proxy uses plain http talking to the backend such as a docker image
  • inside the docker image we have another nginx
  • which itself uses fcgi to talk to foswiki

This only works with proper X-Forwarded-* headers in place, something like:

  location / {
    proxy_pass         http://127.0.0.1;
    proxy_redirect     off;
    proxy_set_header   Host $host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-Host $server_name;
    proxy_set_header   X-Forwarded-Proto https;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
  }

Foswiki will need to parse those headers. It otherwise generates a mixed content html page ... which isn't processed for security reasons.

-- MichaelDaum - 24 Feb 2023
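
An added example, not part of the comments above and not Foswiki's own code: `$proxy_add_x_forwarded_for` appends the peer address to whatever X-Forwarded-For the client already sent, so a backend should honour X-Forwarded-* only when the request arrives from a known proxy and should take the rightmost hop that is not one of its own proxies. The trusted addresses, the `resolve_request` name and the sample requests are assumptions constructed for illustration; X-Forwarded-Port is left out.

```perl
use strict;
use warnings;

# Assumption: addresses of the proxies in front of the backend (constructed).
my %TRUSTED = map { $_ => 1 } qw(127.0.0.1 172.18.0.2);

# $env is a CGI/FCGI-style environment hash (REMOTE_ADDR, HTTP_* keys).
sub resolve_request {
    my ($env) = @_;
    my %r = (
        ip    => $env->{REMOTE_ADDR} // '',
        proto => ( $env->{HTTPS} // '' ) eq 'on' ? 'https' : 'http',
        host  => $env->{HTTP_HOST} // '',
    );
    # A direct client can send any X-Forwarded-* it likes: ignore the
    # headers unless the TCP peer is one of our own proxies.
    return \%r unless $TRUSTED{ $r{ip} };

    # Each proxy appends its peer, so walk right to left and stop at the
    # first address that is not ours; anything further left is
    # client-supplied and unverified.
    my @hops = ( $env->{HTTP_X_FORWARDED_FOR} // '' ) =~ /([^\s,]+)/g;
    while (@hops) {
        $r{ip} = pop @hops;
        last unless $TRUSTED{ $r{ip} };
    }

    # Accept only well-formed scheme and host values.
    my $proto = lc( $env->{HTTP_X_FORWARDED_PROTO} // '' );
    $r{proto} = $proto if $proto =~ /^https?\z/;
    my $host = $env->{HTTP_X_FORWARDED_HOST} // '';
    $r{host} = $host if $host =~ /^[A-Za-z0-9.-]+(?::\d+)?\z/;
    return \%r;
}

# Constructed requests: one through the proxy chain with a spoofed first
# hop, one sent straight to the backend with forged headers.
for my $env (
    { REMOTE_ADDR => '127.0.0.1', HTTP_HOST => '127.0.0.1',
      HTTP_X_FORWARDED_FOR   => '10.9.9.9, 203.0.113.7, 172.18.0.2',
      HTTP_X_FORWARDED_PROTO => 'https',
      HTTP_X_FORWARDED_HOST  => 'wiki.example.org' },
    { REMOTE_ADDR => '198.51.100.23', HTTP_HOST => 'wiki.example.org',
      HTTP_X_FORWARDED_FOR => '127.0.0.1', HTTP_X_FORWARDED_PROTO => 'https' },
) {
    my $r = resolve_request($env);
    print "$r->{ip} $r->{proto}://$r->{host}\n";
}
```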
 

Topic revision: r23 - 06 Aug 2023, MichaelDaum