[CORE-2349] Add support for the x-forwarded-for header for load balanced environments - Blesta

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0.0-b5
Fix Version/s: 4.5.0-b1
Component/s: Staff Interface
Labels:
None

Description

Blesta logs the IP addresses for user logins, sends new order IP addresses to Maxmind (if enabled in the order plugin) for fraud checks, and uses IP addresses for various GeoIP features.

When Blesta is used under a load balanced environment, $_SERVER['REMOTE_ADDR']; will report the load balancer's IP address and not that of the client. This creates a problem in that Blesta is unaware of the clients actual IP address. (By client, I'm referring to the browser client. This affects both Clients and Staff within Blesta)

If the x-forwarded-for header exists, which is or can be set by a load balancer, we should use this instead everywhere we utilize the client's IP address. See https://www.chriswiegman.com/2014/05/getting-correct-ip-address-php/ for more information on getting the right IP address in such a situation.

Issue Links

blocks

CORE-2913 Order: Allow IPs from the x-forwarded-for header

Closed

CORE-2914 PHPIDS: Allow IPs from the x-forwarded-for header

Closed

CORE-2915 Shared Login: Allow IPs from the x-forwarded-for header

Closed

Activity

Ascending order - Click to sort in descending order

Paul Phillips created issue - 27/Feb/17 7:04 PM

Hide

Permalink

Tyson Phillips (Inactive) added a comment - 01/Sep/17 1:31 PM

This depends on the user's environment, but since the x-forwarded-for header can be easily spoofed, it should only be checked if explicitly set to be checked by an admin with knowledge of the proxy. So we can continue to check the remote address header for the IP address, and use the x-forwarded-for IP address in place of it if configured to do so. And also fallback to the remote address if the x-forwaded-for address is not available or unknown.

Show

Tyson Phillips (Inactive) added a comment - 01/Sep/17 1:31 PM This depends on the user's environment, but since the x-forwarded-for header can be easily spoofed, it should only be checked if explicitly set to be checked by an admin with knowledge of the proxy. So we can continue to check the remote address header for the IP address, and use the x-forwarded-for IP address in place of it if configured to do so. And also fallback to the remote address if the x-forwaded-for address is not available or unknown.

Hide

Permalink

Paul Phillips added a comment - 01/Sep/17 1:51 PM

How about a system setting under Settings > System > General > Basic Setup that says something like:

[x] My installation is behind a load balancer

? Tooltip "If checked, Blesta will look for an x-forwarded-for header when evaluating IP addresses for logging, GeoIP, fraud detection, and other purposes."

Show

Paul Phillips added a comment - 01/Sep/17 1:51 PM How about a system setting under Settings > System > General > Basic Setup that says something like: [x] My installation is behind a load balancer ? Tooltip "If checked, Blesta will look for an x-forwarded-for header when evaluating IP addresses for logging, GeoIP, fraud detection, and other purposes."

Hide

Permalink

Tyson Phillips (Inactive) added a comment - 01/Sep/17 6:41 PM

Something like that could work, but the language may need to be updated. Is there no other reason to use the x-forwaded-for header other than when behind a load balancer?

Show

Tyson Phillips (Inactive) added a comment - 01/Sep/17 6:41 PM Something like that could work, but the language may need to be updated. Is there no other reason to use the x-forwaded-for header other than when behind a load balancer?

Hide

Permalink

Paul Phillips added a comment - 01/Sep/17 6:46 PM

HTTP Proxy or load balancer, so perhaps we should list those 2. Load balancer will be the most common, and it is technically an HTTP Proxy. I got this from https://en.wikipedia.org/wiki/X-Forwarded-For while looking to see if there are any other reasons an x-forwarded-for header would be passed through.. proxy & load balancer pretty much sum it up.

Show

Paul Phillips added a comment - 01/Sep/17 6:46 PM HTTP Proxy or load balancer, so perhaps we should list those 2. Load balancer will be the most common, and it is technically an HTTP Proxy. I got this from https://en.wikipedia.org/wiki/X-Forwarded-For while looking to see if there are any other reasons an x-forwarded-for header would be passed through.. proxy & load balancer pretty much sum it up.

Tyson Phillips (Inactive) made changes - 06/Jul/18 4:55 PM

Field	Original Value	New Value
Story Points		3

Tyson Phillips (Inactive) made changes - 18/Jul/18 7:42 PM

Sprint

4.5.0 Sprint 1 [ 66 ]

Tyson Phillips (Inactive) made changes - 18/Jul/18 7:42 PM

Rank

Ranked higher

Tyson Phillips (Inactive) made changes - 19/Jul/18 2:56 PM

Sprint

4.5.0 Sprint 1 [ 66 ]

4.5.0 Sprint 2 [ 67 ]

Tyson Phillips (Inactive) made changes - 19/Jul/18 2:56 PM

Rank

Ranked lower

Automated transition triggered when Tyson Phillips (Inactive) created a branch in Stash - 08/Nov/18 3:42 PM

Status

Open [ 1 ]

In Progress [ 3 ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 3:42 PM

Assignee

Tyson Phillips [ tyson ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 3:42 PM

Fix Version/s

4.5.0-b1 [ 11108 ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 3:43 PM

Fix Version/s

Short Term [ 10800 ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 3:43 PM

Security

Private [ 10000 ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 5:36 PM

Link

This issue blocks ~~CORE-2913~~ [ ~~CORE-2913~~ ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 6:37 PM

Link

This issue blocks ~~CORE-2914~~ [ ~~CORE-2914~~ ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 6:41 PM

Link

This issue blocks ~~CORE-2915~~ [ ~~CORE-2915~~ ]

Automated transition triggered when Tyson Phillips (Inactive) created pull request #575 in Stash - 08/Nov/18 7:14 PM

Status	In Progress [ 3 ]	In Review [ 5 ]
Resolution		Fixed [ 1 ]

Tyson Phillips (Inactive) made changes - 08/Nov/18 7:15 PM

Remaining Estimate		0 minutes [ 0 ]
Time Spent		3 hours, 28 minutes [ 12480 ]
Worklog Id	11670 [ 11670 ]

Jonathan Reissmueller made changes - 09/Nov/18 12:00 PM

Time Spent	3 hours, 28 minutes [ 12480 ]	3 hours, 49 minutes [ 13740 ]
Worklog Id	11672 [ 11672 ]

Automated transition triggered when Tyson Phillips (Inactive) merged pull request #575 in Stash - 09/Nov/18 12:40 PM

Status

In Review [ 5 ]

Closed [ 6 ]

People

Assignee:

Tyson Phillips (Inactive)

Reporter:

Paul Phillips

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

27/Feb/17 7:04 PM

Updated:

09/Nov/18 12:40 PM

Resolved:

08/Nov/18 7:14 PM

Fix Release Date:

31/Jan/19

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

3h 49m

Agile

Completed Sprint:

4.5.0 Sprint 2 ended 15/Nov/18
View on Board