Details
-
Type:
Improvement
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: 5.10.0-b2
-
Fix Version/s: 5.12.0-b1
-
Component/s: None
-
Labels:None
Description
If under Settings > System > General, "My installation is behind a proxy or load balancer" is enabled, we look for and log the x-forwarded-for header instead, which should contain the original client IP.
However, if there are more than 1 proxy, x-forwarded-for headers are appended to include all the IPs of all the steps from client to server.
We should detect whether there are multiple IPs in x-forwarded-for if this setting is enabled, and if there are, parse them out and log only the 1st occurring IP address.. whether IPv4 or IPv6.
Here is the RFC https://datatracker.ietf.org/doc/html/rfc7239
Note that IPs may contain ports and other data, examples:
Forwarded: for="_gazonk"
Forwarded: For="[2001:db8:cafe::17]:4711"
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
Forwarded: for=192.0.2.43, for=198.51.100.17
Activity
Paul Phillips
created issue -
Paul Phillips
made changes -
| Field | Original Value | New Value |
|---|---|---|
| Description |
If under Settings > System > General, "My installation is behind a proxy or load balancer" is enabled, we look for and log the x-forwarded-for header instead, which should contain the original client IP.
However, if there are more than 1 proxy, x-forwarded-for headers are appended to include all the IPs of all the steps from client to server. We should detect whether there are multiple IPs in x-forwarded-for if this setting is enabled, and if there are, parse them out and log only the 1st occurring IP address.. whether IPv4 or IPv6. |
If under Settings > System > General, "My installation is behind a proxy or load balancer" is enabled, we look for and log the x-forwarded-for header instead, which should contain the original client IP.
However, if there are more than 1 proxy, x-forwarded-for headers are appended to include all the IPs of all the steps from client to server. We should detect whether there are multiple IPs in x-forwarded-for if this setting is enabled, and if there are, parse them out and log only the 1st occurring IP address.. whether IPv4 or IPv6. Here is the RFC https://datatracker.ietf.org/doc/html/rfc7239 Note that IPs may contain ports and other data, examples: Forwarded: for="_gazonk" Forwarded: For="[2001:db8:cafe::17]:4711" Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for=192.0.2.43, for=198.51.100.17 |
| Rank | Ranked higher |
| Story Points | 3 |
| Sprint | 5.11.0 Sprint 5 [ 204 ] |
| Rank | Ranked higher |
Paul Phillips
made changes -
| Fix Version/s | 5.12.0-b1 [ 12000 ] | |
| Fix Version/s | 5.11.0-b1 [ 11908 ] |
Paul Phillips
made changes -
| Sprint | 5.11.0 Sprint 5 [ 204 ] |
Paul Phillips
made changes -
| Rank | Ranked higher |