On 6/24/2021 2:41 AM, Jeremy Laidman wrote:
> Xymon's enadis CGI gets the IP address from the webserver's REMOTE_HOST or REMOTE_ADDR variables. Depending on the web server you're using, there may be zero or more ways to make this work.
> For instance, there are Apache modules that can do this: mod_rpaf (reverse proxy add forward), mod_extract_forwarded and mod_remoteip <https://httpd.apache.org/docs/current/mod/mod_remoteip.html> (the latter seemingly the most common method, but also seems to be the most feature-full = complicated). Also, it's possible to use SetEnvIf to capture the IP address from the header and assign it to REMOTE_ADDR (although note that there can be multiple IP addresses in an X-Forwarded-For value if there are multiple proxies in a chain, so you'd want to extract the first (left-most) IP to get the client IP).
> Be warned that it's trivial for an attacker to create an X-Forwarded-For header, so your reverse proxies should strip this header if it exists, before adding their own. There may be other implications.
I adjusted the haproxy config to remove that header before it adds it with the source IP, which will hopefully stop people from doing that.
I installed the rpaf module into apache. This is very interesting ... once I did that, suddenly my xymon-related config stopped working and I got "403 Forbidden" errors. The various parts of the existing xymon apache config that only allow localhost were no longer allowing me to view the UI (apache mod_authz_core config), because they were now seeing the real source address. But unfortunately, the xymon page still says "Disabled by: elyograg @ 127.0.0.1". So I will look into the patch that Ren? provided. Time to upgrade xymon anyway.
Thanks, Shawn
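As an added illustration of the two points raised in the thread (a client-supplied X-Forwarded-For is trivially forged, and a chain may contain several addresses), here is a small Python model of how a web server behind a reverse proxy should resolve the client address. It is example code written for this archive, not part of Xymon, haproxy or any Apache module. The trusted-proxy ranges, the attacker address and the haproxy address are constructed placeholders (the thread names no addresses), and the "walk from the right past trusted proxies" rule is the approach mod_remoteip takes with RemoteIPTrustedProxy; taking the left-most value instead, as the quoted message suggests, only works once the proxy has stripped any inbound header.

```python
import ipaddress

# Constructed: address ranges from which we accept a forwarded header at all.
# In the thread's setup this would be the haproxy host(s) plus localhost.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def parse_xff(value):
    """Split an X-Forwarded-For value into IP strings, left (client) to right (last proxy)."""
    return [part.strip() for part in (value or "").split(",") if part.strip()]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr is a syntactically valid IP inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_leftmost(remote_addr, xff):
    """Naive resolution: believe the left-most entry. Correct only if the proxy
    always discards whatever the client sent before appending its own value."""
    chain = parse_xff(xff)
    return chain[0] if chain else remote_addr


def client_ip_trusted(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Resolution in the spirit of mod_remoteip's RemoteIPTrustedProxy:
    only consult the header when the TCP peer is a trusted proxy, then walk
    the chain from the right and stop at the first hop that is not one of ours."""
    if not is_trusted(remote_addr, trusted):
        # Direct connection that did not come through our proxy: ignore the header.
        return remote_addr
    chain = parse_xff(xff)
    for hop in reversed(chain):
        if not is_trusted(hop, trusted):
            return hop
    # Every hop was a trusted proxy (or the header was empty): fall back to the
    # left-most value, which is the address the first trusted proxy recorded.
    return chain[0] if chain else remote_addr


def proxy_forward(client_addr, inbound_xff):
    """What a well-behaved reverse proxy emits toward the backend: it drops any
    inbound X-Forwarded-For and sends only the address it actually talked to
    (the haproxy 'delete header, then add source IP' change described above).
    inbound_xff is deliberately ignored."""
    return client_addr


def scenario():
    """Constructed scenario: a client at 203.0.113.9 (TEST-NET-3) sends a forged
    header claiming 127.0.0.1, connects to haproxy at 10.0.0.5, which forwards to
    Apache. Returns the client address each policy would see, with and without
    the proxy stripping the inbound header."""
    forged = "127.0.0.1"
    client = "203.0.113.9"
    proxy = "10.0.0.5"

    # Proxy that merely appends: the forged value survives at the left.
    xff_appended = f"{forged}, {client}"
    # Proxy that strips first: only the real peer address remains.
    xff_stripped = proxy_forward(client, forged)

    return {
        "append_leftmost": client_ip_leftmost(proxy, xff_appended),
        "append_trusted": client_ip_trusted(proxy, xff_appended),
        "strip_leftmost": client_ip_leftmost(proxy, xff_stripped),
        "strip_trusted": client_ip_trusted(proxy, xff_stripped),
    }


if __name__ == "__main__":
    for policy, seen in scenario().items():
        print(f"{policy:16s} -> {seen}")
```

Running the scenario shows the failure mode the thread warns about: with an appending proxy and left-most resolution, the server records the forged 127.0.0.1, which is exactly the value a localhost-only allow rule or a "Disabled by ... @ 127.0.0.1" audit line would then trust. Either fix (the proxy stripping the inbound header, or the server walking the chain past its own trusted proxies) yields the real peer address.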