Use X-Forwarded-For header for client IP?
I have all my websites behind a reverse proxy.? For those who might be interested, it's haproxy.? I'm using it because it handles all the TLS and can be easily configured to handle DDOS attacks.
Is it difficult to get xymon to use the X-Forwarded-For header?? Did some googline and came up empty.? I have some disabled tests, and this is what it says:
Disabled?by:?elyograg?@?127.0.0.1
I would like to see the real IP address there.? I've got Xymon 4.3.28 installed from source.
Thanks, Shawn
Hi Shawn
Xymon's enadis CGI gets the IP address from the webserver's REMOTE_HOST or REMOTE_ADDR variables. Depending on the web server you're using, there may be zero or more ways to make this work.
For instance, there are Apache modules that can do this: mod_rpaf (reverse proxy add forward), mod_extract_forwarded and mod_remoteip <https://httpd.apache.org/docs/current/mod/mod_remoteip.html>(the latter seemingly the most common method, but also seems to be the most feature-full = complicated). Also, it's possible to use SetEnvIf to capture the IP address from the header and assign it to REMOTE_ADDR (although note that there can be multiple IP addresses in an X-Forwarded-For value if there are multiple proxies in a chain so you'd want to extract the first (left-most) IP to get the client IP).
Be warned that it's trivial for an attacker to create an X-Forwarded-For header, so your reverse proxies should strip this header if it exists, before adding their own. There may be other implications.
Cheers Jeremy
On Wed, 23 Jun 2021 at 13:27, Shawn Heisey <hobbit at elyograg.org> wrote:
I have all my websites behind a reverse proxy. For those who might be interested, it's haproxy. I'm using it because it handles all the TLS and can be easily configured to handle DDOS attacks.
Is it difficult to get xymon to use the X-Forwarded-For header? Did some googline and came up empty. I have some disabled tests, and this is what it says:
Disabled by: elyograg @ 127.0.0.1
I would like to see the real IP address there. I've got Xymon 4.3.28 installed from source.
Thanks, Shawn
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Hi,
You can also use this patch.
Cheers,
Ren?
Op donderdag 24-06-2021 om 18:41 uur [tijdzone +1000], schreef Jeremy Laidman:
Hi Shawn
Xymon's enadis CGI gets the IP address from the webserver's REMOTE_HOST or REMOTE_ADDR variables. Depending on the web server you're using, there may be zero or more ways to make this work.
For instance, there are Apache modules that can do this: mod_rpaf (reverse proxy add forward), mod_extract_forwarded and mod_remoteip (the latter seemingly the most common method, but also seems to be the most feature-full = complicated). Also, it's possible to use SetEnvIf to capture the IP address from the header and assign it to REMOTE_ADDR (although note that there can be multiple IP addresses in an X-Forwarded-For value if there are multiple proxies in a chain so you'd want to extract the first (left-most) IP to get the client IP).
Be warned that it's trivial for an attacker to create an X-Forwarded-For header, so your reverse proxies should strip this header if it exists, before adding their own. There may be other implications.
Cheers Jeremy
On Wed, 23 Jun 2021 at 13:27, Shawn Heisey <hobbit at elyograg.org> wrote:
I have all my websites behind a reverse proxy. For those who might be interested, it's haproxy. I'm using it because it handles all the TLS and can be easily configured to handle DDOS attacks. Is it difficult to get xymon to use the X-Forwarded-For header? Did some googline and came up empty. I have some disabled tests, and this is what it says: Disabled by: elyograg @ 127.0.0.1 I would like to see the real IP address there. I've got Xymon 4.3.28 installed from source. Thanks, Shawn _______________________________________________ Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
This message has been scanned for viruses with ClamAV at vermare.net
On 6/24/2021 2:41 AM, Jeremy Laidman wrote:
Xymon's enadis CGI?gets the IP address from the webserver's REMOTE_HOST or REMOTE_ADDR variables. Depending on the web server you're using, there may be zero or more ways to make this work.
For instance, there are Apache modules that can do this: mod_rpaf (reverse proxy add forward), mod_extract_forwarded and mod_remoteip <https://httpd.apache.org/docs/current/mod/mod_remoteip.html>(the latter seemingly the most common method, but also seems to be the most feature-full = complicated). Also, it's possible to use SetEnvIf to capture the IP address from the header and assign it to REMOTE_ADDR (although note that there can be multiple IP addresses in an X-Forwarded-For value if there are multiple proxies in a chain so you'd want to extract the first (left-most) IP to get the client IP).
Be warned that it's trivial for an attacker to create an X-Forwarded-For header, so your reverse proxies should strip this header if it exists, before adding their own. There may be other implications.
I adjusted the haproxy config to remove that header before it adds it with the source IP, which will hopefully stop people from doing that.
I installed the rpaf module into apache.? This is very interesting ... once I did that, suddenly my xymon-related config stopped working and I got "403 Forbidden" errors.? The various parts of the existing xymon apache config that only allow localhost were no longer allowing me to view the UI (apache mod_authz_core config), because they were now seeing the real source address.? But unfortunately, the xymon page still says "Disabled?by:?elyograg?@?127.0.0.1".? So I will look into the patch that Ren? provided.? Time to upgrade xymon anyway.
Thanks, Shawn
On 6/26/2021 11:38 AM, Shawn Heisey wrote:
But unfortunately, the xymon page still says "Disabled?by:?elyograg?@?127.0.0.1".? So I will look into the patch that Ren? provided.? Time to upgrade xymon anyway.
I applied the patch to 4.3.30, compiled, and installed.? Only it turns out that with 4.3.28, I had built debian packages, so I wasn't actually running 4.3.30 -- still running 4.3.28.
So I built the packages from the patched source and installed them ... now the right IP address shows up on disabled tests.
But something else REALLY broke.? The icons on the web UI are gone, replaced with text.? How do I fix this?:
https://www.elyograg.org/xymon-icons-broke.png
Thanks, Shawn
On 6/28/2021 1:23 PM, Shawn Heisey wrote:
But something else REALLY broke.? The icons on the web UI are gone, replaced with text.? How do I fix this?:
Applied a bandaid.? In /var/lib/xymon/www/gifs, made a symlink:
sudo ln -s . static
That fixed the icons.? But it's a bandaid.? Need to figure out where it's getting the URL path that includes "/static/" and fix that.
On 6/28/2021 1:28 PM, Shawn Heisey wrote:
Applied a bandaid.? In /var/lib/xymon/www/gifs, made a symlink:
sudo ln -s . static
That fixed the icons.? But it's a bandaid.? Need to figure out where it's getting the URL path that includes "/static/" and fix that.
I'm on a roll with "reply to self" today.
Found it.? xymonserver.cfg.
participants (4)
-
elyograg@elyograg.org
-
hobbit@elyograg.org
-
jeremy@laidman.org
-
rene@vermare.net