Xymon Mailing List Archive

Use X-Forwarded-For header for client IP?

7 messages in this thread

list Shawn Heisey · Tue, 22 Jun 2021 21:27:37 -0600 ·
I have all my websites behind a reverse proxy.  For those who might be interested, it's haproxy.  I'm using it because it handles all the TLS and can be easily configured to handle DDOS attacks.

Is it difficult to get xymon to use the X-Forwarded-For header?  Did some googling and came up empty.  I have some disabled tests, and this is what it says:

Disabled by: elyograg @ 127.0.0.1

I would like to see the real IP address there.  I've got Xymon 4.3.28 installed from source.

Thanks,
Shawn
list Jeremy Laidman · Thu, 24 Jun 2021 18:41:20 +1000 ·
Hi Shawn

Xymon's enadis CGI gets the IP address from the webserver's REMOTE_HOST or
REMOTE_ADDR variables. Depending on the web server you're using, there may
be zero or more ways to make this work.

For instance, there are Apache modules that can do this: mod_rpaf (reverse
proxy add forward), mod_extract_forwarded and mod_remoteip
<https://httpd.apache.org/docs/current/mod/mod_remoteip.html> (the latter
seemingly the most common method, but also seems to be the most
feature-full = complicated). Also, it's possible to use SetEnvIf to capture
the IP address from the header and assign it to REMOTE_ADDR (although note
that there can be multiple IP addresses in an X-Forwarded-For value if
there are multiple proxies in a chain so you'd want to extract the first
(left-most) IP to get the client IP).

Be warned that it's trivial for an attacker to create an X-Forwarded-For
header, so your reverse proxies should strip this header if it exists,
before adding their own. There may be other implications.

Cheers
Jeremy
On Wed, 23 Jun 2021 at 13:27, Shawn Heisey <user-5d0d01dba542@xymon.invalid> wrote:

> I have all my websites behind a reverse proxy.  For those who might be
> interested, it's haproxy.  I'm using it because it handles all the TLS
> and can be easily configured to handle DDOS attacks.
>
> Is it difficult to get xymon to use the X-Forwarded-For header?  Did
> some googling and came up empty.  I have some disabled tests, and this
> is what it says:
>
> Disabled by: elyograg @ 127.0.0.1
>
> I would like to see the real IP address there.  I've got Xymon 4.3.28
> installed from source.
>
> Thanks,
> Shawn

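A defender-side illustration of the trust problem Jeremy describes, added here as an example (it is not code from the thread or from Xymon): it resolves the client address from the same CGI variables enadis reads, consults X-Forwarded-For only when the connecting peer is a known proxy, and walks the chain from the right so that a value a client prepended itself is ignored even if the edge proxy failed to strip it, which generalizes the "take the left-most IP" advice to the case where stripping did not happen. The TRUSTED_PROXIES ranges and all sample addresses are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Assumed trust set (constructed for this example): the edge proxy (haproxy
# in the thread) connects from localhost, internal hops live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Resolve the address to record (the 'user @ ip' part of a disable note).

    X-Forwarded-For is only consulted when the TCP peer (REMOTE_ADDR) is a
    trusted proxy. The chain is then walked from the right, skipping trusted
    hops; the first untrusted hop is the client. A value a client prepended
    itself therefore never wins, even if the edge proxy failed to strip it.
    """
    if not xff or not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # malformed hop: fall back to the socket peer
    return remote_addr  # every hop was one of our own proxies


def client_ip_from_cgi(environ: dict) -> str:
    """Same lookup over the CGI variables a script like enadis is handed."""
    return client_ip(environ.get("REMOTE_ADDR", ""),
                     environ.get("HTTP_X_FORWARDED_FOR"))
```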
list René Vermare · Fri, 25 Jun 2021 19:34:46 +0200 ·
Hi,

You can also use this patch.

Cheers,

René

On Thursday 24-06-2021 at 18:41 [timezone +1000], Jeremy Laidman wrote:

> Hi Shawn
>
> Xymon's enadis CGI gets the IP address from the webserver's
> REMOTE_HOST or REMOTE_ADDR variables. Depending on the web server
> you're using, there may be zero or more ways to make this work.
>
> For instance, there are Apache modules that can do this: mod_rpaf
> (reverse proxy add forward), mod_extract_forwarded and mod_remoteip
> (the latter seemingly the most common method, but also seems to be the
> most feature-full = complicated). Also, it's possible to use SetEnvIf
> to capture the IP address from the header and assign it to REMOTE_ADDR
> (although note that there can be multiple IP addresses in an
> X-Forwarded-For value if there are multiple proxies in a chain so
> you'd want to extract the first (left-most) IP to get the client IP).
>
> Be warned that it's trivial for an attacker to create an
> X-Forwarded-For header, so your reverse proxies should strip this
> header if it exists, before adding their own. There may be other
> implications.
>
> Cheers
> Jeremy
>
> On Wed, 23 Jun 2021 at 13:27, Shawn Heisey <user-5d0d01dba542@xymon.invalid>
> wrote:
>
> > I have all my websites behind a reverse proxy.  For those who
> > might be interested, it's haproxy.  I'm using it because it handles all
> > the TLS and can be easily configured to handle DDOS attacks.
> >
> > Is it difficult to get xymon to use the X-Forwarded-For
> > header?  Did some googling and came up empty.  I have some disabled tests,
> > and this is what it says:
> >
> > Disabled by: elyograg @ 127.0.0.1
> >
> > I would like to see the real IP address there.  I've got Xymon
> > 4.3.28 installed from source.
> >
> > Thanks,
> > Shawn
list Shawn Heisey · Sat, 26 Jun 2021 11:38:33 -0600 ·
On 6/24/2021 2:41 AM, Jeremy Laidman wrote:

> Xymon's enadis CGI gets the IP address from the webserver's REMOTE_HOST or REMOTE_ADDR variables. Depending on the web server you're using, there may be zero or more ways to make this work.
>
> For instance, there are Apache modules that can do this: mod_rpaf (reverse proxy add forward), mod_extract_forwarded and mod_remoteip <https://httpd.apache.org/docs/current/mod/mod_remoteip.html> (the latter seemingly the most common method, but also seems to be the most feature-full = complicated). Also, it's possible to use SetEnvIf to capture the IP address from the header and assign it to REMOTE_ADDR (although note that there can be multiple IP addresses in an X-Forwarded-For value if there are multiple proxies in a chain so you'd want to extract the first (left-most) IP to get the client IP).
>
> Be warned that it's trivial for an attacker to create an X-Forwarded-For header, so your reverse proxies should strip this header if it exists, before adding their own. There may be other implications.

I adjusted the haproxy config to remove that header before it adds it with the source IP, which will hopefully stop people from doing that.

I installed the rpaf module into apache.  This is very interesting ... once I did that, suddenly my xymon-related config stopped working and I got "403 Forbidden" errors.  The various parts of the existing xymon apache config that only allow localhost were no longer allowing me to view the UI (apache mod_authz_core config), because they were now seeing the real source address.  But unfortunately, the xymon page still says "Disabled by: elyograg @ 127.0.0.1".  So I will look into the patch that René provided.  Time to upgrade xymon anyway.

Thanks,
Shawn
list Shawn Heisey · Mon, 28 Jun 2021 13:23:51 -0600 ·
On 6/26/2021 11:38 AM, Shawn Heisey wrote:

> But unfortunately, the xymon page still says "Disabled by: elyograg @ 127.0.0.1".  So I will look into the patch that René provided.  Time to upgrade xymon anyway.

I applied the patch to 4.3.30, compiled, and installed.  Only it turns out that with 4.3.28, I had built debian packages, so I wasn't actually running 4.3.30 -- still running 4.3.28.

So I built the packages from the patched source and installed them ... now the right IP address shows up on disabled tests.

But something else REALLY broke.  The icons on the web UI are gone, replaced with text.  How do I fix this?:

https://www.elyograg.org/xymon-icons-broke.png

Thanks,
Shawn
list Shawn Heisey · Mon, 28 Jun 2021 13:28:51 -0600 ·
On 6/28/2021 1:23 PM, Shawn Heisey wrote:

> But something else REALLY broke.  The icons on the web UI are gone,
> replaced with text.  How do I fix this?:
>
> https://www.elyograg.org/xymon-icons-broke.png

Applied a bandaid.  In /var/lib/xymon/www/gifs, made a symlink:

sudo ln -s . static

That fixed the icons.  But it's a bandaid.  Need to figure out where
it's getting the URL path that includes "/static/" and fix that.
list Shawn Heisey · Mon, 28 Jun 2021 13:32:45 -0600 ·
On 6/28/2021 1:28 PM, Shawn Heisey wrote:

> Applied a bandaid.  In /var/lib/xymon/www/gifs, made a symlink:
>
> sudo ln -s . static
>
> That fixed the icons.  But it's a bandaid.  Need to figure out where
> it's getting the URL path that includes "/static/" and fix that.

I'm on a roll with "reply to self" today.

Found it.  xymonserver.cfg.