RainLoop / rainloop-webmail

Simple, modern & fast web-based email client
http://rainloop.net
MIT License
4.12k stars 896 forks

show X-Forwarded-For ip header on rainloop auth logs behind haproxy #1849

Open enriluis opened 5 years ago

enriluis commented 5 years ago

RainLoop version 1.12.1, browser Mozilla Firefox 65.0.2, OS: Windows 10 on client side, on the server Ubuntu Linux working fine, behind haproxy

Expected behavior and actual behavior: I want to tell haproxy to show me the, now it shows the haproxy IP, not the X-Forwarded-For header. I want to somehow block more than 3 or 5 failed logins.

```
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
```

but the rainloop auth logs show me the haproxy IP

Steps to reproduce the problem:

Logs or screenshots: apache log showing the real client IP:

```
200.55.xxx.xxx - - [15/Mar/2019:15:17:44 -0500] "GET /?/Ajax/&q[]=/_ouGQQPoG93XHTEm_pVHseebg_ZeUUNY73NmR7SwR7AOtPXCOA-8lJ0imL_AJN8mugLM5tlwKcrISWtii1fZkDvo7bLFmA7i1gyoMeOk5vTh-VoAj26wsE18oINZKpo0XMdmNPhbRuNBI5MEtv1Gghu37Ihu6hKHLzt1byKwrHubvjsDOsOu3gdb5K15AM6ZyLZnt7XfU_gatuSx-FY9gdB3Uk28Nhaq__s6VFcr2XNxTZ_9pwy6ZS386KQ7BgGRrB5MZzD44ZN2yON3b__PvKLkwYSYUpKsEPOIFrjIaFI_KMj8SdqIVOrQd-f5qaa2spTihV7o0xVgXGc5D/MessageList/&q[]=/SU5CT1gAMAAyMAAANDA2YTQxMzVhYjJkODBlY2FhZGIwZDU0NjE5OWE3YTQAZWJkM2MxOWQ4ODJmYTIzNjYyMDI2N2MzYzE3MmM2ZmQANTE0OTUAMAA HTTP/1.1" 200 34383 "https://webmail.domain/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0"
```

rainloop log showing haproxy IP:

```
[20:18:33.651][7d2b2611] INFO[DATA]: [DATE:15.03.19][OFFSET:-00][RL:1.12.1][PHP:7.2.15-0ubuntu0.18.04.1][172.20.20.13][PID:13079][Apache/2.4.29 (Ubuntu)][apache2handler]
[20:18:33.651][7d2b2611] REQUEST[NOTE]: [POST] https://webmail.domain/?/Ajax/&q[]=/0/
[20:18:33.651][7d2b2611] AJAX[NOTE]: Action: DoLogin
[20:18:33.651][7d2b2611] LOGIN[DATA]: The email address "swd" is not complete
[20:18:34.652][7d2b2611] INFO[NOTICE]: RainLoop\Exceptions\ClientException: InvalidInputArgument[903] in /var/www/mailweb/rainloop/v/1.12.1/app/libraries/RainLoop/Actions.php:2232
```

12nick12 commented 4 years ago

Is this in the works?

khimaros commented 3 years ago

this would make fail2ban more useful when rainloop is behind a reverse proxy, eg. nginx

khimaros commented 3 years ago

it looks like this is at least partly implemented as a "lab" feature with http_client_ip_check_proxy:

https://github.com/RainLoop/rainloop-webmail/blob/5e409ac638afb67cb9866d298783f9b4da0bf9fb/rainloop/v/0.0.0/app/libraries/RainLoop/Actions.php#L493

https://github.com/RainLoop/rainloop-webmail/blob/f5b92b8b65e6b7312ff930ad04abe71e136dc27c/rainloop/v/0.0.0/app/libraries/MailSo/Base/Http.php#L358

i will experiment with this setting in the afternoon.

khimaros commented 3 years ago

actually, i just verified that this works. you will need to set labs.http_client_ip_check_proxy = On in your rainloop application.ini and ensure that your reverse proxy is setting either of the X-Forwarded-For or Client-Ip headers correctly.
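
What "setting the header correctly" has to guarantee before the logged address is fed to fail2ban, as an added example in Python that is not RainLoop's code and not part of this thread: the forwarded address is believed only when the connection comes from the proxy itself, and the header is read from the right. The trusted proxy address is the haproxy IP from the log in the first post; the function names and the client addresses in the test are constructed for illustration.

```python
import ipaddress

# Assumption: the only host allowed to vouch for a client address is the
# haproxy instance seen in the RainLoop log above (172.20.20.13).
TRUSTED_PROXIES = [ipaddress.ip_network("172.20.20.13/32")]


def is_trusted(addr):
    """True if addr (a string) parses as an IP inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address to log and to ban on.

    remote_addr is the TCP peer (REMOTE_ADDR); x_forwarded_for is the raw
    X-Forwarded-For header value, or None when the header is absent.
    """
    # A peer that is not our proxy gets no say: ignore any header it sent.
    if not is_trusted(remote_addr) or not x_forwarded_for:
        return remote_addr
    # Each proxy appends the peer it saw, so the rightmost entries were
    # written by our own infrastructure. Walk right to left and stop at the
    # first hop that is not a trusted proxy.
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer
        if not is_trusted(hop):
            return hop
    return remote_addr  # header listed only our own proxies
```

A header value that the client supplied itself ends up to the left of the entry haproxy appended, so it never reaches the log or the ban list.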