Open alnviana opened 1 week ago
Hey 👋🏻
Thank you for a detailed issue.
I can confirm that when we were initially testing and publishing the collection, we exposed it directly to the internet without testing it behind an upstream proxy.
I reached out to our contact at Check Point to clarify a few points, as from our own interpretation of the field names I would suspect the same as you: `proxyIP` to be the upstream IP address and `sourceIP` to be set to the actual user IP.
However, before making changes to the parser I will wait for confirmation that this is the intended behavior and, if so, will make the changes to blindly "trust" the `proxyIP` if it is set (I say blindly because CrowdSec doesn't have the context to know whether the IP is trusted as the upstream, so we have to just trust it).
Edit: or switch to `httpSourceId`, depending on the outcome of the clarification.
Thanks for the quick reply. :) I agree with you that it is good to plan this change well, as it could cause unwanted effects for those who are already using it. This care is fundamental when it comes to security and resilience, which makes me like the project even more.
If you need any more information or help testing something, feel free to ask me.
I have the following structure: Internet -> Reverse Proxy 1 -> OpenAppSec -> App1, App2, etc
The first proxy is configured to fill in and pass X-Forwarding-For, so its value is "Real IP, Proxy 1 IP". I configured the OpenAppSec Source Identity to use this header instead of the Source IP. I did a SQL injection test, and an event was triggered:
CrowdSec reads the logs, parses the sourceIP and bans Proxy 1's IP.
Adding the Proxy 1's IP as a hop on Source Identity doesn't help, resulting in:
With OpenAppSec directly exposed (without Proxy 1), the Real IP appears as sourceIP, so it is banned correctly.
So I'm thinking of the following possible reasons for it not working:
If anyone can help me, I'd be grateful. :)
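The two situations in this thread (the maintainer's plan to pick the client address from the event fields, and the reporter's setup where the ban lands on Proxy 1 because the forwarded-for chain is read without knowing which hop is trusted) come down to one decision: which address in the chain is the real client. The following is an added example, not code from CrowdSec, OpenAppSec or Check Point. It assumes an event that carries the peer address the WAF saw (`source_ip`, corresponding to the thread's sourceIP) plus the raw X-Forwarded-For value; the addresses and the trusted-proxy list are constructed for illustration.

```python
"""
Choosing which address to act on when the WAF sits behind a reverse proxy.

Added example, not code from CrowdSec or OpenAppSec. It assumes an event
with the peer address the WAF saw (source_ip) and the raw X-Forwarded-For
value; every address below is constructed for illustration.
"""
import ipaddress
from typing import List, Optional, Set


def parse_forwarded_chain(xff: str) -> List[str]:
    """Split 'client, hop1, hop2' into a list, dropping malformed entries."""
    hops = []
    for raw in xff.split(","):
        candidate = raw.strip()
        try:
            hops.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # empty or garbage entry: ignore it rather than fail
    return hops


def resolve_client_ip(source_ip: str, xff: Optional[str],
                      trusted_proxies: Set[str]) -> Optional[str]:
    """Return the address a ban should target, or None if none is safe.

    Walk the chain from the right (nearest hop first) and discard every
    entry that belongs to a proxy we operate. The first entry that is not
    ours is the address recorded by our outermost trusted hop, which is the
    best evidence of the real client. Entries further left were supplied by
    the client itself and are ignored, so a forged header cannot steer a
    ban onto a third party.
    """
    if not xff:
        # WAF exposed directly: the peer is the client, unless it is one of
        # our own proxies that forgot to forward the header.
        return None if source_ip in trusted_proxies else source_ip
    hops = parse_forwarded_chain(xff)
    # The peer that delivered the request is always the last hop. If the
    # proxy did not append itself, add it so the walk starts at the WAF's peer.
    if not hops or hops[-1] != source_ip:
        hops.append(source_ip)
    while hops and hops[-1] in trusted_proxies:
        hops.pop()
    if not hops:
        return None  # only our own proxies in the chain: nothing safe to ban
    return hops[-1]


if __name__ == "__main__":
    proxy1 = "10.0.0.5"          # constructed: Reverse Proxy 1
    real_client = "203.0.113.10"  # constructed: the real attacker address
    chain = f"{real_client}, {proxy1}"  # the "Real IP, Proxy 1 IP" shape from the report
    # Proxy 1 not declared trusted: the ban lands on the proxy (the symptom reported)
    print(resolve_client_ip(proxy1, chain, set()))
    # Proxy 1 declared trusted: the ban lands on the real client
    print(resolve_client_ip(proxy1, chain, {proxy1}))
```

The important edge cases are the last two: with an empty trusted set the function reproduces the behaviour described in the report (the proxy's own address is returned), and once the proxy is in the trusted set a client-supplied prefix such as "198.51.100.7, 203.0.113.10, 10.0.0.5" still resolves to 203.0.113.10, because only hops appended by infrastructure we control are stripped.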