cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org

OSS with Nginx - Direct access (XFF is empty) is not working #1672

Closed eladkug closed 3 years ago

eladkug commented 4 years ago

## Summary

While we are working with OSS and Nginx, direct access does not work. We identified the Nginx container IP instead of the client IP.

## Steps to Reproduce

Steps to reproduce the behavior:

1. Set up the OSS environment from the quick start documentation
2. Identify the Nginx proxy IP address:

       docker inspect nginx_proxy | grep IPAddress

                       "IPAddress": "192.168.32.2"

3. Send an authenticate request from any machine
4. See the Conjur logs with the Nginx IP as origin instead of your machine's IP:

```
INFO 2020/07/06 08:44:29 +0000 [pid=36] [origin=192.168.32.2] [request_id=d3bb5797-a7e6-4fbd-971c-feab20909abb] [tid=44] Started POST "/authn/cucumber/admin/authenticate" for 192.168.32.2 at 2020-07-06 08:44:29 +0000
```

## Expected Results
identified the Client IP

## Actual Results (including error logs, if applicable)
identified the Nginx container IP

## Reproducible
   * [x] Always 
   * [ ] Sometimes
   * [ ] Non-Reproducible

## Version/Tag number
1.7.4

## Environment setup
Deployment from our quick start documentation for customers

## Additional Information
This is what we saw in logs:
```
Nginx ip:
192.168.32.2

Client ip:
109.64.79.175

Sending empty XFF and got:
 INFO 2020/07/06 08:44:29 +0000 [pid=36] [origin=192.168.32.2] [request_id=d3bb5797-a7e6-4fbd-971c-feab20909abb] [tid=44] Started POST "/authn/cucumber/admin/authenticate" for 192.168.32.2 at 2020-07-06 08:44:29 +0000

Debug logs:
remote ip: 192.168.32.2
ip: 192.168.32.2
XFF:
remote_addr: 192.168.32.2
remote_addr H: 192.168.32.2
```

eladkug commented 4 years ago

@jvanderhoof Are you going to fix this issue?

eladkug commented 4 years ago

@jvanderhoof ?

izgeri commented 4 years ago

Is this perhaps related to the concept of trusted proxies? Wondering if @cyberark/conjur-core-team has any feedback they can share about the recommended way to use Conjur OSS to accurately reflect the client IP in the logs.

jvanderhoof commented 4 years ago

@eladkug, I don't think there is a release of Conjur with the trusted proxy functionality in place, but if you build one, the TRUSTED_PROXIES environment variable should allow you to remove Nginx: https://github.com/cyberark/conjur/blob/master/CHANGELOG.md#added
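
The trusted-proxy idea raised in this thread, as an added Ruby example that is not from the thread or from Conjur's code base: X-Forwarded-For is honoured only when the direct peer falls inside a trusted CIDR list, so an empty XFF leaves the proxy address as the logged origin, as in the report. The names `parse_ip` and `resolve_origin` and the `192.168.32.0/24` trusted range are assumptions for illustration.

```ruby
require 'ipaddr'

# Parse one address; nil for empty or malformed input (e.g. "unknown").
def parse_ip(text)
  return nil if text.nil? || text.strip.empty?
  IPAddr.new(text.strip)
rescue IPAddr::Error
  nil
end

# Hypothetical helper, not Conjur's implementation: pick the origin to log
# from the TCP peer address and X-Forwarded-For, given trusted proxy CIDRs.
def resolve_origin(remote_addr, xff, trusted_cidrs)
  nets = trusted_cidrs.map { |cidr| IPAddr.new(cidr) }
  trusted = ->(ip) { nets.any? { |net| net.include?(ip) } }

  peer = parse_ip(remote_addr)
  # Only a trusted peer may vouch for XFF; otherwise a client could forge it.
  return remote_addr if peer.nil? || !trusted.call(peer)

  origin = remote_addr
  # Walk right to left: rightmost entries were appended by the nearest proxies.
  xff.to_s.split(',').reverse_each do |hop|
    ip = parse_ip(hop)
    break if ip.nil?              # malformed entry: stop trusting the chain
    origin = ip.to_s
    break unless trusted.call(ip) # first untrusted hop is the client
  end
  origin
end

# Constructed inputs using the addresses from the issue report.
NGINX = '192.168.32.2'
CLIENT = '109.64.79.175'
TRUSTED = ['192.168.32.0/24'] # assumed value for the proxy network
```

With an empty XFF the function returns the Nginx address, which is the behaviour seen in the debug logs; the client address appears only when the proxy forwards it.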

izgeri commented 4 years ago

@jvanderhoof now that we've tagged v1.10.0, is that a valid version to use with the trusted proxies functionality?

this seems like a reasonable blog post - anyone have interest in writing it? :) could demonstrate using trusted proxies with the quick start vs helm chart

eladkug commented 4 years ago

@jvanderhoof but I will still see Nginx IP as origin instead of our IP machine?

sjacobs146 commented 3 years ago

The fix and tests were added here: https://github.com/cyberark/conjur/pull/1726/files. The GH issue was not the driving force for this PR. The work with Epic was the driver. As a result, this bug was not closed. Closing now.