eveseat / seat

🌀✳️ SeAT: A Simple, EVE Online API Tool and Corporation Manager
https://eveseat.github.io/docs/
GNU General Public License v2.0

Not Handling X-Forwarded-For from LBs #709

Open beauhoyt opened 4 years ago

beauhoyt commented 4 years ago

So it seems to be doing something when I added this to the .env

TRUSTED_PROXIES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22

because my login IP changed from 108.162.245.50 to 162.158.107.163, which is just another intermediate LB in the chain. My guess is this is how it works:

Edge POP            Internal LB      Then it should be my IP
162.158.107.163 -> 108.162.245.50 -> x.x.x.x

The X-Forwarded-For Header should be looking something like this:

X-Forwarded-For: x.x.x.x,108.162.245.50,162.158.107.163

Based on this documentation: https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-Cloudflare-handle-HTTP-Request-headers-

warlof commented 3 years ago

Hi,

It seems the easiest way for you is to add a dependency which has been built to handle Cloudflare proxying headers: https://github.com/monicahq/laravel-cloudflare

It will maintain Cloudflare's published IP addresses used for proxying in a cache (that you can reload automatically, using your scheduler).

Since you are on Docker, you can add monicahq/laravel-cloudflare to your plugins in the .env file. However, you'll have to alter the Kernel.php file on all your containers manually (and after each update).

That file will be located at /var/www/seat/app/Http/Kernel.php

beauhoyt commented 3 years ago

Hmm - now I'm getting a 172.16.0.0/12 address from Docker's internal network

Is there another set of values I need to set for the middleware?

Do I just need to add 172.16.0.0/12 to TRUSTED_PROXIES?

beauhoyt commented 3 years ago

So I went in and modified the LogFormat to get the X-Forwarded-For and CF-Connecting-IP headers

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h \"%{X-Forwarded-For}i\" \"%{CF-Connecting-IP}i\" %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h \"%{X-Forwarded-For}i\" \"%{CF-Connecting-IP}i\" %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

And noticed the big problem of the X-Forwarded-For is that it's getting overwritten instead of appended to:

172.18.0.2 "172.68.86.114" "103.x.x.x" - - [16/Nov/2020:21:29:44 +0000] "GET /queue/short-status HTTP/1.1" 200 1114 "https://seat.42indy.com/configuration/schedule" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Edg/86.0.622.63"
172.18.0.2 "108.162.245.156" "104.x.x.x" - - [16/Nov/2020:21:29:48 +0000] "GET /queue/short-status HTTP/1.1" 401 1103 "https://seat.42indy.com/characters/2117476562/sheet" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36"
172.18.0.2 "172.68.86.114" "103.x.x.x" - - [16/Nov/2020:21:29:55 +0000] "GET /queue/short-status HTTP/1.1" 200 1118 "https://seat.42indy.com/configuration/schedule" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.183 Safari/537.36 Edg/86.0.622.63"

So now I'm going to try and modify config/trustedproxy.php with (comes from here https://github.com/fideloper/TrustedProxy/wiki):

<?php

return [
   ...

    // These are defaults already set in the config:
    'headers' => [
        (defined('Illuminate\Http\Request::HEADER_FORWARDED') ? Illuminate\Http\Request::HEADER_FORWARDED : 'forwarded') => 'FORWARDED',
        \Illuminate\Http\Request::HEADER_CLIENT_IP    => 'X_FORWARDED_FOR',
        \Illuminate\Http\Request::HEADER_CLIENT_HOST  => 'X_FORWARDED_HOST',
        \Illuminate\Http\Request::HEADER_CLIENT_PROTO => 'X_FORWARDED_PROTO',
        \Illuminate\Http\Request::HEADER_CLIENT_PORT  => 'X_FORWARDED_PORT',
    ]
];

Though when I do this I get this fatal error (and still looking into it):

Fatal error: Uncaught RuntimeException: A facade root has not been set. in /var/www/seat/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php:258
Stack trace:
#0 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(425): Illuminate\Support\Facades\Facade::__callStatic('replaceNamespac...', Array)
#1 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(402): Illuminate\Foundation\Exceptions\Handler->registerErrorViewPaths()
#2 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(313): Illuminate\Foundation\Exceptions\Handler->renderHttpException(Object(Symfony\Component\HttpKernel\Exception\HttpException))
#3 /var/www/seat/vendor/laravel/framework/src/Illuminate/Foundation/Exceptions/Handler.php(210): Illuminate\Foundation\Exceptions\Handler->prepareResponse(Object(Illuminate\Http\Request), Object(Symfony\Component\HttpKernel\Exception\HttpException))
#4 /var/www/seat/app/Exceptions/Handler.php(55): Illumi in /var/www/seat/vendor/laravel/framework/src/Illuminate/Support/Facades/Facade.php on line 258

My goal is to replace the above associative array with this change:

 \Illuminate\Http\Request::HEADER_CLIENT_IP    => 'CF-Connecting-IP',

So I can get the correct IP.
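The peer and header values from the log lines above, run through a simplified right-to-left trusted-proxy walk (an added example, not part of the thread and not SeAT, Laravel or Symfony code). The function names and the client address 203.0.113.7 are constructed for illustration; the CIDR ranges are taken from the TRUSTED_PROXIES value and the Docker range quoted in the thread.

```php
<?php
// Added example, IPv4 only, assumes 64-bit PHP. All function names are hypothetical.

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // not a usable IPv4 address or prefix
    }
    $mask = (-1 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrusted(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

function resolveClientIp(string $remoteAddr, ?string $xff, array $trusted): string
{
    // The header is believed only when the TCP peer itself is a trusted proxy.
    if ($xff === null || !isTrusted($remoteAddr, $trusted)) {
        return $remoteAddr;
    }
    $last = $remoteAddr;
    // Walk from the nearest hop outwards; the first untrusted hop is the client.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $last; // malformed entry: trust nothing further left
        }
        if (!isTrusted($hop, $trusted)) {
            return $hop;
        }
        $last = $hop;
    }
    return $last; // every hop was a trusted proxy
}

$cloudflare = ['172.64.0.0/13', '108.162.192.0/18', '162.158.0.0/15']; // subset of the list above
$withDocker = array_merge($cloudflare, ['172.16.0.0/12']);

echo resolveClientIp('172.18.0.2', '172.68.86.114', $cloudflare), "\n";              // logged values
echo resolveClientIp('172.18.0.2', '172.68.86.114', $withDocker), "\n";              // Docker range trusted
echo resolveClientIp('172.18.0.2', '203.0.113.7, 172.68.86.114', $withDocker), "\n"; // appended chain
```

With only the Cloudflare ranges trusted, the Docker peer is untrusted and the header is ignored; with the Docker range added, the overwritten single-hop header resolves to the Cloudflare edge address, and only an appended chain yields the client. Trusting 172.16.0.0/12 is only sound when nothing other than the reverse proxy can reach the container on that network.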

AstralDestiny commented 3 years ago

So for me I'm having Traefik rewrite X-Real-IP (originally it would show 172.23.0.1 for connections) with X-Forward-IP or CF-Connecting-IP; as long as it doesn't match X it will replace, which shows the real IP of the connecting user from the Cloudflare LBs. All other programs I have behind Traefik are fine, but it has issues when it comes to SeAT. It still shows 172.23.0.1; every other service, however, works fine and shows the external connecting IP from the CF LBs. I can probably write the instructions if anyone is curious, but every other container works totally fine; as soon as I try it with SeAT, SeAT refuses and just shows all logins as 172.23.0.1.

warlof commented 3 years ago

Which application are you using?

SeAT is not doing anything with reverse except standard Laravel stuff :/

beauhoyt commented 3 years ago

@AstralDestiny I personally think it's Traefik messing with the X-Forward-IP header, completely overwriting the comma-delimited IPs instead of appending to the list. Hence why I was trying to force Laravel (a.k.a. Symfony) to use the CF-Connecting-IP header, but with no luck. :(