Closed MiroRadenovic closed 9 years ago
Hello I'm back! I have been looking at your code an I have found this at https://github.com/gadicohen/meteor-headers/blob/master/headers-server.js#L88
headers.getClientIP = function(self, proxyCount) {
checkSelf(self, 'getClientIP');
var chain = this.get(self, 'x-ip-chain').split(',');
if (typeof(proxyCount) == 'undefined')
proxyCount = this.proxyCount;
return chain[chain.length - proxyCount - 1];
}
basically the problem here is that i got my x-ip-chain starting always with 127.0.0.1. I have no idea on why 127.0.0.1 is always included, but why you did not use the header x-forwarded-for which actually is used for this scope?
taken from wikipedia (http://en.wikipedia.org/wiki/X-Forwarded-For) it says:
The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2
Thank you!
Hey. Meteor uses an internal proxy module, I don't recall the specifics unfortunately. Is this behaviour the same when your app is deployed as opposed to running it in development mode? I'd expect it to be the same, but I ask since in our deployment at Meteor.com, we don't see this behaviour: http://headers.meteor.com/
The reason we can't just use the first value in the list is because we can't trust it. If the user connects and sends his own X-Forward-For
value, he could make the first address on the list whatever he wants. That's why we can only trust the value inserted by the last proxy we control/trust (which won't necessarily be the first on the list... it will be the last on the list before any proxies we trust, and our proxy can vouch that that is the IP that originated the connection).
Hello and thank you for the reply. Related to the X-Forward-For i agree with you.
I'm still new in meteor and I don't know if something changed lately, but I see that everywhere I deploy the application, under x-ip-chan the 127.0.0.1 address is always there.
I have tried to run the my code :
on modulus my client headers are
{ host: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'cache-control': 'max-age=0',
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'user-agent': 'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36',
'accept-encoding': 'gzip,deflate,sdch',
'accept-language': 'it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4',
cookie: 'meteor_login_token=yvXKWWNAd7wWxPXm9',
'x-forwarded-for': '93.33.104.233,127.0.0.1',
connection: 'close',
'x-forwarded-port': '25256',
'x-forwarded-proto': 'http',
'x-ip-chain': '93.33.104.233,127.0.0.1,107.21.216.112' }
and to make thing more clear:
I will send you a pull request, with my fix, so we can investigate it a little better :+1:
Hey, I'm going to look into this issue more deeply to see if something changed in recent Meteor versions with respect to the internal proxy. However, you should be aware that x-ip-chain is generated by meteor-headers (it's not an actual header from the client or proxy), and is made up of x-forwarded-for
and IP of the source of the connection to Meteor (a proxy, if one exists, or the client, if one doesn't. although now it seems one always does, and this might be a recent change).
To that end, taking the first value in x-ip-chain is exactly the same as taking the first value of x-forwarded-for. Your PR unfortunately creates a very dangerous situation where the client can pretend to be from any IP they like. You should just use a proxyCount of 1 for now, which is completely safe, and a lot easier than rewriting the code?
As I said, I will see if anything changed recently in Meteor that making this method behave incorrectly.
There were some changes in Meteor 0.7.1, and I've made some related and unrelated changes to meteor-headers in commit https://github.com/gadicohen/meteor-headers/commit/a655ef825cc14238f3811f666fff46740bdeb7b1 (setProxyCount()
is deprecated now in favour of HTTP_FORWARDED_COUNT environment varialbe).
Can you see how this affects the issues you described?
ok, It took me while but i have test it. to me this now works fine with your update! browsing my meteor application on my local ip through http://172.16.223.181:3000 with
headers.methodClientIP(self);
it returns correctly 172.16.223.181
and through http://localhost:3000 it returns 127.0.0.1 to me this solves the issue and you could close it.
and last, but not less important: THANK YOU, THANK YOU and THANK YOU ;)
Pleasure, glad you're up and working (belatedly) :)
Hello, I'm developing on my machine (ip: 172.16.223.175) a meteor application and I have added meteor-headers using mrt add headers
I have the following Meteor method:
if I invoke the meteor Method from localhost:3000 my outputs is
.which is reasonable... but if I access the application locally from http://172.16.223.175:3000, I receive
as you can see the headers.methodClientIP(this) returns 127.0.0.1
At the end, if I access the application from a different machine 172.16.223.135 i still receive the 127.0.0.1 using headers.methodClientIP(this):
The only way to get the correct ip, when accessing the application from the outside, even if don't use any proxy/load balancer is to use
which actually return a correct value:
additional info: meteor version: 0.7.1.2 meteor-headers version: 0.0.15
thank you