glpi-project / glpi-agent

GLPI Agent
GNU General Public License v2.0

httpd-trust behind proxy server not reading x_forwarded_for header #796

Closed 40417256 closed 1 week ago

40417256 commented 1 week ago

Bug reporting acknowledgment

Yes, I read it

Professional support

None

Describe the bug

An agent behind a proxy server will not read the x_forwarded_for header. Therefore a whitelisted client is not.

To reproduce

1) glpi agent latest with httpd-trust = 127.0.0.1,10.10.20.55 (this is the client pc)
2) wireshark capture -> https://glpi-agent.test.net/ refresh page
3) in capture there is x-forwarded-for: 10.10.20.55 source ip is the proxy ip (10.10.20.1) of course
4) on the agent web page, there is no Force an inventory link
5) modify httpd-trust = 127.0.0.1,10.10.20.1 (ip of the proxy)
6) refresh page, Force an inventory link is present however any client can now force an inventory

Expected behavior

The expected behaviour is for the web server to read x_forwarded_for header from the http request when present and honour httpd-trust with the x_forwarded_for ip address rather than the source address.

Operating system

Linux

GLPI Agent version

v1.11

GLPI version

10.0.16

GLPIInventory plugin or other plugin version

Not applicable

Additional context

No response

g-bougard commented 1 week ago

Hi @40417256

to be honest, your "To reproduce" list is not clear enough: you must enhance description of each step. Here you have at least 3 peers: a client, a proxy and a glpi server and you're not clear enough at least on that point.

40417256 commented 1 week ago

There is no glpi server involved, only an agent

Client1 (ip 1)-----------|
                         | Proxy server (ip 3)|--------------------- glpi agent (ip 4) httpd-trust = 127.0.0.1, ip 1 (ip of client1)
Client2 (ip 2)-----------|

There is no refresh link because the glpi agent uses the source packet which is always the proxy ip (ip 3)

Change to httpd-trust = 127.0.0.1, ip 3 (the ip of the proxy server) then the link appears for all clients (not the desired outcome).

The code must match httpd-trust = some ip, with the one from the header x_forwarded_for (that contains the real ip of the client) and not the source ip
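Added example, not part of the issue thread and not glpi-agent's own code: one way a listener could apply httpd-trust to a forwarded address, honouring X-Forwarded-For only when the connection itself comes from a configured proxy, since the header is client-supplied text. The `trusted_proxies` list and all function names are hypothetical; the addresses are those from the report plus a constructed second client (10.10.20.77).

```python
import ipaddress

def _in_any(addr, entries):
    """True if addr falls inside any address or CIDR range in entries."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def effective_client(peer_ip, xff_header, trusted_proxies):
    """Return the address to compare with httpd-trust, or None if unusable.

    The header is consulted only when the TCP peer is a known proxy;
    a direct client that sends X-Forwarded-For is judged by its own address.
    """
    if not xff_header or not _in_any(peer_ip, trusted_proxies):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: the rightmost hop that is not one of our proxies
    # is the last address a trusted proxy actually observed. Anything to
    # its left was supplied by that client and is ignored.
    for hop in reversed(hops):
        try:
            if not _in_any(hop, trusted_proxies):
                return hop
        except ValueError:
            return None  # malformed entry: fail closed
    return peer_ip  # chain contained only our own proxies

def is_trusted(peer_ip, xff_header, httpd_trust, trusted_proxies):
    """Apply the httpd-trust list to the effective client address."""
    client = effective_client(peer_ip, xff_header, trusted_proxies)
    return client is not None and _in_any(client, httpd_trust)

# Values from the report; PROXIES is a hypothetical separate setting.
TRUST = ["127.0.0.1", "10.10.20.55"]
PROXIES = ["10.10.20.1"]

if __name__ == "__main__":
    cases = [  # (peer, X-Forwarded-For) pairs, constructed for illustration
        ("10.10.20.1", "10.10.20.55"),               # whitelisted client via proxy
        ("10.10.20.1", "10.10.20.77"),               # other client via proxy
        ("10.10.20.77", "10.10.20.55"),              # direct peer sending the header
        ("10.10.20.1", "10.10.20.55, 10.10.20.77"),  # forged prefix, proxy appended
    ]
    for peer, xff in cases:
        print(peer, repr(xff), is_trusted(peer, xff, TRUST, PROXIES))
```

The proxy address stays out of the httpd-trust list here, so clients reaching the agent through it are not all granted access.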

g-bougard commented 1 week ago

Sorry, still not clear enough. I don't even understand what you're trying to do: forget one second the header problem you're speaking about and explain what you want to be able to do.

Also you're telling there's no glpi server but you spoke about a web server in the issue description. Were you speaking about glpi-agent httpd interface?

40417256 commented 1 week ago

Hello sir,

I believe that I am on the GitHub of the glpi-agent? And I do not know about any other agent part of the software suite?

g-bougard commented 1 week ago

Okay, I won't lose more time with this issue and irony is definitely not a good answer when maintainer requests you to clarify your purpose.

I'll be on vacation for a week. I leave you this time to open another issue with understandable information.