goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

x-forwarded-for support for logging true user IP #20367

Open XANi opened 6 months ago

XANi commented 6 months ago

As far as I looked, there is no option to enable using the IP in the x-forwarded-for header for access logs.

We use harbor behind a load balancer and only the load balancer IP gets logged. Security-wise it should probably only accept that header from whitelisted proxy IPs/networks.

MinerYang commented 6 months ago

Could you try to add the env TRUE_CLIENT_IP_HEADER in the harbor core configmap if it's installed via harbor-helm?

XANi commented 6 months ago

I assume by "core configmap" you mean harbor.yml and by adding env you mean adding

env:
  normal:
    TRUE_CLIENT_IP_HEADER: x-forwarded-for

to the end of the file? (I'm not very familiar with harbor)

If so, no, it doesn't work: I added it, then re-ran install.sh, but it still logs the proxy IP.

MinerYang commented 6 months ago

If you deploy by docker compose, would you try the following steps?

  1. stop the harbor instance
     docker compose down -v
  2. edit the common/config/core/env file by adding TRUE_CLIENT_IP_HEADER
     TRUE_CLIENT_IP_HEADER=xxx
  3. restart harbor
     docker compose up -d

XANi commented 6 months ago

Did not work

[09:50:51]d1-harbor:/opt/harbor-install/installer☠ cat common/config/core/env |grep x-forw
TRUE_CLIENT_IP_HEADER=x-forwarded-for

(I've also verified that traffic on the port does have that header in lowercase)

MinerYang commented 6 months ago

Oops, it is not being logged in the audit logs. We will follow this requirement in the future. Please monitor this PR https://github.com/goharbor/harbor/pull/19725

XANi commented 6 months ago

@MinerYang I don't know if this is the proper place to say it, but it really should have a second parameter with a list of allowed IPs/nets aside from "what header to use". Otherwise anything (not just the LB, which can ensure that the header is not faked) could send a request with XFF and a bogus IP in it.
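The allow-list check XANi asks for, as an added Go example (not Harbor's own code): the forwarded header is only honoured when the TCP peer is in a configured set of trusted proxy networks, and trusted hops inside the header are skipped so the logged address is the first one the proxies did not add themselves. The CIDRs, peer addresses and header values below are constructed.

```go
package main

import (
	"net"
	"strings"
)

// TrustedProxies is a constructed allow-list, the second setting XANi asks for
// beside TRUE_CLIENT_IP_HEADER: only these peers may supply the client address.
var TrustedProxies = []string{"10.0.0.0/8", "192.168.1.10/32"}

func isTrusted(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to log. remoteAddr is the TCP peer ("host:port")
// and header the received x-forwarded-for value, honoured only when the peer is
// a trusted proxy, so a client connecting directly cannot forge its logged IP.
func ClientIP(remoteAddr, header string, cidrs []string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port: treat the whole string as the host
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrusted(peer, cidrs) || strings.TrimSpace(header) == "" {
		return host
	}
	// The header reads "client, proxy1, proxy2": walk from the right, skip the
	// hops we trust, and take the first address we do not control.
	hops := strings.Split(header, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return host // malformed entry: fall back to the peer address
		}
		if !isTrusted(ip, cidrs) {
			return ip.String()
		}
	}
	return strings.TrimSpace(hops[0]) // every hop trusted: keep the leftmost
}

func main() {
	println(ClientIP("192.168.1.10:43210", "203.0.113.7", TrustedProxies)) // 203.0.113.7
}
```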