Real IP recognition over proxy

sponnusa / shellinabox

Automatically exported from code.google.com/p/shellinabox

Other

0 stars 0 forks source link

Real IP recognition over proxy #54

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago

I use shellinabox (and find it really great) through nginx, and noticed that in 
logs the remote host 
appears as 127.0.0.1, because the connection is proxied (the values are the 
real ones when i access 
it directly)

It woud be nice to have "X-Forwarded-For" or "X-Real-IP" headers read by 
shellinabox, so the 
remote host address would get the actual values.

Also, when using SSH service for authentication the remote address is also 
localhost, but I suppose 
that's an unsolvable issue. I hope I'm wrong, though.

Original issue reported on code.google.com by marpi...@gmail.com on 27 Feb 2010 at 11:05

GoogleCodeExporter commented 8 years ago

I second that motion, currently you can't apply the same security rules to 
shellinabox 
that applies to the SSH daemon.

Original comment by ahve...@gmail.com on 25 Mar 2010 at 10:20

GoogleCodeExporter commented 8 years ago

This is big problem for me. I would like to see real addresses for SSH sessions.

Original comment by stanisla...@gmail.com on 8 Dec 2011 at 11:59

GoogleCodeExporter commented 8 years ago

Sounds like a reasonable request.  Patches welcome.

Original comment by beewoo...@gmail.com on 31 Mar 2012 at 7:52

Changed state: Accepted

GoogleCodeExporter commented 8 years ago

This one has been sitting for quite sometime now...  Has anybody submitted a 
patch, or has been it added to a current version of Shell-in-a-box?

Original comment by kveron...@gmail.com on 2 Feb 2014 at 2:44

GoogleCodeExporter commented 8 years ago

Any hints on where it reads the IP address in the code, been searching all 
morning for the header data and can't seem to find a spot that reads 
remote-addr at all.

Original comment by ELyn...@gmail.com on 19 Oct 2014 at 2:51

GoogleCodeExporter commented 8 years ago

5 years now... 13 visitors have 'starred' this as a request, and probably 
countless others (especially those running fail2ban that can't properly 
identify the connecting server ip...).

I second (or third, or 6th...) the motion.

I really like SIAB, but this would be more secure with the ability to resolve 
that connecting IP through a proxy.

Thanks for listening.

Original comment by david.c....@gmail.com on 26 Apr 2015 at 12:27

GoogleCodeExporter commented 8 years ago

Unfortanely this project is not actively maintained and Google Code will 
shutdown soon. Because of this we created a fork on Github: 
https://github.com/shellinabox/shellinabox

I will try to solve this issue on our fork in the near future.

As stated in first comment it would be possible to get real IP from "X-Real-IP" 
or "X-Forwarded-For" HTTP header data. Than we could use this IP with -h 
parameter for LOGIN service. But for SSH service, I think that it is imposible 
to do that.

For general solution I was thinking that logging to file could be implemented. 
Maybe user could activate this feature with command line option for log file 
path. It should be also possible to rotate the file etc...

Any thoughts? We can continue our discussion here: 
https://github.com/shellinabox/shellinabox/issues/54

Original comment by luka.kra...@gmail.com on 29 Apr 2015 at 8:42