Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure that if present the HTTP_X_FORWARDED_FOR IP address is used in… #14833

Merged
merged 1 commit into from
Jul 24, 2019
Merged

Ensure that if present the HTTP_X_FORWARDED_FOR IP address is used in… #14833

merged 1 commit into from
Jul 24, 2019

Conversation

seamuslee001
Copy link
Contributor

…stead of the SERVER_ADDR when logging items from the IDS

Overview

This ensures that if present we use the HTTP_X_FORWARDED_FOR address as that is generally more accurate if behind a load balancer than SERVER_ADDR

Before

the SERVER_ADDR is always used even if behind a load balancer

After

The SERVER_ADDR is used only if we can't use HTTP_X_FORWARDED_FOR

https://www.chriswiegman.com/2014/05/getting-correct-ip-address-php

@civibot
Copy link

civibot bot commented Jul 16, 2019

(Standard links)

@civibot civibot bot added the master label Jul 16, 2019
@totten
Copy link
Member

totten commented Jul 16, 2019

(1) Isn't there a bit of a snag with X-Forwarded-For?

  • If the httpd is behind a firewall, then do use X-Forwarded-For.
  • If the httpd is not behind a firewall, then do not use X-Forwarded-For (even if it's given - because it can be given fraudulently).

For example, in Drupal, settings.php exposes a bunch of reverse_proxy settings -- I think that's because you can't determine the "true" IP without knowing more context about the deployment environment.

(2) OTOH... For purposes of CRM_Core_IDS::log()... maybe we don't need the "true" IP? Logs provide data for future forensics, and IDS::log() is specifically for suspicious requests. If the request is suspicious, then recording both SERVER_ADDR and HTTP_X_FORWARDED_FOR might be better support for those future forensics?

@seamuslee001
Copy link
Contributor Author

@totten maybe looking at the IDS it uses REMOTE_ADDR instead of SERVER_ADDR (which actually seems to make more sense) and also appends the HTTP_X_FORWARD_FOR if present https://github.com/civicrm/civicrm-packages/blob/master/IDS/Log/Email.php#L167

@totten
Copy link
Member

totten commented Jul 17, 2019

@seamuslee001 oh, yeah, that is a nice pattern. Seems sensible for CRM_Core_IDS::log() to use the same IP pattern as IDS_Log_Email.

@seamuslee001
Ensure that if present the HTTP_X_FORWARDED_FOR IP address is used in…
e7ecda7 
…stead of the SERVER_ADDR when logging items from the IDS

Update Core IP address to match IDS Pattern
@seamuslee001 seamuslee001 force-pushed the ids_ip_logging_improvements branch from 3d98987 to e7ecda7 Compare July 20, 2019 22:52
@seamuslee001
Copy link
Contributor Author

@totten have updated now

@totten totten merged commit f4e89ad into civicrm:master Jul 24, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
master
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@seamuslee001 @totten