CMS Made Simple Forums
https://forum.cmsmadesimple.org/

[SOLVED] CMSMS behind proxy, client Ip and https
https://forum.cmsmadesimple.org/viewtopic.php?f=2&t=79820

Author:  atz6975 [ Tue Jan 15, 2019 1:08 am ]
Post subject:  [SOLVED] CMSMS behind proxy, client Ip and https

Hi,
just set up cmsms (2.2.8) behind haproxy.
Is there a way in config to specify a server variable ($_SERVER["HTTP_X_FORWARDED_FOR"]) or some custom function to retrieve the source client ip address?
The first usage would be to put the site in maintenance and second would be to get the right ip in forms.
In the same vein would be to detect https from header (X-Forward-Proto https) to work in https mode.
Recently I found hosting many cms sites behind proxy very convenient in order to manage Let's Encrypt SSL and various other aspects.
I could maybe try to modify the code in a dirty way, but probably it's worth discussing this a bit. I have not found any mention of this before or in modules.
Thanks for your ideas.

Author:  calguy1000 [ Tue Jan 15, 2019 1:16 am ]
Post subject:  Re: CMSMS behind proxy, client Ip and https

PHP $_SERVER variables are typically set as headers by the HTTP server or proxy engine. CMSMS reads them, there's no reason to need to set them in HTTPS.

I have never used haproxy, but a quick google for setting headers for haproxy found this:

https://serverfault.com/questions/722151/haproxy-how-to-append-client-ip-in-x-client-ip-and-x-forwarded-for-headers

Author:  atz6975 [ Tue Jan 15, 2019 1:45 am ]
Post subject:  Re: CMSMS behind proxy, client Ip and https

Hi, thx for taking the time.
I might have chosen a bad word... specify.
I was wondering how would CMSMS "know" where to look for the IP address because right now it doesn't look for it.
So "specifying" the $_SERVER (or as you rightfully mention, the header) variable name to look for was meant to "tell" CMSMS to look into those variables to get the end IP or the end protocol (https in that case and force the site to https if wanted...).
Most common HAproxy config sets these two headers:
- X-Forwarded-Proto to inform about the requested protocol (http or https)
- HTTP_X_FORWARDED_FOR to inform about the source ip list (chaining proxies... https://en.wikipedia.org/wiki/X-Forwarded-For)

This is not a real standard but tends to be the majority with HAproxy (AWS, OVH... IP load balancers).

Here is an example that is probably more thorough: https://www.chriswiegman.com/2014/05/ge ... dress-php/

Thanks.

Author:  atz6975 [ Tue Jan 15, 2019 2:04 am ]
Post subject:  [SOLVED] CMSMS behind proxy, client Ip and https

Own reply here.....You actually "attempt to retrieve the IP address...and attempt[s] to compensate for proxy servers" in get_real_ip() function.

Now I have to find why it doesn't work.

My guess is because you expect the ["REMOTE_ADDR"] to be empty when it is not (it is the proxy's address).

Does it make sense or does this help?
Let me know if I need to try something or write more here?

I think this is solved in my case.

Thanks.

Author:  calguy1000 [ Tue Jan 15, 2019 3:05 pm ]
Post subject:  Re: [SOLVED] CMSMS behind proxy, client Ip and https

We really only use the IP address for logging admin actions.
In our experience (not like we actively go out and test every version and configuration of multiple proxy engines)... only one of the HTTP headers was set containing a client IP address... so we only really had to find the non-empty one.

I suggest if you want to use this feature you remove the REMOTE_ADDR header in your proxy server setup.

For HTTPS we check $_SERVER['HTTPS'] to ensure that it is not empty and does not explicitly have the value 'off'.

Author:  atz6975 [ Wed Jan 16, 2019 3:34 pm ]
Post subject:  Re: [SOLVED] CMSMS behind proxy, client Ip and https

Sorry was sick.
The IP is used in forms and maintenance management, to my knowledge of CMSMS.
While the proxy allows me to set maintenance mode on IP also and can mitigate the issue, Form Builder gets fooled by the current client IP management and wrongfully reports the proxy IP.
Same would go for IP-based location services (if provided by standard CMSMS).

Probably by not assuming that Remote Address is empty we could make CMSMS work even more seamlessly on more proxies?

I'm ok to patch my CMSMS local code, so this is by no means something strategic or world bettering.

I could suggest some code in bug report if the team finds this worth their time?

Author:  atz6975 [ Thu Mar 07, 2019 9:11 pm ]
Post subject:  Re: [SOLVED] CMSMS behind proxy, client Ip and https

Hi dev Team,
please let me revive this topic as I checked last release code (2.2.10 mentioned some minor get_real_ip love...).
You still check for empty REMOTE_ADDR....too bad as this requires further configuration in proxies to empty it. I doubt it is an accountable practice.
I'm not sure why it would break your code to test for the presence of X_FORWARDED_FOR (because it is accountable as per all major proxies doc). But I don't have your experience and I'm grateful for CMSMS as it is.

However, this is moot in the case of maintenance because the is_sitedown() function didn't get all your love and still has hard coded reference to REMOTE_ADDR and fails to respect the exclude list values.

Hope this helps in making the behaviour consistent and maybe influence your code base in a constructive way.


Anyway, thank you for your attention.

Author:  atz6975 [ Thu Mar 21, 2019 9:46 pm ]
Post subject:  Re: CMSMS behind proxy, client Ip and https

For completion,
the CMS APP test for https_request also needs to test HTTP_X_FORWARDED_PROTO for 'https' presence.
One could set $_SERVER['HTTPS'] to "on" in index too. But not very elegant (same for REMOTE_ADDR).
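
The client-IP and HTTPS checks discussed in this thread, as an added example that is not part of any post and is not CMSMS code: X-Forwarded-For and X-Forwarded-Proto are honored only when REMOTE_ADDR is a known proxy, because any client connecting directly can send those headers itself. The function names and the proxy addresses in TRUSTED_PROXIES are assumptions made for illustration.

```php
<?php
// Added example, not CMSMS code. TRUSTED_PROXIES holds constructed sample
// addresses; client_ip() and is_https() are hypothetical helper names.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function from_trusted_proxy(array $server): bool
{
    return in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
}

function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Forwarded headers are honored only when the TCP peer is our own proxy.
    if (!from_trusted_proxy($server) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Walk the list right to left: the rightmost entries were added by our
    // proxies; the first address that is not one of them is the client.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remote;
}

function is_https(array $server): bool
{
    // Direct TLS: the test described in the thread (non-empty and not 'off').
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // TLS terminated at the proxy: accept X-Forwarded-Proto only from it.
    return from_trusted_proxy($server)
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Constructed sample requests: one through the proxy, one direct with forged headers.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'];
$direct = ['REMOTE_ADDR' => '203.0.113.99', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1', 'HTTP_X_FORWARDED_PROTO' => 'https'];
var_dump(client_ip($viaProxy), is_https($viaProxy));
var_dump(client_ip($direct), is_https($direct));
```

In the first sample the leftmost X-Forwarded-For entry is ignored because only the address added by the trusted proxy is attributable; in the second the forged headers have no effect on a maintenance exclude list or on HTTPS detection.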

All times are UTC