• twitter image
  • facebook image
  • youtube image
  • linkedin image
Language: CMS Made Simple Czech CMS Made Simple France CMS Made Simple Spain CMS Made Simple Hungary CMS Made Simple Russia CMS Made Simple Netherlands

All times are UTC




Post new topic Reply to topic  [ 8 posts ] 
Author Message
 Post subject: [SOLVED] CMSMS behind proxy, client Ip and https
PostPosted: Tue Jan 15, 2019 1:08 am 
Offline
Forum Members
Forum Members

Joined: Thu Jan 14, 2010 4:43 pm
Posts: 30
Hi,
just setup cmsms (2.2.8 ) behind haproxy.
Is there a way in config to specify a server variable ($_SERVER["HTTP_X_FORWARDED_FOR"]) or some custom function to retrieve the source client ip address?
The first usage would be to put the site in maintenance and second would be to get the right ip in forms.
In the same vain would be to detect https from header (X-Forward-Proto https) to work in https mode.
Recently I found hosting many cms sites behind proxy very convenient in order to manage let's encrypt ssl and various other aspects.
I could maybe try to modify the code in a dirty way, but probably it's worth discussing this a bit. I have not found any mention of this before or in modules.
Thanks for your ideas.


Last edited by atz6975 on Tue Jan 15, 2019 2:05 am, edited 1 time in total.

Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: CMSMS behind proxy, client Ip and https
PostPosted: Tue Jan 15, 2019 1:16 am 
Offline
Dev Team Member
Dev Team Member
User avatar

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 8131
Location: Fernie British Columbia, Canada
PHP $_SERVER variables are typically set as headers by the HTTP server or proxy engine. CMSMS reads them, there's no reason to need to set them in HTTPS.

I have never used haproxy, but a quick google for setting headers for haproxy found this:

https://serverfault.com/questions/722151/haproxy-how-to-append-client-ip-in-x-client-ip-and-x-forwarded-for-headers

_________________
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: CMSMS behind proxy, client Ip and https
PostPosted: Tue Jan 15, 2019 1:45 am 
Offline
Forum Members
Forum Members

Joined: Thu Jan 14, 2010 4:43 pm
Posts: 30
Hi, thx for taking the time.
I might have chosen bad word...specify.
I was wondering how would CMSMS "know" where to look for the IP address because right now it doesn't look for it.
So "specifying" the $_SERVER (or as you rightfully mention, the header) variable name to look for was meant to "tell" CMSMS to look into those variables to get the end IP or the end protocol (https in that case and force the site to https if wanted...).
Most common HAproxy config sets these two headers :
- X-Forwarded-Proto to inform about the requested protocol (http or https)
- HTTP_X_FORWARDED_FOR to inform about the source ip list (chaining proxys...https://en.wikipedia.org/wiki/X-Forwarded-For)

These is not a real standard but tends to be majority with HAproxy (AWS, OVH....ip loadbalancers).

Here is some exemple that is more thorough probably : https://www.chriswiegman.com/2014/05/ge ... dress-php/

Thanks.


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: [SOLVED] CMSMS behind proxy, client Ip and https
PostPosted: Tue Jan 15, 2019 2:04 am 
Offline
Forum Members
Forum Members

Joined: Thu Jan 14, 2010 4:43 pm
Posts: 30
Own reply here.....You actually "attempt to retrieve the IP address...and attempt[s] to compensate for proxy servers" in get_real_ip() function.

Now I have to find why it doesn't work.

My guess is because you expect the ["REMOTE_ADDR"], to be empty, when it is not (it is the proxy's address).

Does it make sense or does this help?
Let me know if I need to try something or write more here?

I think this is solved in my case.

Thanks.


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: [SOLVED] CMSMS behind proxy, client Ip and https
PostPosted: Tue Jan 15, 2019 3:05 pm 
Offline
Dev Team Member
Dev Team Member
User avatar

Joined: Tue Oct 19, 2004 6:44 pm
Posts: 8131
Location: Fernie British Columbia, Canada
We really only use the IP address for logging admin actions.
In our experience (not like we actively go out and test every version and configuration of multiple proxy engines)... only one of the HTTP headers was set containing a client IP address... so we only really had to find the non-empty one.

I suggest if you want to use this feature you remove the REMOTE_ADDR header in your proxy server setup.

For HTTPS we check $_SERVER['HTTPS'] to ensure that it is not empty and does not explicitly have the value 'off'.

_________________
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: [SOLVED] CMSMS behind proxy, client Ip and https
PostPosted: Wed Jan 16, 2019 3:34 pm 
Offline
Forum Members
Forum Members

Joined: Thu Jan 14, 2010 4:43 pm
Posts: 30
Sorry was sick.
The IP is used in forms and maintenance management in my knowledge of CMSMS.
While the proxy allows me to set maintenance mode on IP also and can mitigate the issue, Form Builder gets fooled by the current client IP management and wrongfully reports the proxy IP.
Same would go for IP base location services (if provided by standard CMSMS)

Probably by not assuming that Remote Address is empty we could make CMSMS work even more seamlessly on more proxys?

I'm ok to patch my CMSMS local code, so this is by no mean something strategic or world bettering.

I could suggest some code in bug report if the team finds this worth their time?


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: [SOLVED] CMSMS behind proxy, client Ip and https
PostPosted: Thu Mar 07, 2019 9:11 pm 
Offline
Forum Members
Forum Members

Joined: Thu Jan 14, 2010 4:43 pm
Posts: 30
Hi dev Team,
please let me revive this topic as I checked last release code (2.2.10 mentioned some minor get_real_ip love...).
You still check for empty REMOTE_ADDR....too bad as this requires further configuration in proxies to empty it. I doubt it is an accountable practice.
I'm not sure why it would break you code to test for the presence of X_FORWARDED_FOR (because it is accountable as per all major proxies doc). But I don't have your experience and I'm grateful for CMSMS as it is.

However, this is moot in the case of maintenance because the is_sitedown() function didn't get all your love and still has hard coded reference to REMOTE_ADDR and fails to respect the exclude list values.

Hope this helps in making the behaviour consistent and maybe influence your code base in a constructive way.


Anyway, thank you for your attention.


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
 Post subject: Re: CMSMS behind proxy, client Ip and https
PostPosted: Thu Mar 21, 2019 9:46 pm 
Offline
Forum Members
Forum Members

Joined: Thu Jan 14, 2010 4:43 pm
Posts: 30
For completion,
the CMS APP test for https_request also needs to test HTTP_X_FORWARDED_PROTO for 'https' presence.
One could set $SERVER['HTTPS'] to "on" in index too. But not very elegant (same for REMOTE_ADDR).


Top
  Profile  
 
Share On:
Share on Facebook Share on Twitter Share on Google+
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC


Who is online

Users browsing this forum: No registered users


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Hosting Nation - Managed CMSMS Hosting