[SOLVED] CMSMS behind proxy, client Ip and https

atz6975
Forum Members
Posts: 34
Joined: Thu Jan 14, 2010 4:43 pm

[SOLVED] CMSMS behind proxy, client Ip and https

Post by atz6975 »

Hi,
just set up CMSMS (2.2.8) behind HAProxy.
Is there a way in config to specify a server variable ($_SERVER["HTTP_X_FORWARDED_FOR"]) or some custom function to retrieve the source client ip address?
The first usage would be to put the site in maintenance and second would be to get the right ip in forms.
In the same vein would be to detect https from header (X-Forward-Proto https) to work in https mode.
Recently I found hosting many CMS sites behind a proxy very convenient in order to manage Let's Encrypt SSL and various other aspects.
I could maybe try to modify the code in a dirty way, but probably it's worth discussing this a bit. I have not found any mention of this before or in modules.
Thanks for your ideas.
Last edited by atz6975 on Tue Jan 15, 2019 2:05 am, edited 1 time in total.
calguy1000
Support Guru
Posts: 8169
Joined: Tue Oct 19, 2004 6:44 pm
Location: Fernie British Columbia, Canada

Re: CMSMS behind proxy, client Ip and https

Post by calguy1000 »

PHP $_SERVER variables are typically set as headers by the HTTP server or proxy engine. CMSMS reads them, there's no reason to need to set them in HTTPS.

I have never used haproxy, but a quick google for setting headers for haproxy found this:

https://serverfault.com/questions/72215 ... or-headers
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.

Re: CMSMS behind proxy, client Ip and https

Post by atz6975 »

Hi, thx for taking the time.
I might have chosen a bad word... specify.
I was wondering how CMSMS would "know" where to look for the IP address, because right now it doesn't look for it.
So "specifying" the $_SERVER (or, as you rightfully mention, the header) variable name to look for was meant to "tell" CMSMS to look into those variables to get the end IP or the end protocol (https in that case, and force the site to https if wanted...).
The most common HAProxy config sets these two headers:
- X-Forwarded-Proto to inform about the requested protocol (http or https)
- HTTP_X_FORWARDED_FOR to inform about the source IP list (chaining proxies... https://en.wikipedia.org/wiki/X-Forwarded-For)

This is not a real standard but tends to be the majority with HAProxy (AWS, OVH... IP load balancers).

Here is an example that is probably more thorough: https://www.chriswiegman.com/2014/05/ge ... dress-php/

Thanks.

[SOLVED] CMSMS behind proxy, client Ip and https

Post by atz6975 »

Own reply here... You actually "attempt to retrieve the IP address...and attempt to compensate for proxy servers" in the get_real_ip() function.

Now I have to find why it doesn't work.

My guess is because you expect the ["REMOTE_ADDR"] to be empty, when it is not (it is the proxy's address).

Does it make sense or does this help?
Let me know if I need to try something or write more here?

I think this is solved in my case.

Thanks.

Re: [SOLVED] CMSMS behind proxy, client Ip and https

Post by calguy1000 »

We really only use the IP address for logging admin actions.
In our experience (not like we actively go out and test every version and configuration of multiple proxy engines)... only one of the HTTP headers was set containing a client IP address... so we only really had to find the non-empty one.

I suggest if you want to use this feature you remove the REMOTE_ADDR header in your proxy server setup.

For HTTPS we check $_SERVER['HTTPS'] to ensure that it is not empty and does not explicitly have the value 'off'.

Re: [SOLVED] CMSMS behind proxy, client Ip and https

Post by atz6975 »

Sorry, I was sick.
The IP is used in forms and maintenance management, to my knowledge of CMSMS.
While the proxy allows me to set maintenance mode on IP also and can mitigate the issue, Form Builder gets fooled by the current client IP management and wrongfully reports the proxy IP.
The same would go for IP-based location services (if provided by standard CMSMS).

Probably by not assuming that Remote Address is empty we could make CMSMS work even more seamlessly on more proxies?

I'm OK to patch my CMSMS local code, so this is by no means something strategic or world bettering.

I could suggest some code in bug report if the team finds this worth their time?

Re: [SOLVED] CMSMS behind proxy, client Ip and https

Post by atz6975 »

Hi dev Team,
please let me revive this topic, as I checked the last release code (2.2.10 mentioned some minor get_real_ip love...).
You still check for empty REMOTE_ADDR... too bad, as this requires further configuration in proxies to empty it. I doubt it is an accountable practice.
I'm not sure why it would break your code to test for the presence of X_FORWARDED_FOR (because it is accountable as per all major proxies' docs). But I don't have your experience and I'm grateful for CMSMS as it is.

However, this is moot in the case of maintenance, because the is_sitedown() function didn't get all your love and still has a hard-coded reference to REMOTE_ADDR and fails to respect the exclude list values.

Hope this helps in making the behaviour consistent and maybe influence your code base in a constructive way.


Anyway, thank you for your attention.

Re: CMSMS behind proxy, client Ip and https

Post by atz6975 »

For completion,
the CMS APP test for https_request also needs to test HTTP_X_FORWARDED_PROTO for 'https' presence.
One could set $_SERVER['HTTPS'] to "on" in index too. But that is not very elegant (same for REMOTE_ADDR).
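
The two checks discussed in this thread, as an added example that is not CMSMS code and not part of any post: the forwarded headers are honoured only when REMOTE_ADDR is a known proxy, because a client connecting directly can send any X-Forwarded-For or X-Forwarded-Proto value it likes. TRUSTED_PROXIES, from_trusted_proxy(), client_ip() and is_https_request() are hypothetical names, and the addresses are constructed.

```php
<?php
// Added example, not CMSMS code. All names here are hypothetical and
// 10.0.0.5 stands in for the HAProxy address (constructed value).
const TRUSTED_PROXIES = ['10.0.0.5', '127.0.0.1'];

function from_trusted_proxy(array $server): bool
{
    return in_array($server['REMOTE_ADDR'] ?? '', TRUSTED_PROXIES, true);
}

// Client IP: REMOTE_ADDR unless the peer is our proxy; then the right-most
// X-Forwarded-For entry that is not itself a trusted proxy. Entries further
// left were supplied by the client and can be forged.
function client_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!from_trusted_proxy($server) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;            // malformed header: fall back to the peer
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// HTTPS: the native check described in the thread, plus X-Forwarded-Proto
// only when the request really came through the trusted proxy.
function is_https_request(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return from_trusted_proxy($server)
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Constructed sample requests: one through the proxy, one direct with forged headers.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
             'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 203.0.113.7'];
$direct   = ['REMOTE_ADDR' => '203.0.113.50', 'HTTP_X_FORWARDED_PROTO' => 'https',
             'HTTP_X_FORWARDED_FOR' => '192.0.2.1'];
var_dump(client_ip($viaProxy), is_https_request($viaProxy));
var_dump(client_ip($direct), is_https_request($direct));
```

The same client_ip() result would need to feed both the admin log and the maintenance-mode exclude list for the behaviour to be consistent.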