New HTTPServer.pm - Real IP no longer works

aychprox

Oct 27, 2015
Hi,

Previously I had

    if ($r->header('X-Forwarded-For')) {
        $reqstate->{peer_host} = $r->header('X-Forwarded-For');
    }

before the auth_handler in HTTPServer.pm to get the real IP from the reverse proxy.

Unfortunately the new HTTPServer.pm no longer works.
Any advice?
 
I am using a reverse proxy.
So for any brute-force attempt on the admin / user login, I can get the real IP at pve-proxy instead of getting the nginx reverse proxy IP.

user <-> nginx reverse proxy <-> proxmox node

The Proxmox node captures the failed-login log and triggers fail2ban to send a command to the nginx reverse proxy to drop the connection.

With the new HTTPServer.pm this doesn't work anymore, and the Proxmox node only logged the nginx LAN IP rather than the attacker IP.
 
If you mean that you previously had this patched into HTTPServer.pm, you will need to rebase your patch(es) - a big part of the code was factored into a new git repository/package: https://git.proxmox.com/?p=pve-http-server.git;a=summary
:confused: I am not a programmer ... no idea.
Since rpcenv changed to a subclass, this is something I need to learn in order to modify the following code to match the new HTTPServer.pm


    if ($r->header('X-Forwarded-For')) {
        $reqstate->{peer_host} = $r->header('X-Forwarded-For');
    }

Hopefully someone can work this out. ;)
 
Sorry for grave digging,

I'm having the exact same problem. I tried the above in HTTPServer.pm but then I saw that it didn't work anymore.
Does anyone know the proper solution to this?
Extra info: I'm using nginx as a reverse proxy and I wouldn't even know where to start to get it working.
 
Look at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1200ff
 
Hello,

I was facing the same issue...

Thank you @fabian, who pointed out where to look.

So inside /usr/share/perl5/PVE/APIServer/AnyEvent.pm:

    my ($rel_uri, $format) = &$split_abs_uri($path, $self->{base_uri});
    if (!$format) {
        $self->error($reqstate, HTTP_NOT_IMPLEMENTED, "no such uri");
        return;
    }

    # added block: take the client address from the reverse proxy header
    if ($request->header('X-Forwarded-For')) {
        $reqstate->{peer_host} = $request->header('X-Forwarded-For');
    }

    eval {
        $auth = $self->auth_handler(
            $method,
            $rel_uri,
            $ticket,
            $token,
            $api_token,
            $reqstate->{peer_host}
        );
    };

I added the text in red before the "eval" line 1484

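The patches in this thread copy X-Forwarded-For into peer_host unconditionally, so the value that ends up in the log and in front of fail2ban is whatever the header contains, including anything a client sent itself. An added example (not from the thread and not Proxmox code) that accepts the header only when the socket peer is the known proxy; `client_ip`, `is_ip` and all addresses are hypothetical, and it assumes nginx appends the client address with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# Assumption: LAN address of the nginx reverse proxy (constructed value).
my %TRUSTED = map { $_ => 1 } ('192.0.2.10');

# True if $s is a syntactically valid IPv4 or IPv6 address.
sub is_ip {
    my ($s) = @_;
    return 0 if !defined($s) || $s !~ /^[0-9A-Fa-f:.]{2,45}$/;
    my $ok = defined(inet_pton(AF_INET, $s)) || defined(inet_pton(AF_INET6, $s));
    return $ok ? 1 : 0;
}

# Address to log for a request: the socket peer, unless that peer is our proxy,
# in which case the right-most X-Forwarded-For entry that is not a proxy.
sub client_ip {
    my ($peer_host, $xff) = @_;
    # The peer may be reported in IPv4-mapped form (::ffff:a.b.c.d).
    (my $peer = $peer_host) =~ s/^::ffff:(?=\d+\.)//i;
    return $peer_host if !$TRUSTED{$peer} || !defined($xff);

    # Entries on the left come from the client and can be forged; the proxy
    # appends on the right, so walk the list from right to left.
    for my $hop (reverse split /,/, $xff) {
        (my $ip = $hop) =~ s/^\s+|\s+$//g;
        return $peer_host if !is_ip($ip);    # malformed: never log it
        return $ip if !$TRUSTED{$ip};
    }
    return $peer_host;                       # only proxies in the chain
}

# Constructed inputs: [socket peer, X-Forwarded-For value]
for my $case (
    ['::ffff:192.0.2.10', '203.0.113.7'],                # via proxy
    ['192.0.2.10',        '198.51.100.1, 203.0.113.7'],  # forged first entry
    ['198.51.100.9',      '127.0.0.1'],                  # direct, header ignored
    ['192.0.2.10',        'not-an-ip'],                  # malformed value
) {
    printf "%-18s %-26s -> %s\n", @$case, client_ip(@$case);
}
```

In a patch like the ones above, the return value of `client_ip($reqstate->{peer_host}, $request->header('X-Forwarded-For'))` would take the place of the direct assignment from the header.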
 
Not without recompiling the binaries (it's written in Rust). Feel free to file an enhancement request at https://bugzilla.proxmox.com , it might be doable as an opt-in feature that doesn't require manual patching ;)
 
