You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When accessing the OPNsense WebGui via an reverse proxy the audit log contains the proxy IP address, not the client IP.
`
This is a Request via the reverse proxy on 127.0.0.1:
2024-11-25T22:30:56 | Notice | audit | /index.php: Successful login for user 'root' from: 127.0.0.1
This is a request from the same client to the WebGui directly:
2024-11-25T22:31:24 | Notice | audit | /index.php: Successful login for user 'root' from: 192.168.10.1
`
Minimal example setup:
Client --> Caddy Reverse Proxy on OPNsense (os-caddy) on :443 --> OPNsense on :8443
The issue is based on the fact, that we use $_SERVER['REMOTE_ADDR'] in the authgui.inc everywhere:
auth_log(sprintf("Successful login for user '%s' from: %s", $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']), LOG_NOTICE);
I couldn't find an older version handling that different, so it seems this behavour is there forever.
According to this link below we could use HTTP_X_FORWARDED_FOR to get the real client's address. Caddy should already forward this. Only if this is empty we could fallback to REMOTE_ADDR. This should be the right value for 'trusted proxies'.
My final use case would be CrowdSec to be able to block the original client, which therefore must be known in the audit logs.
To Reproduce
Steps to reproduce the behavior:
Go to 'System - Settings - Administration - Web Gui', configure "TCP Port" to 8443, and "HTTP Redirect" to disabled/checked, Alternate host names to the domain used to access the web UI (see 4.)
Go to 'System - Firmware - Plugins', istall os-caddy
Go to 'Services - Caddy Web Server - General', enable Caddy
Go to 'Services - Caddy Web Server - Domains', add a domain which points to the firewall (don't know if you could just use the IP address, that should be possible)
Go to 'Services - Caddy Web Server - HTTP Handlers', add a handler for the domain to Protocol https, Upstream Domain 127.0.0.1, Upstream Port 8443, and to make things easy here set the Checkbox for disable TLS Insecure Skip Verify.
If accessing from WAN, add a firewall rule to allow 443/TCP
Audit log shows 127.0.0.1 instead of your client IP.
Expected behavior
For a setup behind a reverse proxy we should have the client IP address in the audit logs.
Describe alternatives you considered
Two thoughts:
It may be an option to show both addresses (if they are set and differ). Then the log could look like: '/index.php: Successful login for user 'root' from: 192.168.10.1, via: 127.0.0.1'. This may require some follow up work on Crowdsec to recognize this, but it may be worth the effort.
we must have a list of trusted proxies in 'System - Settings - Administration - Web Gui'. Only if a host is in that list we trust and use HTTP_X_FORWARDED_FOR.
Screenshots
Configuration in System
Configuration in Services - Caddy Web Server (3 Screenshots)
I did use the self signed cert in trust pool instead of 'TLS Insecure Skip Verify':
Relevant log files
`
This is a Request via the reverse proxy on 127.0.0.1:
2024-11-25T22:30:56 | Notice | audit | /index.php: Successful login for user 'root' from: 127.0.0.1
This is a request from the same client to the WebGui directly:
2024-11-25T22:31:24 | Notice | audit | /index.php: Successful login for user 'root' from: 192.168.10.1
`
we must have a list of trusted proxies in 'System - Settings - Administration - Web Gui'. Only if a host is in that list we trust and use HTTP_X_FORWARDED_FOR.
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
When accessing the OPNsense WebGui via an reverse proxy the audit log contains the proxy IP address, not the client IP.
`
This is a Request via the reverse proxy on 127.0.0.1:
2024-11-25T22:30:56 | Notice | audit | /index.php: Successful login for user 'root' from: 127.0.0.1
This is a request from the same client to the WebGui directly:
2024-11-25T22:31:24 | Notice | audit | /index.php: Successful login for user 'root' from: 192.168.10.1
`
Minimal example setup:
Client --> Caddy Reverse Proxy on OPNsense (os-caddy) on :443 --> OPNsense on :8443
The issue is based on the fact, that we use $_SERVER['REMOTE_ADDR'] in the authgui.inc everywhere:
core/src/www/authgui.inc
Line 184 in 669a602
I couldn't find an older version handling that different, so it seems this behavour is there forever.
According to this link below we could use HTTP_X_FORWARDED_FOR to get the real client's address. Caddy should already forward this. Only if this is empty we could fallback to REMOTE_ADDR. This should be the right value for 'trusted proxies'.
https://stackoverflow.com/a/4594873
My final use case would be CrowdSec to be able to block the original client, which therefore must be known in the audit logs.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
For a setup behind a reverse proxy we should have the client IP address in the audit logs.
Describe alternatives you considered
Two thoughts:
Screenshots
Configuration in System
Configuration in Services - Caddy Web Server (3 Screenshots)
I did use the self signed cert in trust pool instead of 'TLS Insecure Skip Verify':
Relevant log files
`
This is a Request via the reverse proxy on 127.0.0.1:
2024-11-25T22:30:56 | Notice | audit | /index.php: Successful login for user 'root' from: 127.0.0.1
This is a request from the same client to the WebGui directly:
2024-11-25T22:31:24 | Notice | audit | /index.php: Successful login for user 'root' from: 192.168.10.1
`
Additional context
https://stackoverflow.com/a/4594873
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
Environment
OPNsense 24.7.9_1-amd64.
The text was updated successfully, but these errors were encountered: