Ryan Smith created GUACAMOLE-838:
------------------------------------
Summary: Guacamole reports incorrect IP when X-Forwarded-For
contains multiple addresses
Key: GUACAMOLE-838
URL: https://issues.apache.org/jira/browse/GUACAMOLE-838
Project: Guacamole
Issue Type: Bug
Components: guacamole-client
Affects Versions: 1.0.0
Environment: Guacamole version: 1.0.0
Tomcat: tomcat-7.0.76-9.el7_6.noarch
nginx: nginx-1.16.0-1.el7.ngx.x86_64
OS: CentOS Linux release 7.6.1810 (Core)
Reporter: Ryan Smith
Somewhere in the ballpark of when I patched from an 0.9.14 release to 1.0.0, I
noticed that my connection history was showing localhost instead of the real
inbound IP address. Since I also patched my OS right about this point, I'm
partial to blaming an Nginx update for the change. This might have been an
issue in earlier versions. However, I believe there is still a bug to be fixed
here.
My system has two reverse proxies in the chain before it gets to Guacamole:
{code:java}
Cloudflare ---[ Argo Tunnel ]---> Nginx ----> Tomcat
{code}
As such, with the current version of Nginx, the `X-Forwarded-For` header
contains multiple values: the real IP that is trying to connect and the IPv6
localhost address the Argo connecting from. In the Active Sessions and History
view, Guacamole reports that the connecting IP is ::1, the final IP in the
proxy chain, instead of the real IP that is connected to Cloudflare.
For testing purposes, this type of setup could probably be emulated with two
nginx reverse proxies running on the same node.
Would it be possible to update this behavior to reflect the real IP in a chain
containing multiple proxies? Second, in terms of security auditing, since the
info is available, would it be possible to also log the full proxy path of a
request? (I can open this second part as a separate feature request if you want)
Additional info:
I did a bit of sleuthing using netcat and procured an example of what the
headers look like in my path
The request that Tomcat receives from nginx: (a.b.c.d is the IP I am testing
from)
{code:java}
GET /guacamole-1.0.0/ HTTP/1.1
X-Forwarded-For: a.b.c.d, ::1
Connection: keep-alive
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Cdn-Loop: cloudflare
Cf-Connecting-Ip: a.b.c.d
Cf-Ipcountry: US
Cf-Ray: xxxxxxxxxxxxxxx-xxx
Cf-Visitor: {"scheme":"https"}
Cf-Warp-Tag-Id: [redacted]
Cookie: __cfduid=[redacted]
Dnt: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-Proto: https
{code}
The request that nginx receives from Cloudflare Argo Tunnel:
{code:java}
GET / HTTP/1.1
Host: guac.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Cdn-Loop: cloudflare
Cf-Connecting-Ip: a.b.c.d
Cf-Ipcountry: US
Cf-Ray: xxxxxxxxxxxxxxx-xxx
Cf-Visitor: {"scheme":"https"}
Cf-Warp-Tag-Id: [redacted]
Connection: keep-alive
Cookie: __cfduid=[redacted]; cf_use_ob=0
Dnt: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: a.b.c.d
X-Forwarded-Proto: https
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
