Ryan Smith created GUACAMOLE-838:
------------------------------------

Summary: Guacamole reports incorrect IP when X-Forwarded-For contains multiple addresses
Key: GUACAMOLE-838
URL: https://issues.apache.org/jira/browse/GUACAMOLE-838
Project: Guacamole
Issue Type: Bug
Components: guacamole-client
Affects Versions: 1.0.0
Environment:
    Guacamole version: 1.0.0
    Tomcat: tomcat-7.0.76-9.el7_6.noarch
    nginx: nginx-1.16.0-1.el7.ngx.x86_64
    OS: CentOS Linux release 7.6.1810 (Core)
Reporter: Ryan Smith

Somewhere in the ballpark of when I patched from a 0.9.14 release to 1.0.0, I noticed that my connection history was showing localhost instead of the real inbound IP address. Since I also patched my OS right about this point, I'm partial to blaming an Nginx update for the change. This might have been an issue in earlier versions. However, I believe there is still a bug to be fixed here.

My system has two reverse proxies in the chain before it gets to Guacamole:

{code:java}
Cloudflare ---[ Argo Tunnel ]---> Nginx ----> Tomcat
{code}

As such, with the current version of Nginx, the `X-Forwarded-For` header contains multiple values: the real IP that is trying to connect and the IPv6 localhost address the Argo is connecting from. In the Active Sessions and History view, Guacamole reports that the connecting IP is ::1, the final IP in the proxy chain, instead of the real IP that is connected to Cloudflare.

For testing purposes, this type of setup could probably be emulated with two nginx reverse proxies running on the same node.

Would it be possible to update this behavior to reflect the real IP in a chain containing multiple proxies?

Second, in terms of security auditing, since the info is available, would it be possible to also log the full proxy path of a request?
(I can open this second part as a separate feature request if you want)

Additional info: I did a bit of sleuthing using netcat and procured an example of what the headers look like in my path.

The request that Tomcat receives from nginx (a.b.c.d is the IP I am testing from):

{code:java}
GET /guacamole-1.0.0/ HTTP/1.1
X-Forwarded-For: a.b.c.d, ::1
Connection: keep-alive
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Cdn-Loop: cloudflare
Cf-Connecting-Ip: a.b.c.d
Cf-Ipcountry: US
Cf-Ray: xxxxxxxxxxxxxxx-xxx
Cf-Visitor: {"scheme":"https"}
Cf-Warp-Tag-Id: [redacted]
Cookie: __cfduid=[redacted]
Dnt: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-Proto: https
{code}

The request that nginx receives from Cloudflare Argo Tunnel:

{code:java}
GET / HTTP/1.1
Host: guac.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Cdn-Loop: cloudflare
Cf-Connecting-Ip: a.b.c.d
Cf-Ipcountry: US
Cf-Ray: xxxxxxxxxxxxxxx-xxx
Cf-Visitor: {"scheme":"https"}
Cf-Warp-Tag-Id: [redacted]
Connection: keep-alive
Cookie: __cfduid=[redacted]; cf_use_ob=0
Dnt: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: a.b.c.d
X-Forwarded-Proto: https
{code}
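
Added example, not part of the original report and not Guacamole's code: one way to pick the client address from a multi-valued `X-Forwarded-For` and keep the proxy path for audit logging, walking the header right to left and skipping proxies you operate. The trusted-proxy list, the function names and the sample addresses (203.0.113.7 standing in for a.b.c.d) are assumptions; the second sample assumes the upstream proxies append to a header the client supplied.

```python
import ipaddress

# Assumption: only loopback proxies (nginx and the Argo Tunnel daemon on the
# same host) are trusted to append honestly to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]

def is_trusted(addr):
    """True if addr belongs to a proxy we operate (version mismatch -> False)."""
    return any(addr in net for net in TRUSTED_PROXIES)

def parse_xff(header):
    """Split an X-Forwarded-For value into addresses; None marks a bad token."""
    hops = []
    for token in header.split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            hops.append(None)
    return hops

def resolve_client(peer, xff):
    """Return (client_ip, proxy_path) for a request.

    peer is the TCP peer address the app server saw; xff is the raw header
    value or None. proxy_path lists trusted hops, nearest first.
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header from an untrusted peer is client-controlled: ignore it.
    if not xff or not is_trusted(peer_addr):
        return str(peer_addr), []
    path = [peer_addr]
    # Walk right to left: the rightmost entries were added by our own proxies.
    for hop in reversed(parse_xff(xff)):
        if hop is None:
            break  # malformed entry: nothing further left can be relied on
        if not is_trusted(hop):
            return str(hop), [str(p) for p in path]
        path.append(hop)
    # Every parsable hop was trusted: report the farthest one as the client.
    return str(path[-1]), [str(p) for p in path[:-1]]

# Constructed samples; 203.0.113.7 stands in for the report's a.b.c.d.
if __name__ == "__main__":
    print(resolve_client("127.0.0.1", "203.0.113.7, ::1"))
    print(resolve_client("127.0.0.1", "10.9.9.9, 203.0.113.7, ::1"))
```

Taking the leftmost entry instead would return `10.9.9.9` for the second sample, a value the client chose, which is why the walk stops at the first hop that is not one of your own proxies.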