[
https://issues.apache.org/jira/browse/GUACAMOLE-838?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Couchman closed GUACAMOLE-838.
-----------------------------------
Resolution: Invalid
Glad you got it resolved [~computergeek125].
> Guacamole reports incorrect IP when X-Forwarded-For contains multiple
> addresses
> -------------------------------------------------------------------------------
>
> Key: GUACAMOLE-838
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-838
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-client
> Affects Versions: 1.0.0
> Environment: Guacamole version: 1.0.0
> Tomcat: tomcat-7.0.76-9.el7_6.noarch
> nginx: nginx-1.16.0-1.el7.ngx.x86_64
> OS: CentOS Linux release 7.6.1810 (Core)
> Reporter: Ryan S
> Priority: Minor
> Labels: security
>
> Somewhere in the ballpark of when I patched from an 0.9.14 release to 1.0.0,
> I noticed that my connection history was showing localhost instead of the
> real inbound IP address. Since I also patched my OS right about this point,
> I'm partial to blaming an Nginx update for the change. This might have been
> an issue in earlier versions. However, I believe there is still a bug to be
> fixed here.
> My system has two reverse proxies in the chain before it gets to Guacamole:
> {code:java}
> Cloudflare ---[ Argo Tunnel ]---> Nginx ----> Tomcat
> {code}
> As such, with the current version of Nginx, the `X-Forwarded-For` header
> contains multiple values: the real IP that is trying to connect and the IPv6
> localhost address the Argo connecting from. In the Active Sessions and
> History view, Guacamole reports that the connecting IP is ::1, the final IP
> in the proxy chain, instead of the real IP that is connected to Cloudflare.
> For testing purposes, this type of setup could probably be emulated with two
> nginx reverse proxies running on the same node.
> Would it be possible to update this behavior to reflect the real IP in a
> chain containing multiple proxies? Second, in terms of security auditing,
> since the info is available, would it be possible to also log the full proxy
> path of a request? (I can open this second part as a separate feature request
> if you want)
> Additional info:
> I did a bit of sleuthing using netcat and procured an example of what the
> headers look like in my path
> The request that Tomcat receives from nginx: (a.b.c.d is the IP I am testing
> from)
> {code:java}
> GET /guacamole-1.0.0/ HTTP/1.1
> X-Forwarded-For: a.b.c.d, ::1
> Connection: keep-alive
> Host: 127.0.0.1:8080
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
> Accept-Encoding: gzip
> Accept-Language: en-US,en;q=0.9
> Cache-Control: max-age=0
> Cdn-Loop: cloudflare
> Cf-Connecting-Ip: a.b.c.d
> Cf-Ipcountry: US
> Cf-Ray: xxxxxxxxxxxxxxx-xxx
> Cf-Visitor: {"scheme":"https"}
> Cf-Warp-Tag-Id: [redacted]
> Cookie: __cfduid=[redacted]
> Dnt: 1
> Upgrade-Insecure-Requests: 1
> X-Forwarded-Proto: https
> {code}
> The request that nginx receives from Cloudflare Argo Tunnel:
> {code:java}
> GET / HTTP/1.1
> Host: guac.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
> Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
> Accept-Encoding: gzip
> Accept-Language: en-US,en;q=0.9
> Cache-Control: max-age=0
> Cdn-Loop: cloudflare
> Cf-Connecting-Ip: a.b.c.d
> Cf-Ipcountry: US
> Cf-Ray: xxxxxxxxxxxxxxx-xxx
> Cf-Visitor: {"scheme":"https"}
> Cf-Warp-Tag-Id: [redacted]
> Connection: keep-alive
> Cookie: __cfduid=[redacted]; cf_use_ob=0
> Dnt: 1
> Upgrade-Insecure-Requests: 1
> X-Forwarded-For: a.b.c.d
> X-Forwarded-Proto: https
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
