Fix display of remote ip in php log #292
Conversation
Looking at code committed during #289 it seems that the idea is to use It will be perfect for a bare metal deployment, and this is probably what @nupplaphil had in mind. But... that won't do with dockerized deployments, as reverse proxies will have some random, changing IP. Options that come to mind:

I'm not sure what the best way for the logging of the pgp access log is. I'm currently looking at $SERVER(REMOTE_ADDR). When looking in php info of my 2024.12-fpm it shows the correct value for the client.

So, why not set the It would work out of the box, minimize the development effort, and it matches the current apache's

The apache image without fpm does not have problems with logging. Or am I missing something?

Yes,

For the php access log I'm struggling with how to do it properly. Just using the Forwarded-For header is no option.

Currently apache image doesn't log real client IP. To my understanding, everything is ready to have it working, if With that said, neither are bullet proof, at some point admins should do their chores and sanitize headers from untrusted networks (internet, IPS proxies), and rely on what they actually own and control: the front facing reverse proxy in friendica docker's pod.
pgp?

I wouldn't assume that Friendica admins are experienced Linux admins. There are hobby users using docker with copied docker-compose files out there because it's easy and they don't know how to properly install software or what else is needed for a professional setup (reverse proxy, WAF, IDS, ...).

Php. Autoknacker

Sorry, I fail to see how it could hurt to use X-Forwarded-For or X-Real-IP in logs and logs only, like in apache Is it possible that you're taking that particular case too far by using it deep in friendica's php code? In places that, yes, it must not be trusted?
I'm pretty sure Apache image will log with the changes above. And it already logged correctly when the reverse proxy set X-Real-Ip.
Thanks for the clarification, I think I understand now why you are digging into php code; for the "plain php access log" to me it means "php-fpm access format". That's probably me being more admin than dev, but I wouldn't add more complexity to the code, and rather use php-fpm's access format to get

As a dev I'm looking for the correct solution rather than the first coming to mind. I want a simple but secure solution that will work out of the box and does what is expected. This is not about printing X-Forward-For but getting the correct remote address and using it (for logging). And for different scenarios, as otherwise the next user will complain soon that it is not working for him.

That's the correct way to do it indeed. Until then I will rely on X-* sanitized headers on my instance, because logging the local IP of the reverse proxy is a no go for me. At the end of the day, if the friendica app shows the real client IP in logs I'm happy with it.
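The approach the thread converges on (trust the forwarding header only when the TCP peer is one of your own reverse proxies, otherwise log `REMOTE_ADDR` as-is) can be shown in a few lines. The following is an added example for illustration and is not Friendica's code, nor code from this PR; the trusted-proxy range, the `$_SERVER` arrays and the function names (`clientIpForLog`, `ipInCidr`) are constructed assumptions.

```php
<?php
// Added example (not Friendica's or this PR's code): resolve the client IP
// for logging behind a reverse proxy without blindly trusting X-Forwarded-For.
// Trusted-proxy list and $_SERVER values below are constructed for the demo.

declare(strict_types=1);

/** True when $ip lies inside $cidr (IPv4 "a.b.c.d/n" or a plain address). */
function ipInCidr(string $ip, string $cidr): bool
{
    if (!str_contains($cidr, '/')) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // IPv6 or malformed input: treat as not matching
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Determine the client IP to write into the access log.
 * - If the TCP peer (REMOTE_ADDR) is not a trusted proxy, the header is ignored,
 *   so a direct client cannot spoof another address into the log.
 * - Otherwise walk X-Forwarded-For from the right, skipping our own proxies,
 *   and return the first hop that is not one of them.
 */
function clientIpForLog(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $isTrusted = fn(string $ip): bool => array_reduce(
        $trustedProxies,
        fn(bool $hit, string $cidr): bool => $hit || ipInCidr($ip, $cidr),
        false
    );

    if (!$isTrusted($remote) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed hop: fall back to the peer address
        }
        if (!$isTrusted($hop)) {
            return $hop;
        }
    }
    return $remote; // every hop was one of our proxies
}

// Constructed sample: a docker bridge network is the trusted range; the second
// request comes straight from the internet with a forged header.
$trusted  = ['172.16.0.0/12'];
$viaProxy = ['REMOTE_ADDR' => '172.18.0.2',
             'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 172.18.0.5'];
$direct   = ['REMOTE_ADDR' => '198.51.100.7',
             'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];

echo clientIpForLog($viaProxy, $trusted), PHP_EOL;
echo clientIpForLog($direct, $trusted), PHP_EOL;
```

The first sample resolves to the forwarded public address because the peer is inside the trusted range; the second keeps `REMOTE_ADDR` and discards the header entirely. On the Apache side the same policy is what `mod_remoteip` implements with `RemoteIPHeader` plus `RemoteIPInternalProxy`/`RemoteIPTrustedProxy` restricted to the proxy's network, which is the adjustment the PR description mentions for the Apache image.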
Looks good to me
Based on #289 I created this PR to collect the changes needed to ensure that the original requester's IP is used for logging, etc.
This is what is to be done now:
@m33m33 Looking in Respect Forwarded-For headers friendica#11680 I believe logging the correct ip should be possible already if the Friendica configuration is set accordingly. We need to figure out how to add this correctly to the docker configuration. We may also need to add another optional env variable with a proper default for this.
For the Apache image the mod_remoteip configuration needs to be adjusted.
We need to document how this is working.
Co-authored-by: @m33m33