Not using X-Real-IP

Describe the problem you’re having:
I have TT-RSS setup behind a reverse-proxy, and TT-RSS logs failed logins with the Docker internal IP address instead of the public one shared by the reverse-proxy Traefik.

Here is the log of TT-RSS

Failed login attempt for AAA from 172.21.0.3

This is Docker’s internal IP for TT-RSS.

In more detail, the header X-Real-Ip isn’t used. Nor is RemoteAddr.
Request detail from Traefik to TT-RSS:

Method: POST, URL: {
    Scheme: ,
    Opaque: ,
    User: null,
    Host: ,
    Path: /tt-rss/backend.php,
    RawPath: ,
    ForceQuery: false,
    RawQuery: ,
    Fragment: ,
    RawFragment: 
}, Proto: HTTP/2.0, ProtoMajor: 2, ProtoMinor: 0, Header: {
    Accept: [text/javascript, text/html, application/xml, text/xml, */*],
    Accept-Encoding: [gzip, deflate, br],
    Accept-Language: [en-GB,en;q=0.5],
    Content-Length: [71],
    Content-Type: [application/x-www-form-urlencoded; charset=UTF-8],
    Cookie: [ttrss_widescreen=0; ttrss_sid=12abcd3efg4567hi8jklm800ms],
    Dnt: [1],
    Origin: [https://MYDOMAIN:PORT],
    Te: [trailers],
    User-Agent: [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0],
    X-Forwarded-Host: [MYDOMAIN:PORT],
    X-Forwarded-Port: [port],
    X-Forwarded-Proto: [https],
    X-Forwarded-Server: [ed0c55358b5d],
    X-Prototype-Version: [1.7.3],
    X-Real-Ip: [MYREALIP],
    X-Requested-With: [XMLHttpRequest]
},
ContentLength: 71, 
TransferEncoding: null,
Host: MYDOMAIN:PORT,
Form: null,
PostForm: null,
MultipartForm: null,
Trailer: null,
RemoteAddr: MYREALIP:RANDOMPORT,
RequestURI: /tt-rss/backend.php,
TLS: null

I think this is the source of the problem.
Would it be possible to use the header X-Real-Ip if it’s set, or the header X-Forwarded-For if it’s set, or REMOTE_ADDR if it’s set, or REMOTEADDR if it’s set? At least with X-Real-Ip being checked first, I’m not sure about the best order for the rest.

I haven’t done any PHP in a long time, but I remember doing checks like this when I learned, so I don’t think it should be difficult to achieve this. If it’s easier for fox, I could attempt going through my old PHP projects and do a pull-request. I don’t think it would be up to professional standards though ^^

If possible include steps to reproduce the problem:
My Traefik config files are fairly standard, and I didn’t change TT-RSS’s config.php manually.

tt-rss version (including git commit id):
Really not sure how to check this, but I just went through the steps here https://git.tt-rss.org/fox/ttrss-docker-compose/src/static-dockerhub

i’ll make a note to take a look at this after new year holidays.

not sure if it’s a good idea to blindly trust those headers though.

What I’ve seen other applications do is allow the admin to define a constant with the header to be used for the “real IP”.

> i’ll make a note to take a look at this after new year holidays.

Thanks :slight_smile:

> not sure if it’s a good idea to blindly trust those headers though.

I have 2 ideas that may help:

1. If you don’t like using headers, you could just check to see which (REMOTEADDR or REMOTE_ADDR) is defined and pick that one. Currently, you’re picking REMOTE_ADDR and it doesn’t exist with Traefik; it uses the other.

2. Keep the default settings, but add an option to change which variable (or header) to use in config.php, or perhaps in the options on the webpage directly.

Have good holidays

on second thought, since this is a server (not request) header i guess we can actually trust its contents.

X-Real-IP seems to be the standard for the last client IP address (while X-Forwarded-For is a chain of IP addresses of which only the last one could be trusted - i would prefer not to bother with that).

our default nginx example (in the docker wiki) also passes X-Real-IP so i guess it makes sense to use it, not sure if there’s any point in making it configurable.

e: it looks like REMOTE_ADDR and REMOTEADDR are both a thing (are those?)

e2: https://git.tt-rss.org/fox/tt-rss/commit/a8302fb25316661512951fdf744ac1bae6e94ef6
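As an added example (not TT-RSS code and not what the commit above does), one way to log the real client without blindly trusting the header: honour X-Real-IP only when the TCP peer (REMOTE_ADDR) is one of the admin-configured proxy addresses, and fall back to REMOTE_ADDR otherwise. The proxy range, the `client_ip`/`ip_in_ranges` names and the sample addresses are assumptions constructed for this example.

```php
<?php
// Added example, not TT-RSS's own code.
// $server is the $_SERVER array, passed in so the function is easy to test.
// $trustedProxies is assumed to come from config.php; 172.21.0.0/16 stands in
// for the Docker network the reverse proxy lives on.
function client_ip(array $server, array $trustedProxies = ['172.21.0.0/16']): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $real   = trim($server['HTTP_X_REAL_IP'] ?? '');   // PHP's name for X-Real-IP

    // Use the header only if the peer is a known proxy and the value is a real IP;
    // a client connecting directly can set X-Real-IP to anything it likes.
    if ($real !== ''
        && ip_in_ranges($remote, $trustedProxies)
        && filter_var($real, FILTER_VALIDATE_IP) !== false) {
        return $real;
    }
    // Direct connection or unknown peer: the socket address is the only trustworthy value.
    return $remote;
}

// Match an IPv4 address against a list of CIDR ranges or bare addresses.
function ip_in_ranges(string $ip, array $ranges): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach ($ranges as $range) {
        [$net, $bits] = array_pad(explode('/', $range, 2), 2, '32');
        $netLong = ip2long($net);
        $bits    = (int)$bits;
        $mask    = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if ($netLong !== false && (($addr & $mask) === ($netLong & $mask))) {
            return true;
        }
    }
    return false;
}

// Constructed samples: the request from the log above as PHP sees it (peer is the
// proxy, header carries the public address), and a direct client forging the header.
$viaTraefik = ['REMOTE_ADDR' => '172.21.0.3',   'HTTP_X_REAL_IP' => '203.0.113.7'];
$spoofed    = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_REAL_IP' => '10.0.0.1'];

echo "Failed login attempt for AAA from " . client_ip($viaTraefik) . PHP_EOL;
echo "Failed login attempt for AAA from " . client_ip($spoofed) . PHP_EOL;
```

The first line logs the public address from X-Real-IP; the second ignores the forged header and logs the peer address.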

btw

> tt-rss version (including git commit id): Really not sure how to check this

it shows in the preferences.