Describe the problem you’re having:
I have TT-RSS set up behind a reverse-proxy, and TT-RSS logs failed logins with the Docker internal IP address instead of the public one shared by the reverse-proxy Traefik.
Here is the log of TT-RSS
Failed login attempt for AAA from 172.21.0.3
This is Docker’s internal IP for TT-RSS.
In more detail, the header X-Real-Ip isn’t used. Nor is RemoteAddr.
Request detail from Traefik to TT-RSS:
Method: POST, URL: {
Scheme: ,
Opaque: ,
User: null,
Host: ,
Path: /tt-rss/backend.php,
RawPath: ,
ForceQuery: false,
RawQuery: ,
Fragment: ,
RawFragment:
}, Proto: HTTP/2.0, ProtoMajor: 2, ProtoMinor: 0, Header: {
Accept: [text/javascript, text/html, application/xml, text/xml, */*],
Accept-Encoding: [gzip, deflate, br],
Accept-Language: [en-GB,en;q=0.5],
Content-Length: [71],
Content-Type: [application/x-www-form-urlencoded; charset=UTF-8],
Cookie: [ttrss_widescreen=0; ttrss_sid=12abcd3efg4567hi8jklm800ms],
Dnt: [1],
Origin: [https://MYDOMAIN:PORT],
Te: [trailers],
User-Agent: [Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0],
X-Forwarded-Host: [MYDOMAIN:PORT],
X-Forwarded-Port: [port],
X-Forwarded-Proto: [https],
X-Forwarded-Server: [ed0c55358b5d],
X-Prototype-Version: [1.7.3],
X-Real-Ip: [MYREALIP],
X-Requested-With: [XMLHttpRequest]
},
ContentLength: 71,
TransferEncoding: null,
Host: MYDOMAIN:PORT,
Form: null,
PostForm: null,
MultipartForm: null,
Trailer: null,
RemoteAddr: MYREALIP:RANDOMPORT,
RequestURI: /tt-rss/backend.php,
TLS: null
I think this is the source of the problem.
Would it be possible to use the header X-Real-Ip if it’s set, or the header X-Forwarded-For if it’s set, or REMOTE_ADDR if it’s set, or REMOTEADDR if it’s set? At least with X-Real-Ip being checked first, I’m not sure about the best order for the rest.
I haven’t done any PHP in a long time, but I remember doing checks like this when I learned, so I don’t think it should be difficult to achieve this. If it’s easier for fox, I could attempt going through my old PHP projects and do a pull-request. I don’t think it would be up to professional standards though ^^
If possible include steps to reproduce the problem:
My Traefik config files are fairly standard, and I didn’t change TT-RSS’s config.php manually.
tt-rss version (including git commit id):
Really not sure how to check this, but I just went through the steps here https://git.tt-rss.org/fox/ttrss-docker-compose/src/static-dockerhub
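
An added example, not part of the original post and not tt-rss code: one way to order the checks asked about above is to honour X-Real-Ip and X-Forwarded-For only when REMOTE_ADDR is a known proxy, since a client connecting directly can send either header with any value. The function names, the TRUSTED_PROXIES list and its 172.21.0.0/16 range (assumed from the 172.21.0.3 address in the log) are hypothetical, and the proxy is assumed to overwrite X-Real-Ip itself.

```php
<?php
// Added example, not tt-rss code. TRUSTED_PROXIES is a hypothetical setting;
// the /16 is assumed from the 172.21.0.3 address in the log (IPv4 only).
const TRUSTED_PROXIES = ['172.21.0.0/16'];

// True when IPv4 address $ip lies inside $cidr (64-bit PHP assumed).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) return false;
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

function is_trusted_proxy(string $ip): bool {
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) return true;
    }
    return false;
}

// Resolve the client address from a $_SERVER-style array.
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Direct connection: forwarded headers are client-controlled, ignore them.
    if (!is_trusted_proxy($peer)) return $peer;

    // X-Real-Ip carries a single address written by the proxy.
    $real = trim($server['HTTP_X_REAL_IP'] ?? '');
    if (filter_var($real, FILTER_VALIDATE_IP)) return $real;

    // X-Forwarded-For: walk right to left, skip our own proxies,
    // and take the first hop we do not control.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) break;
        if (!is_trusted_proxy($hop)) return $hop;
    }
    return $peer;
}

// Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
$viaProxy = ['REMOTE_ADDR' => '172.21.0.3', 'HTTP_X_REAL_IP' => '203.0.113.7'];
$direct   = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_REAL_IP' => '10.0.0.1'];
echo client_ip($viaProxy), "\n"; // header honoured: peer is the trusted proxy
echo client_ip($direct), "\n";   // header ignored: peer is not a trusted proxy
```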