dd support for X-Forwarded-For header to log correct client IP when behind a proxy

[rlljorge]

Hello,

I’m using the self-service-password tool behind a proxy, and I noticed that the audit logs are showing the proxy’s IP address instead of the client’s real IP. Many applications support reading the X-Forwarded-For header in such scenarios to correctly log the client’s original IP.

Would it be possible to add native support for this feature?

For example, in the configuration file (config.inc.php), a new option could be added to enable this functionality, something like:

$use_forwarded_for = true;

And the system could then check if the X-Forwarded-For header exists and use that for logging the client’s IP.

if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else {
    $ip = $_SERVER['REMOTE_ADDR'];
}

Best Regards,

Rodrigo

[dgeo]

Hi @rlljorge and all here,
In the case this would be implemented, we need a list of trusted reverse-proxies to avoid (bad) clients obfuscating their IP in audit logs by adding this header with garbage values.
And the header itself should be configurable.

Alternative: Here we use the web server itself make this job (realip module for nginx, or remoteIp for apache) to make original IP available to php without hassle.

[davidcoutadeur]

Hello,

Usually, we do this with a webserver configuration. However it can be a good option. If you absolutely need this feature in SSP, you can open an issue and propose a PR.

Regards

[rlljorge]

Hello!

I would like to provide more details about my use case.

I am using the Docker version in a Kubernetes cluster that is running NGINX Ingress.

The Ingress receives the valid IP and forwards it to the headers X-Forwarded-For and X-Real-IP for the Apache in the SSP container.

Since we are dealing with extremely sensitive information, specifically user passwords in LDAP/AD, I believe we should capture the complete IP addressing information for auditing purposes.

I believe many people are migrating their workloads to Docker and Kubernetes. My intention is not to generate unnecessary requests, especially since I don't have knowledge in development, but I can assist better with infrastructure-related issues.

Please let me know your thoughts on this use case. I look forward to hearing from you!

Best Regards,

Rodrigo

[davidcoutadeur]

Hello,

You could mount a custom apache configuration file in the docker image of self-service-password. This custom apache configuration file would get the X-Forwarded-For / X-Real-IP headers and log the final IP of the user.

Else, you can also open an issue and propose a PR if you need this feature integrated directly in ssp code.

Regards,