My clients http requests go through Squid proxy server to connect to backend apache web server. A php script in the backend webserver gets clients' real ip address as below:
if (!empty($_SERVER['HTTP_CLIENT_IP']))
{
$ip_address = $_SERVER['HTTP_CLIENT_IP'];
}
//whether ip is from proxy
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
{
$ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
//whether ip is from remote address
else
{
$ip_address = $_SERVER['REMOTE_ADDR'];
}
I set the Squid proxy server with the following parameters in order to get the clients real ips:
via on
request_header_access X-Forwarded-For allow all
forwarded_for on
follow_x_forwarded_for allow localhost
I expected to get the real clients' ips through the parameter $_SERVER['HTTP_X_FORWARDED_FOR']. However, when I checked the values from clients' browsers, only remote_addr has values:
http_client_ip: undefined
http_x_forwarded_for: undefined
remote_addr => squid proxy server ip address
I suspect the issue may locate in my squid proxy server setup, but have no idea which Squid configuration parameters should I change. Appreciated your help in advance.
With Regards
Steve
Related
I am running a Groovy script to capture traffic over proxy port in OWASP ZAP.
For https site, I am setting the proxy as given below and I can see the traffic in ZAP when I run my script.
System.setProperty('https.proxyPort', '8083')
System.setProperty('https.proxyHost', '127.0.0.1')
For http site, I am setting the proxy as given below but I can not see the traffic.
System.setProperty('http.proxyPort', '8083')
System.setProperty('http.proxyHost', '127.0.0.1')
The same settings although work fine when configured on Chrome. I have tried using the IP address instead of 127.0.0.1 but that also did not help. What could be going on wrong here ?
I have build a Go server using Echo framework, i get TLS certificades and a domain name, but when i try a request i get the message "Client sent an HTTP request to an HTTPS server." and when i try acces the server from the IP address of the EC2 using the port 443, it says that the connection is not secure:
And when i change the server to the port 80 to acces through the domain name, i get the following error:
I'm starting the server using the StartTLS func
e.Logger.Fatal(e.StartTLS(":80", "/etc/letsencrypt/live/anltcsprod.enrtt.com/fullchain.pem", "/etc/letsencrypt/live/anltcsprod.enrtt.com/privkey.pem"))
Is it something wrong with my domain or certificade?
Port 80, by default, communicates over HTTP. 443 is reserved for HTTPS traffic. Assuming nothing else is wrong, you should be able to simply change your e.StartTLS() to this:
e.Logger.Fatal(e.StartTLS(":443", "/etc/letsencrypt/live/anltcsprod.enrtt.com/fullchain.pem", "/etc/letsencrypt/live/anltcsprod.enrtt.com/privkey.pem"))
For example localhost:4000
Instead use https://localhost:4000
I'm trying to use Fiddler to capture traffic that comes to my machine on its external ip address, and redirect it to the loopback interface without affecting the host header.
I have added the following to the OnBeforeRequest method:
if (oSession.HostnameIs("MyMachineName")){
oSession.bypassGateway = true;
oSession["x-overrideHost"] = "localhost";
}
This works fine for http traffic: I do indeed see a request to http://MyMachineName hit the loopback adaptor with its host header intact.
However, when intercepting https traffic I get the following in the response raw view:
fiddler.network.https> HTTPS handshake to auth.time-wise.net failed. System.IO.IOException The handshake failed due to an unexpected packet format.
I have Fiddler configured to capture and decrypt https traffic.
Does anyone know why this problem occurs and how it can be remedied?
Edit: in response to Eric's request for more information
Fiddler is running as a proxy (i.e. as standard), listening on port 8888.
The clients are (currently) web browsers on the same machine, and so are automatically using the Fiddler proxy, as they've picked up the change in default proxy.
You've left out some important details (e.g. what port is Fiddler running on, and how did you configure the remote client to send its traffic to Fiddler?)
Having said that, you will probably want to change your use of x-overrideHost to x-overrideHostname such that the port number of the traffic being retargeted is preserved.
I have a EC2 linux instance with a tomcat webapp (uses spring mvc) running on port 8081. There is no load balancer in place. I've setup the instance security group on the aws console to open up port 80. And on the ec2 inststance, I'm routing requests from port 80 to 8081 by doing
sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8081
I need to access client's ip address (to determine their country). And so I'm looking for the x-forwarded-for and x-real-ip headers in the HttpServletRequest object.
The following always returns null when running on ec2, but returns valid values when running the same webapp on my local machine (and accessing via public ip using ngrok).
request.getHeader("x-forwarded-for") or request.getHeader("x-real-ip")
Is there any additional setup to be done on the AWS console or the EC2 instance to get the headers in the webapp? Or is the iptables routing messing up with the headers?
In the case of your local testing, it's actually the ngrok.com service that's adding the X-Real-Ip and X-Forwarded-Proto headers, see this comment from the creator for instance.
In your EC2 deployment, these headers might be added by a load balancer or reverse proxy, such an ELB, if you had one in place, but you state there is none.
In this case, you would need to look at the request's source IP address to determine its origin.
For development, you could do something like
request.getHeader("x-forwarded-for") or request.getRemoteAddr()
but this would leave you vulnerable to clients spoofing the X-Forwarded-For header. You should only trust these headers if the true remote address of the request is a reverse proxy or load balancer that you trust, such as one you control or a partner if you're using a CDN or third party DDoS protection.
http://ipfuck.paulds.fr/
We've been recently getting hammered by this Firefox plug-in. It sends a fake IP in the headers so when our nginx web server picks up the IP it is a fake one.
Is there any way to get a real IP address or block out requests that have this plug-in installed?
There is actually no client IP entries in any HTTP Headers. There are only some un-official proxy headers which are added to a request, so that a proxy server can tell you the real ip of the connecting client (since the tcp socket will only reveal the IP address of the proxy server).
The plugin you linked to adds those proxy headers, to "fake" a proxy request, by adding a X-Real-IP: 1.2.3.4 or X-Forwarded-For: 1.2.3.4 header to the request. But no one forces you to use that IP address (which can be fake, like the 1.2.3.4 example here), you can always use the IP address of the socket that initiated the connection - which will be the client's real IP address if he uses the mentioned plugin.
Within the location section of your nginx configuration, you get the socket IP address through the $remote_addr variable. To retrieve the "fake" IP address, you can use $http_x_forwarded_for or $http_x_real_ip variable.
If you are using any application/cgi backend, you usually can examine the full headers and the socket IP address (i.e. in PHP you should check $_REQUEST and $_HEADERS variables)