Remote IP not captured correctly

api.py uses request.remote_addr for IP logging when enabled. However, this is incorrect when behind a reverse proxy, even when the proxy attaches a header listing the “real” IP address – the remote_addr is always going to be the proxy’s IP address. Instead, the registration code needs to read something from request.headers.

As a complicating factor, matrix-registration doesn’t actually know if it’s behind a proxy. And if it’s not, it can’t trust even the last element of the X-Forwarded-For header, and should only accept the remote_addr.

There are a few possible solutions, but the approach I took was to concatenate the XFF and the remote IP, as seen in this branch: https://github.com/ZerataX/matrix-registration/compare/master...timmc:timmc/xff

            ips = ', '.join(request.headers.getlist('X-Forwarded-For') + [request.remote_addr]) \
                if config.config.ip_logging else False

…and store the (string) list of IPs instead of a single IP. (Note also the correction to the nginx config. XFF should be chained, not replaced with a single IP.)

System:

  • OS: Debian 11 Bullseye
  • python version: 3.9.2
  • matrix registration version: 663cee1fb6a1bd40f60645d8b25480ac3994963c

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

1 reaction
xelantro commented, Dec 20, 2021

Btw, just so that you are aware, and to link it: #83, request.remote_addr was removed and changed to request.get_remote_address. So if my second statement is incorrect and you do need to append it another time, please swap it.

0 reactions
timmc commented, Dec 20, 2021

Alternatively, solve both issues by adding a config setting like CLIENT_IP_HEADER = [X-Forwarded-For | X-Real-IP | etc.] that instructs the app that there’s a trusted proxy in front – if not set, use request.remote_addr, and if set, use request.headers.getlist(config.CLIENT_IP_HEADER)[-1].
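
The config-gated lookup proposed in the comment above, as an added example that is not part of the issue thread or matrix-registration's code. The names `client_ip`, `forwarded_chain` and `client_ip_header` are hypothetical and the addresses are constructed; the example goes one step past `getlist(...)[-1]` by also splitting comma-separated values, since a proxy that chains XFF usually sends the whole list on one header line.

```python
import ipaddress
from typing import Optional, Sequence, Tuple

Header = Tuple[str, str]  # (name, value) pairs in the order received


def forwarded_chain(headers: Sequence[Header], name: str) -> list:
    """Flatten every occurrence of header `name` into an ordered list of hops.

    The chain may arrive as several header lines or as one comma-separated
    line, so both forms are split. Oldest hop first, newest hop last.
    """
    hops = []
    for key, value in headers:
        if key.lower() == name.lower():
            hops.extend(p.strip() for p in value.split(",") if p.strip())
    return hops


def client_ip(headers: Sequence[Header], remote_addr: str,
              client_ip_header: Optional[str] = None) -> str:
    """Return the address to log for a request.

    client_ip_header=None means no trusted proxy is configured, so only the
    socket peer is believed. When it is set, only the last hop is used: that
    is the entry the trusted proxy appended. Earlier hops were supplied by
    the client and can be forged.
    """
    if client_ip_header is None:
        return remote_addr
    hops = forwarded_chain(headers, client_ip_header)
    if not hops:
        return remote_addr  # header absent: fall back to the socket peer
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return remote_addr  # malformed value: never log it as an address


# Constructed sample: the client sent "X-Forwarded-For: 203.0.113.7" itself,
# and the proxy at 10.0.0.5 appended the address it actually saw.
PROXY_ADDR = "10.0.0.5"
CHAINED = [("X-Forwarded-For", "203.0.113.7, 198.51.100.23")]
TWO_LINES = [("X-Forwarded-For", "203.0.113.7"),
             ("x-forwarded-for", "198.51.100.23")]

if __name__ == "__main__":
    print(client_ip(CHAINED, PROXY_ADDR))                     # no proxy configured
    print(client_ip(CHAINED, PROXY_ADDR, "X-Forwarded-For"))  # trusted proxy
```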
