drakkan / sftpgo

Full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob

Home Page:https://sftpgo.com


[Bug]: X-Forwarded-For header is not respected

dcherniv opened this issue · comments

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration issue.
  • This issue is not already reported on Github (I've searched it).

Bug description

I think x-forwarded-for is not being utilized properly by sftpgo. When I set the following env vars:

        - name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_PROXY_ALLOWED__0
          value: 10.12.0.0/16
        - name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER
          value: X-Forwarded-For

nothing changes in the log files. I still see the remote_addr as the address of the ALB that request comes from:

{"level":"info","time":"2024-01-09T01:22:00.602","sender":"httpd","local_addr":"10.12.11.171:8080","method":"GET","proto":"HTTP/1.1","remote_addr":"10.12.0.198:3538","request_id":"sftpgo-b5c4d5dd8-jjv9h/n2OhnCQx9y-000015","uri":"http://REDACTED/web/admin/users","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","resp_status":200,"resp_size":33462,"elapsed_ms":16}

Note that 10.12.0.198 is an address from the ALB that fronts the SFTPGO server. It would not have been a big deal, but the problem is that the JWT token given out by SFTPGO to the browser has an IP address in the AUD field, e.g.:

{
  "aud": [
    "WebAdmin",
    "10.12.0.198"
  ],
  "exp": 1704764482,
  "jti": "REDACTED",
  "nbf": 1704763252,
  "permissions": [
    "*"
  ],
  "sub": "REDACTED",
  "username": "sftpadmin"
}

Since the ALB has multiple IPs, when the IP eventually rotates the user is booted out of the UI console.

Steps to reproduce

  1. Provision an SFTPGO server
  2. Set up an ALB with at least two zones
  3. Add sftpgo server as a target group
  4. Log in to web admin
  5. Wait a little bit and issue some requests. Wait for the ALB IP to switch over to the other IP
  6. User is logged out.

Expected behavior

X-Forwarded-For should be respected if SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER is set. It should be logged in the remote_addr field and used in the JWT token.

SFTPGo version

SFTPGo 2.5.4-cc381443-2023-07-15T07:58:42Z +metrics +azblob +gcs +s3 +bolt +mysql +pgsql +sqlite -unixcrypt +portable

Data provider

Postgres

Installation method

Other

Configuration

Config file is vanilla with the following env overridden:

        - name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_PROXY_ALLOWED__0
          value: 10.12.0.0/16
        - name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER
          value: X-Forwarded-For

Relevant log output

No response

What are you using SFTPGo for?

Private user, home usecase (home backup/VPS)

Additional info

No response

Whoever runs into this issue: the problem was the incorrect environment variable key format.
To specify client_proxy_header, use the following variables:

  - name: SFTPGO_HTTPD__BINDINGS__0__PROXY_ALLOWED
    value: "0.0.0.0/0"
  - name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER
    value: "X-Forwarded-For"