[Bug]: X-Forwarded-For header is not respected
dcherniv opened this issue
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration issue.
- This issue is not already reported on Github (I've searched it).
Bug description
I think x-forwarded-for is not being utilized properly by sftpgo. When I set the following env vars:
- name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_PROXY_ALLOWED__0
value: 10.12.0.0/16
- name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER
value: X-Forwarded-For
nothing changes in the log files. I still see the remote_addr as the address of the ALB that the request comes from:
{"level":"info","time":"2024-01-09T01:22:00.602","sender":"httpd","local_addr":"10.12.11.171:8080","method":"GET","proto":"HTTP/1.1","remote_addr":"10.12.0.198:3538","request_id":"sftpgo-b5c4d5dd8-jjv9h/n2OhnCQx9y-000015","uri":"http://REDACTED/web/admin/users","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","resp_status":200,"resp_size":33462,"elapsed_ms":16}
Note that 10.12.0.198 is an address from the ALB that fronts the SFTPGO server. It would not have been a big deal, but the problem is that the JWT token given out by SFTPGO to the browser has an IP address in the AUD field, e.g.:
{
  "aud": [
    "WebAdmin",
    "10.12.0.198"
  ],
  "exp": 1704764482,
  "jti": "REDACTED",
  "nbf": 1704763252,
  "permissions": [
    "*"
  ],
  "sub": "REDACTED",
  "username": "sftpadmin"
}
Since the ALB has multiple IPs, when the IP eventually rotates the user is booted out of the UI console.
Steps to reproduce
- Provision an SFTPGO server
- Set up an ALB with at least two zones
- Add sftpgo server as a target group
- Log in to the web admin
- Wait a little bit and issue some requests. Wait for the ALB IP to switch over to the other IP
- User is logged out.
Expected behavior
X-Forwarded-For should be respected if SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER is set. It should be logged in the remote_addr field and used in the JWT token.
SFTPGo version
SFTPGo 2.5.4-cc381443-2023-07-15T07:58:42Z +metrics +azblob +gcs +s3 +bolt +mysql +pgsql +sqlite -unixcrypt +portable
Data provider
Postgres
Installation method
Other
Configuration
Config file is vanilla; only the following env vars are overridden:
- name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_PROXY_ALLOWED__0
value: 10.12.0.0/16
- name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER
value: X-Forwarded-For
Relevant log output
No response
What are you using SFTPGo for?
Private user, home usecase (home backup/VPS)
Additional info
No response
For whoever runs into this issue: the problem was the incorrect environment variable key format.
To specify client_proxy_header, use the following variables:
- name: SFTPGO_HTTPD__BINDINGS__0__PROXY_ALLOWED
value: "0.0.0.0/0"
- name: SFTPGO_HTTPD__BINDINGS__0__CLIENT_IP_PROXY_HEADER
value: "X-Forwarded-For"
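Added example, not SFTPGo's own code: Go logic showing how the two binding settings are meant to work together. The X-Forwarded-For value is honoured only when the TCP peer falls inside proxy_allowed, and the resolved address is what a JWT aud entry should be bound to, so rotation of the ALB's own IP no longer changes it. It assumes a single trusted proxy hop (the ALB); the function names are hypothetical and the addresses in the comments are constructed.

```go
package main

import (
	"net"
	"strings"
)

// parseProxyAllowed parses the proxy_allowed CIDRs; a malformed entry is a config error.
func parseProxyAllowed(cidrs ...string) ([]*net.IPNet, error) {
	var allowed []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		allowed = append(allowed, n)
	}
	return allowed, nil
}

func trustedProxy(allowed []*net.IPNet, ip net.IP) bool {
	for _, n := range allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address a session (and the IP entry in the JWT "aud") is bound to.
// remoteAddr is the TCP peer ("host:port"), xff the X-Forwarded-For value. One trusted
// proxy hop (the ALB) is assumed, so the rightmost hop is the address the ALB itself saw.
// Constructed case: peer 10.12.0.198 or 10.12.1.45 (ALB nodes) with xff 203.0.113.7 both
// resolve to 203.0.113.7, so the aud entry is stable across ALB IP rotation.
func ClientIP(allowed []*net.IPNet, remoteAddr, xff string) string {
	peer, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		peer = remoteAddr
	}
	// Only peers inside proxy_allowed may speak for the client; any other peer's header is
	// ignored, so a direct client cannot choose the address that gets logged and audited.
	if !trustedProxy(allowed, net.ParseIP(peer)) {
		return peer
	}
	hops := strings.Split(xff, ",")
	if last := strings.TrimSpace(hops[len(hops)-1]); net.ParseIP(last) != nil {
		return last
	}
	return peer
}
```

With proxy_allowed set to 0.0.0.0/0, as in the comment above, every peer is treated as a trusted proxy, so any client that reaches the listener directly can set its own logged address; a list limited to the ALB's subnet keeps that check meaningful.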