Currently, our phpbb setup is behind a reverse proxy. All users IP addresses logged in database are then the proxy IP (127.0.0.1 here). We need to fix this so that the user IP is logged instead. Rationale: French law requires us to store for year access/action logs from users, and we need to have the correct IP address there.
Two solutions so far:
- package, install and use mod_rpaf
- patch phpbb code to handle X-Forwarded-For header
Assignee: mageia-webteam => sysadmin-bugs
I'm not sure about mod rpaf after seeing this kind of bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683984 About the phpbb patch, it's only a 2-line change to use the X-Forwarded-For header for the IP. A little more if we add it as a configurable option in the admin panel, but that should be doable, and I think upstream would be interested in this patch.
CC: (none) => boklm
Assignee: sysadmin-bugs => forums-bugs
@ Thomas Is my memory correct that it was decided many months ago that you'd be the sysadmin in charge of communicating with the forums admin? This bug was originally assigned to sysadmin team by rda. Later it was re-assigned to forums team. To the best of my knowledge, forums admin does not have enough rights to solve this, so asking for your help. Can this bug be assigned to you, please?
CC: boklm => doktor5000, isis2000, maat-ml, marja11, tmb
CC: (none) => eeeemail
Assigning back to sysadmin team, because, to the very best of my knowledge, only sysadmin team can solve this. @ rda Should the status, for now, be changed to UNCONFIRMED, because of http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf (Court of Justice of the European Union declares the Data Retention Directive to be invalid) ? I don't have time to really dig into that, only read the headlines, so I have no real clue which impact that might have on French data-retention laws.
Assignee: forums-bugs => sysadmin-bugs
This also prevents banning the IP of a user without banning everyone. The code is in includes/session.php:

    // Why no forwarded_for et al? Well, too easily spoofed. With the results of my recent requests
    // it's pretty clear that in the majority of cases you'll at least be left with a proxy/cache ip.
    $this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    $this->ip = preg_replace('# {2,}#', ' ', str_replace(',', ' ', $this->ip));

    // split the list of IPs
    $ips = explode(' ', trim($this->ip));

    // Default IP if REMOTE_ADDR is invalid
    $this->ip = '127.0.0.1';

In our case we could probably handle X-Forwarded-For but we should make sure we drop existing ones in the proxying apache.
CC: (none) => pterjan
There is also https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
Hello, If we can't, the best approach is to make our proxy transparent, because sometimes users hide behind proxies we and they don't control (ISP proxies) -> If we want to have a fully working IP ban system we need access to both the ORIGINAL FORWARDED-FOR and the ORIGINAL IP. If the proxy is compromised we can ban it completely, but if it's not, it would be cool to be able to ban a user without hitting every nice user behind an ISP proxy. Cheers,
You don't need to compromise a proxy. It makes it useless if we allow X-Forwarded-For to be set by the user, which is why it is not supported by phpBB. You can set it to whatever you want without being behind a proxy and change it as much as you want. For example https://addons.mozilla.org/en-GB/firefox/addon/x-forwarded-for-spoofer/ or https://addons.mozilla.org/en-gb/firefox/addon/x-forwarded-for-header/
Hi, Sorry all, at second reading my point was not clear at all :-( Same player tries to shoot again:

If we have an incoming IP from an official ISP proxy, the real IP for us is better taken from the FORWARDED-FOR header. In those cases, if we only get the proxy IP and ban a user, we ban many clean users at the same time. Same thing for big official proxies (Govs, big corps, ISPs, universities...)

On the other end, if we have an incoming connection from xxxdynamic-adsl.some.isp or whatever IP in a big server farm (big hosting companies from which everybody can rent a machine), we'd better not try to believe the FORWARDED-FOR headers and only take the ORIGINAL IP.

The idea behind that requires having a list of proxy IPs we can trust. Hope I made things a little bit clearer. Cheers,
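One way to implement the trusted-proxy idea from the comment above (and the "drop the header unless it came from our proxy" point from the session.php comment), written here as an added example rather than phpBB's or Mageia's code; the proxy list is a constructed assumption:

```php
<?php
// Added example (not phpBB code): trust X-Forwarded-For only when REMOTE_ADDR is a
// proxy we know, walk the header from the right and stop at the first untrusted hop.
// Constructed list (assumption): our own reverse proxy plus an assumed ISP range.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.0/8', '203.0.113.0/24'];

function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // IPv4 only in this example
    }
    $mask = ((int) $bits === 0) ? 0 : ((~0 << (32 - (int) $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function is_trusted_proxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// $remoteAddr = $_SERVER['REMOTE_ADDR'], $forwardedFor = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? ''
function resolve_client_ip(string $remoteAddr, string $forwardedFor): string
{
    if (!is_trusted_proxy($remoteAddr)) {
        return $remoteAddr; // direct client: the header may be spoofed, ignore it
    }
    $hops = array_values(array_filter(array_map('trim', explode(',', $forwardedFor))));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the proxy's own address
        }
        if (!is_trusted_proxy($hops[$i])) {
            return $hops[$i]; // nearest hop that is not one of our proxies
        }
    }
    return $remoteAddr; // every hop was a trusted proxy
}
```

With this logic a header sent directly by a client that is not in the list is ignored, so the spoofing objection raised earlier in the thread does not apply, while users behind a listed ISP proxy are still distinguished from each other.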
This bug is starting to be quite critical, if you go to the EN forum you'll see that a crazy guy who started as "joshuya" and was banned by nickname already 3 or 4 times is now starting to impersonate active forum members, including doktor5000 (by naming himself "doktor50000", notice the extra 0).
Priority: Normal => High
Yep, that's a problem.
CC: (none) => root
lol
Needs some more checking, but looks like it is solved:

2016:01:22:08:01 < marja> maat: yesterday i got the impression that the forums are no longer behind a reversed proxy.... did that indeed get solved?
2016:01:22:08:05 < marja> maat: you could see that user "shorewall" wasn't behind a tor node
2016:01:22:08:06 < marja> maat: so you didn't see "127.0.0.1" for him
2016:01:22:08:07 < maat> yup
2016:01:22:08:07 < maat> true you are
2016:01:22:08:07 < maat> oh i love our sysadmin \o/
2016:01:22:08:08 < maat> true you are for the correct IP getting to the forums machine
2016:01:22:08:09 < marja> and they get logged, so bug 7100 can be closed, I suppose
2016:01:22:08:11 < maat> let's check twice or thrice
2016:01:22:08:11 < maat> before taking the risk of banning the world :P

Thanks whoever worked on this!
CC: root => (none)
This is not really solved yet
Hi, This is a high priority bug for a good reason. Making Mageia even better than ever is the best direction. In order to do the right thing, this bug should be examined and fixed as soon as possible. Packagers, please set the status to Assigned when you are working on this. Feel free to reassign the bug if badly triaged. Also, if the bug is old, please close it. On October 1st 2020, we will drop priority to normal.