OvenMediaEngine

Wrong ip when using nginx reverse proxy

Open ifamirhasan opened this issue 3 years ago • 7 comments

PROBLEM

I'm using nginx to reverse proxy the signaling phase of WebRTC. Everything is OK, but I get the wrong IP in the admission webhook: it is the local IP. I also checked the logs and saw both the local IP and my real IP.


this is my nginx config:

location /live/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_pass http://ome:3333;
}

ifamirhasan avatar Dec 20 '21 02:12 ifamirhasan

If nginx is proxying, only nginx's IP is known to OME. There is no way to know the IP of the client.

getroot avatar Dec 20 '21 03:12 getroot

There exist X-REAL-IP and X-FORWARDED-FOR headers for such cases. Please add support for getting the IP address from these headers if OME is used behind a reverse proxy or HTTP load balancer.

basisbit avatar Dec 29 '21 02:12 basisbit

@basisbit Thanks for letting me know about X-REAL-IP, X-FORWARDED-FOR.

In order for OME to support this without any security problems, if the user enables X-REAL-IP in the AdmissionWebhooks setting of Server.xml, it will be necessary to set the proxy IP as a required option and allow only connections from nginx.

getroot avatar Dec 31 '21 05:12 getroot

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 02 '22 13:06 stale[bot]

*bump* Keeping this open because it is a rather common use case, and having the error log contain the public IPv4/IPv6 address can be important for legal reasons.

basisbit avatar Jun 02 '22 15:06 basisbit

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 01 '22 17:08 stale[bot]

bump

basisbit avatar Aug 01 '22 21:08 basisbit

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 30 '22 22:09 stale[bot]

bump

To resolve the security issue, you can use nginx's approach. To explain: add a trustedProxy option to the config; if the proxy is in the trustedProxy list (X-FORWARDED-FOR), use the IP from X-REAL-IP.

koss89 avatar Dec 26 '23 22:12 koss89
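
The check that getroot and koss89 describe in this thread (honour X-FORWARDED-FOR / X-REAL-IP only when the connection itself comes from a configured proxy), written out in Python as an added example. It is not OvenMediaEngine code; the function name `resolve_client_ip`, the `trusted_proxies` parameter and all sample addresses are assumptions made for illustration.

```python
import ipaddress


def resolve_client_ip(peer_ip, headers, trusted_proxies):
    """Pick the address to report as the client, given the TCP peer address,
    the request headers, and the configured list of trusted proxy networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        # An IPv4 address is never "in" an IPv6 network and vice versa.
        return any(ip in net for net in nets)

    peer = ipaddress.ip_address(peer_ip)
    if not trusted(peer):
        # Not our proxy: any forwarding header was written by the client itself.
        return str(peer)

    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    chain = h.get("x-forwarded-for") or h.get("x-real-ip") or ""
    client = peer
    # nginx's $proxy_add_x_forwarded_for appends the address it saw to whatever
    # the client sent, so only the right-hand end of the list is trustworthy.
    for hop in reversed(chain.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed or empty entry: stop at the last verified address
        client = ip
        if not trusted(ip):
            break  # first hop that is not one of our proxies is the client
    return str(client)


if __name__ == "__main__":
    TRUSTED = ["172.18.0.0/16"]  # constructed: network of the nginx container
    # Client 203.0.113.9 sent a forged "X-Forwarded-For: 198.51.100.7" through nginx.
    print(resolve_client_ip("172.18.0.2",
                            {"X-Forwarded-For": "198.51.100.7, 203.0.113.9"}, TRUSTED))
    # Client connected straight to the origin port and supplied the header itself.
    print(resolve_client_ip("203.0.113.50", {"X-Real-IP": "198.51.100.7"}, TRUSTED))
```

With the nginx config from the issue, the forged left-hand entry is ignored and the address nginx itself observed is reported; a peer outside the trusted list always gets its socket address back, whatever headers it sends.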