
Support configuration for reverse proxies

Open marco44 opened this issue 7 years ago • 12 comments

Hi, my configuration is very similar to #204

nginx configuration almost identical as a reverse proxy, apache behind…

The real IP appears in apache's log.

I've done a tcpdump between both servers to be sure. Here is the beginning of the HTTP dialog:

GET /domino HTTP/1.0
Host: dali.bo
X-Real-IP: 78.228.108.65
X-Forwarded-For: 78.228.108.65
X-Forwarded-Proto: https
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
...

So from what I get, everything is ok in the headers, but of course I may have missed something.

The reverse proxy's IP is logged in the clicks table though, instead of the client's IP.

I'm using polr, 2.2.0.

Do you have any idea what I may have missed?

Thanks a lot for your help

marco44 avatar May 31 '17 15:05 marco44

Take a look at this link to properly configure your instance:

http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html

cydrobolt avatar May 31 '17 15:05 cydrobolt

Ok, but wouldn't it be easier if there was a configuration parameter for this? Not all users are fluent in symfony…

marco44 avatar Jun 01 '17 08:06 marco44

You're right. I'll keep this issue open and look into creating a better way to implement this.

cydrobolt avatar Jun 01 '17 20:06 cydrobolt

FWIW, I encountered this issue with @marco44. Without configuring setTrustedProxies() as mentioned in your previous link, registering a new account cannot work, because of this issue:

Mixed Content: The page at 'https://XXX/signup' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://XXX/signup'. This endpoint should be made available over a secure connection.
base.js:24 Polr

rjuju avatar Jun 02 '17 09:06 rjuju

I'm not sure why that error is occurring, but I'll look into it. Does that have to do with the reCAPTCHA or the form itself?

cydrobolt avatar Jun 02 '17 10:06 cydrobolt

Sorry, I accidentally closed the issue. I've reopened it.

cydrobolt avatar Jun 02 '17 10:06 cydrobolt

We didn't set up any captcha, we preferred to use SETTING_ALLOWED_EMAIL_DOMAINS.

I supposed this check was done to make sure no password was transmitted over a non-secure channel if the overall page is secured. I didn't dig into the javascript though.

If that can help, I can disable the fix any time on our server (it's not in production yet) if you need more information or logs about this.

rjuju avatar Jun 02 '17 11:06 rjuju

I think it's a browser feature, rather than anything we've implemented ourselves. I'll take a look later and let you know.

cydrobolt avatar Jun 02 '17 11:06 cydrobolt

I tried on an older firefox and I confirm that the message is browser specific. Registering with this older firefox (with fix removed) doesn't seem to work either.

rjuju avatar Jun 02 '17 11:06 rjuju

My Polr instance is behind an Apache reverse proxy and some pages give out an error that says

"The proxy server received an invalid response from an upstream server. The proxy server could not handle the request POST /lost_password. Reason: Error reading from remote server"

I could try this solution that @cydrobolt pointed out, but I don't know where to put it.

Take a look at this link to properly configure your instance:

http://symfony.com/doc/current/request/load_balancer_reverse_proxy.html

Where do you insert these directives in the Polr configuration files?

lentidas avatar Feb 12 '18 17:02 lentidas

I created a simple middleware to force https behind a reverse proxy. Here is my code: app/Http/MiddleWare/ForceHTTPS.php

<?php

namespace App\Http\Middleware;

use Closure;

class ForceHTTPS
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
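        // Mark the address of the connecting peer as a trusted proxy so that
        // the X-Forwarded-* headers it sends are honoured.
        $request->setTrustedProxies( [ $request->getClientIp() ] );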
        return $next($request);
    }
}

And registered the middleware in: bootstrap/app.php


$app->middleware([
    Illuminate\Cookie\Middleware\EncryptCookies::class,
    // Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    Illuminate\Session\Middleware\StartSession::class,
    Illuminate\View\Middleware\ShareErrorsFromSession::class,
    App\Http\Middleware\VerifyCsrfToken::class,
    App\Http\Middleware\ForceHTTPS::class,
]);

I can also create a pull request. I'm just not sure how to integrate it in the application. Should it add the middleware based on an ENV VAR?

legoheld avatar Jul 04 '18 09:07 legoheld
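
The middleware above marks whichever address connects to Polr as a trusted proxy, so forwarded headers are accepted from any peer; the variant below takes up the ENV VAR question and trusts only addresses listed in configuration. It is an added example, not code from this thread or from Polr: the class name TrustConfiguredProxies and the TRUSTED_PROXIES variable are hypothetical, and it assumes the single-argument setTrustedProxies() call used in the posted middleware.

```php
<?php

namespace App\Http\Middleware;

use Closure;

// Added example, not part of Polr: TrustConfiguredProxies and the
// TRUSTED_PROXIES variable are hypothetical names.
class TrustConfiguredProxies
{
    /**
     * Honour X-Forwarded-* headers only when the request arrives from a
     * proxy listed in TRUSTED_PROXIES (comma-separated IPs or CIDR ranges,
     * e.g. "10.0.0.5,192.168.10.0/24").
     */
    public function handle($request, Closure $next)
    {
        $proxies = self::parseProxyList(env('TRUSTED_PROXIES', ''));

        // With an empty list nothing is trusted: getClientIp() and
        // isSecure() then ignore the forwarded headers entirely.
        if ($proxies) {
            // Single-argument form, as in the middleware posted above.
            $request->setTrustedProxies($proxies);
        }

        return $next($request);
    }

    /**
     * Split the setting and drop anything that is not an IP or IP/prefix,
     * so a typo or a /0 range cannot silently widen the trusted set.
     */
    public static function parseProxyList($raw)
    {
        $valid = [];
        foreach (array_filter(array_map('trim', explode(',', (string) $raw))) as $entry) {
            $parts = explode('/', $entry, 2);
            $isIp = filter_var($parts[0], FILTER_VALIDATE_IP) !== false;
            $maxBits = strpos($parts[0], ':') === false ? 32 : 128;
            $okPrefix = !isset($parts[1]) || (ctype_digit($parts[1])
                && (int) $parts[1] >= 1 && (int) $parts[1] <= $maxBits);
            if ($isIp && $okPrefix) {
                $valid[] = $entry;
            }
        }
        return $valid;
    }
}
```

Register it in bootstrap/app.php in place of ForceHTTPS and set TRUSTED_PROXIES to the address of the nginx, Apache or traefik front end. Symfony 3.3 and later take a second argument to setTrustedProxies() naming the trusted header set.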

I am having this same issue with traefik as my reverse proxy. The proxy internal IP is logged instead of the real client's IP.

Anyone come across this issue while using traefik?

spoctoss avatar Oct 03 '19 20:10 spoctoss