postal
Email tracking reports wrong client address if the server is hosted behind a reverse proxy
Postal Web behind a reverse proxy incorrectly reports the client address:
January 17, 2022 13:18 Message Viewed Opened from 172.18.0.2 (Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ##)
There should be an option to set trusted proxies, and Postal should consider X-Forwarded-For instead of the Remote_Addr variable while tracking links.
The most curious part of this bug is that web logging in Docker already takes the IP from X-Forwarded-For. Also, the current implementation of Postal dictates using a reverse proxy, so I am curious why it is so. I will check on Monday how to fix it; without trusted proxies, we can assume that any connection to Postal is made ONLY from the proxy.
@willpower232 why is it still an issue when we do not even use the built-in web, but must use a proxy?
@adamcooke I checked the code of https://github.com/postalserver/postal/blob/main/lib/postal/tracking_middleware.rb#L89 and request.ip here is not working with the real client IP. I am not deep into developing in Ruby; as I understand it, you do not use ActionDispatch/RemoteIp, so we need to add something like https://github.com/ruby-grape/grape#remote-ip in general, and all request.ip should be replaced by request.client_ip, or use another middleware. Funny that the logging system knows the real client IP while the application works with incorrect data :) as there is no more fastserver and a proxy in general is mandatory in any case.
Hello, I have the same bug. Does anyone have a solution? Thank you for your help.
up
Is there any progress regarding this issue?
In the fork for our company I've managed to get the real IP in the DB.
lib/postal/tracking_middleware.rb
Line 15: change Rack::Request.new(env) to ActionDispatch::Request.new(env)
Line 89 & 90: change request.ip to request.remote_ip
lib\postal\message_db\message.rb
Line 456 & 457: change request.ip to request.remote_ip
config/environments/production.rb
Above the end statement add config.action_dispatch.trusted_proxies = ["XXX.XXX.XXX.XXX"] where you change the XX with your proxy IP. I don't know if this is necessary. I'm not a Ruby developer but it works.
Make sure your proxy is setting the X-Forwarded-For header!
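What a trusted-proxy list buys you when resolving the client address, shown as an added example (not Postal's code and not the fix in the linked commit). The function names are hypothetical, and the 172.18.0.0/16 proxy range is an assumption based on the 172.18.0.2 address in the log line above; all other addresses are constructed.

```ruby
require "ipaddr"

# Assumption: the reverse proxy lives on the Docker bridge network.
TRUSTED_PROXIES = [IPAddr.new("172.18.0.0/16"), IPAddr.new("127.0.0.1/32")].freeze

# Parse an address, returning nil for anything that is not a valid IP.
def parse_ip(text)
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(text, trusted = TRUSTED_PROXIES)
  addr = parse_ip(text)
  !addr.nil? && trusted.any? { |net| net.include?(addr) }
end

# Resolve the client address from the TCP peer (REMOTE_ADDR) and the
# X-Forwarded-For header value.
def client_ip(remote_addr, forwarded_for, trusted = TRUSTED_PROXIES)
  # A peer that is not one of our proxies controls the header itself,
  # so the header is ignored and the peer address is recorded.
  return remote_addr unless trusted_proxy?(remote_addr, trusted)

  hops = forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?)
  # Each proxy appends the peer it saw, so the rightmost entries are the
  # ones our own proxies wrote. Walk right to left and stop at the first
  # hop that is not a trusted proxy; anything left of it is unverified.
  hops.reverse_each do |hop|
    return remote_addr if parse_ip(hop).nil? # malformed entry: fall back
    return hop unless trusted_proxy?(hop, trusted)
  end
  remote_addr # header absent or contained only trusted proxies
end

if __FILE__ == $PROGRAM_NAME
  # Constructed requests: [REMOTE_ADDR, X-Forwarded-For]
  [["172.18.0.2", "203.0.113.7"],
   ["172.18.0.2", "10.0.0.1, 198.51.100.23"], # client pre-filled the header
   ["198.51.100.23", "1.2.3.4"]].each do |peer, xff|
    puts "#{peer} | #{xff} -> #{client_ip(peer, xff)}"
  end
end
```

Taking the leftmost X-Forwarded-For entry instead would record 10.0.0.1 for the second request, a value the client chose itself.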
The main project seems dead, with many bugs. Maybe it is better if someone consolidates every existing fix in a fork to maintain :(
Fixed in https://github.com/postalserver/postal/commit/3785c998513c634d225b489ccb43e926ce3f270a