[HELP] Show the correct public IP
What happened? Zoraxy does not forward the public IP to the back servers.
Describe what have you tried All sorts of things with the X-Header and other settings.
Describe the networking setup you are using
- Internet provider is: Deutsche Telekom with public ipv4
- As a firewall I use a Sophos XGS 136w
- Are you using Cloudflare? NO
- Are your system hosted under a NAT router? [e.g. yes, with subnet is e.g. 192.168.0.0/24 and include port forwarding config if any] YES
Additional context When I log in to a service behind zoraxy, the zoraxy IP is always displayed and not the public IP. My structure is as follows:
example.com --> Sophos XGS --> Zoraxy --> Server
My public IP is: 123.321.123.321 but in the log of my server always the IP of zoraxy is displayed (192.168.1.218). My Sophos has the: 192.168.1.1.
How do I get the public IP address to display on my server? (in the log)
Here is a log from zoraxy and from my server
@sangandi You can't because in your setup, Zoraxy isn't aware of your public IP address. What it sees is that
- The request is coming from `192.168.1.1` (based on hints from request headers)
- The potential client IP (in Zoraxy there is automatic logic to check and "guess" which IP in the `X-Forwarded-For` passed by downstream is most likely to be the client IP)
Besides, I have no idea why you would need your public ip (I assume you mean the server public IP instead of the client, as the client IP is already written in the log as 80.187.xxx, which will also get forwarded with X-Forwarded-For header). I am thinking it might be an architecture issue instead of an issue related to Zoraxy. Can you explain a bit more what you are trying to achieve here?
I'm actually concerned about safety. If there are too many incorrect login attempts, the IP should be blocked for a certain period of time. Only when I use zoraxy is the IP of zoraxy always blocked and not the IP of the original client.
Here again what exactly I mean.
example.com --> Sophos XGS --> Zoraxy --> Server
37.42.173.221 --> 192.168.1.1 --> 192.168.1.218 --> 192.168.1.200
80.187.80.252 --> 192.168.1.1 --> 192.168.1.218 --> 192.168.1.200
20.220.19.101 --> 192.168.1.1 --> 192.168.1.218 --> 192.168.1.200
My server is now blocking zoraxy's IP after too many failed login attempts. This means no one can log in anymore.
If I don't use zoraxy:
example.com --> Sophos XGS --> Server
37.42.173.221 --> 192.168.1.1 --> 192.168.1.200
80.187.80.252 --> 192.168.1.1 --> 192.168.1.200
20.220.19.101 --> 192.168.1.1 --> 192.168.1.200
Then my server blocks the IP addresses of the customer if there are too many failed login attempts.
@sangandi Ok, you mean the client public IP address instead of the server's. You can get the client IP address in your upstream server from the first value of the X-Forwarded-For header or the X-Real-IP header. If your server is using a non-standard way to get the client IP, you can use the custom header function to overwrite it manually.
See more here https://github.com/tobychui/zoraxy/wiki/Custom-Headers#request-specific-variables
@tobychui Thank you for your quick response. Something like that? Do you have an example for me?
@sangandi The X-Real-IP, if not provided by downstream, will get automatically filled in by Zoraxy. So you do not need to explicitly set it in a custom header.
You need to pick a header that your upstream uses to identify the client public IP address. Since I don't know what server software you are using, you need to figure it out yourself with some trial and error.
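
Added example, not part of the thread and not Zoraxy's own code: one way an upstream server can key failed-login blocking on the client address instead of the proxy address. It assumes Zoraxy at 192.168.1.218 is the only trusted proxy; `client_ip`, `LoginThrottle` and the thresholds are hypothetical names and values. It scans X-Forwarded-For from the right rather than reading the first value, because entries left of the one the proxy added are supplied by the client.

```python
import ipaddress
import time

# Assumption: Zoraxy (192.168.1.218 in the thread) is the only host allowed
# to vouch for a client address; header names are matched exactly as written.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.218")}
MAX_FAILURES = 5       # hypothetical policy values
WINDOW_SECONDS = 600


def client_ip(peer_addr, headers):
    """Return the address that failed-login blocking should be keyed on."""
    peer = ipaddress.ip_address(peer_addr)
    if peer not in TRUSTED_PROXIES:
        return str(peer)  # direct connection: forwarding headers are untrusted
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Rightmost entries were appended by our own proxies; anything further
    # left came from the client, so scan right to left.
    candidates = list(reversed(hops)) + [headers.get("X-Real-IP", "").strip()]
    for value in candidates:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            break  # empty or malformed entry: stop and fall back to the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


class LoginThrottle:
    """In-memory failed-login counter keyed on the resolved client address."""

    def __init__(self):
        self.failures = {}  # ip -> timestamps of recent failures

    def _recent(self, ip, now):
        return [t for t in self.failures.get(ip, []) if now - t < WINDOW_SECONDS]

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self.failures[ip] = self._recent(ip, now) + [now]

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return len(self._recent(ip, now)) >= MAX_FAILURES
```

When the request reaches the server without a usable forwarding header, the function falls back to the peer address, which reproduces the proxy-wide block described in the thread, so the header configuration should be verified before enabling blocking.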