Description
What version of Gophish are you using?: 0.11
I have gophish running behind a proxy with requests being forwarded to it. This results in web log output like:
time="2020-10-09T16:09:38Z" level=info msg="127.0.0.1 - - [09/Oct/2020:16:09:38 +0000] \"GET / HTTP/1.1\" 200 1872 \"\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\""
As you see I'm getting a client IP of 127.0.0.1, since the actual connection hitting gophish comes from the proxy running on the same box.
In order to get the real client IP I tried overwriting the Host: header within my proxy, replacing it with the originating IP, but this doesn't seem to help.
Below is what hits the gophish admin server. As you can see, I've supplied my real public IP in three headers (Host, X-Forwarded-For, and X-Real-Ip):
GET / HTTP/1.1
Host: <my_public_IP>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: _gorilla_csrf=MTYw___etc; gophish=MTYw__etc
Dnt: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: <my_public_IP>
X-Real-Ip: <my_public_IP>
In order to debug this I'm trying to find where in the gophish code the above connection log requests originate - but my grep fu is weak. Perhaps you know off hand @jordan-wright or someone else?
Thanks!
jordan-wright commented on Oct 11, 2020
The connection log is generated using the handlers.CombinedLoggingHandler library function as can be seen here. You're right that this currently doesn't respect X-Forwarded-For headers. I think an easy way to update this would be to wrap the handler CombinedLoggingHandler receives in a call to handlers.ProxyHeaders. Something like this:
Note that this would need to be done in both admin.go and phish.go (for now until I finally get around to pushing out my refactoring that combines some of this stuff!)
jordan-wright commented on Oct 11, 2020
I had some time so I went ahead and knocked it out. Let me know if that works for you!
glennzw commented on Oct 11, 2020
Hi @jordan-wright, thanks for the help!
This almost works, I'm getting the real IP, but as an unwanted bonus a 500 internal server error too:
jordan-wright commented on Oct 11, 2020
glennzw commented on Oct 11, 2020
No worries at all! I'm also debugging on my side. Trying to replicate the error with some curl commands.
glennzw commented on Oct 11, 2020
This seems to cause the crash:
gophish console:
Tested on remote Ubuntu server as well as local Mac.
glennzw commented on Oct 11, 2020
Adding a port seems to result in no crash:
curl -i -H "X-Real-Ip: 1.2.3.167:1234" http://localhost:3333/login
jordan-wright commented on Oct 11, 2020
jordan-wright commented on Oct 11, 2020
Ok, should be fixed with 2315412. The ratelimiter was getting upset that the IP didn't have a port, so I just removed that check to handle things more gracefully.
Feel free to reopen if you still don't see this fixing the bug. Sorry again for the hassle!
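Added example (not from the thread and not Gophish's code), in stdlib-only Go: a hypothetical clientIP helper that accepts a forwarded address with or without a port, the case the rate limiter tripped on, and honours X-Real-Ip / X-Forwarded-For only when the direct peer is the loopback proxy. The helper names, the loopback-only trust rule and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostOnly strips an optional port. net.SplitHostPort returns an error for a
// bare IP such as "1.2.3.167", so fall back to the raw value in that case.
func hostOnly(addr string) string {
	addr = strings.TrimSpace(addr)
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return strings.Trim(addr, "[]")
}

// clientIP (hypothetical) returns the address to log or rate-limit on. Forwarding
// headers count only when the direct peer is loopback, i.e. the local proxy.
func clientIP(r *http.Request) string {
	peer := hostOnly(r.RemoteAddr)
	if ip := net.ParseIP(peer); ip == nil || !ip.IsLoopback() {
		return peer // any other peer could have forged the headers
	}
	for _, name := range []string{"X-Real-Ip", "X-Forwarded-For"} {
		parts := strings.Split(r.Header.Get(name), ",")
		// The last entry is the one appended by the nearest proxy.
		if ip := net.ParseIP(hostOnly(parts[len(parts)-1])); ip != nil {
			return ip.String()
		}
	}
	return peer
}

// newReq builds a constructed sample request with the given peer and header.
func newReq(remote, header, value string) *http.Request {
	r := httptest.NewRequest("GET", "/login", nil)
	r.RemoteAddr = remote
	r.Header.Set(header, value)
	return r
}

func main() {
	fmt.Println(clientIP(newReq("127.0.0.1:50000", "X-Real-Ip", "1.2.3.167")))
	fmt.Println(clientIP(newReq("203.0.113.9:4444", "X-Forwarded-For", "10.0.0.1")))
}
```

A request that reaches the listener directly, bypassing the proxy, keeps its own peer address here no matter which forwarding headers it sends.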