
Trying to get real client IP behind proxy #1999

Closed
@glennzw

Description

What version of Gophish are you using?: 0.11

I have gophish running behind a proxy with requests being forwarded to it. This results in web log output like:

```
time="2020-10-09T16:09:38Z" level=info msg="127.0.0.1 - - [09/Oct/2020:16:09:38 +0000] \"GET / HTTP/1.1\" 200 1872 \"\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\""
```

As you see I'm getting a client IP of 127.0.0.1, since the actual connection hitting gophish comes from the proxy running on the same box.

In order to get the real client IP I tried overwriting the Host: header within my proxy replacing it with the originating IP, but this doesn't seem to help.

Below is what hits the gophish admin server, as you can see I've supplied my real public IP in three headers (Host, X-Forwarded-For, and X-Real-Ip):

```
GET / HTTP/1.1
Host: <my_public_IP>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: _gorilla_csrf=MTYw___etc; gophish=MTYw__etc
Dnt: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: <my_public_IP>
X-Real-Ip: <my_public_IP>
```

In order to debug this I'm trying to find where in the gophish code the above connection log requests originate - but my grep fu is weak. Perhaps you know off hand @jordan-wright or someone else?

Thanks!

Activity

jordan-wright (Collaborator) commented on Oct 11, 2020

The connection log is generated using the handlers.CombinedLoggingHandler library function as can be seen here.

You're right that this currently doesn't respect X-Forwarded-For headers. I think an easy way to update this would be to wrap the handler CombinedLoggingHandler receives in a call to handlers.ProxyHeaders. Something like this:

```go
...
adminHandler = gzipWrapper(adminHandler)

// Respect X-Forwarded-For and X-Real-IP headers in case we're behind a
// reverse proxy.
adminHandler = handlers.ProxyHeaders(adminHandler)

// Setup logging
adminHandler = handlers.CombinedLoggingHandler(log.Writer(), adminHandler)
...
```

Note that this would need to be done in both admin.go and phish.go (for now until I finally get around to pushing out my refactoring that combines some of this stuff!)

jordan-wright (Collaborator) commented on Oct 11, 2020

I had some time so I went ahead and knocked it out. Let me know if that works for you!

glennzw (Collaborator, Author) commented on Oct 11, 2020

Hi @jordan-wright, thanks for the help!

This almost works, I'm getting the real IP, but as an unwanted bonus a 500 internal server error too:

```
time="2020-10-11T19:31:51Z" level=info msg="x.x.x.167 - - [11/Oct/2020:19:31:51 +0000] \"GET / HTTP/1.1\" 307 51 \"\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36\""
time="2020-10-11T19:31:51Z" level=error msg="Unable to determine client IP address: address x.x.x.167: missing port in address"
```

jordan-wright (Collaborator) commented on Oct 11, 2020

glennzw (Collaborator, Author) commented on Oct 11, 2020

No worries at all! I'm also debugging on my side. Trying to replicate the error with some curl commands.

glennzw (Collaborator, Author) commented on Oct 11, 2020

This seems to cause the crash:

```
curl -i -H "X-Real-Ip: 1.2.3.167" http://localhost:3333/login
```

```
HTTP/1.1 500 Internal Server Error
Content-Security-Policy: frame-ancestors 'none';
Content-Type: text/plain; charset=utf-8
Set-Cookie: _gorilla_csrf=x-JxXsQ6AB3iWZwXpAlr; Expires=Mon, 12 Oct 2020 08:28:15 GMT; Max-Age=43200; HttpOnly; SameSite
Vary: Accept-Encoding
Vary: Cookie
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Date: Sun, 11 Oct 2020 20:28:15 GMT
Content-Length: 22

Internal Server Error
```

gophish console:

```
time="2020-10-11T20:30:18Z" level=error msg="Unable to determine client IP address: address 1.2.3.167: missing port in address"
time="2020-10-11T20:30:18Z" level=info msg="1.2.3.167 - - [11/Oct/2020:20:30:18 +0000] \"GET /login HTTP/1.1\" 500 22 \"\" \"curl/7.58.0\""
```

Tested on remote Ubuntu server as well as local Mac.

glennzw (Collaborator, Author) commented on Oct 11, 2020

Adding a port seems to result in no crash:

```
curl -i -H "X-Real-Ip: 1.2.3.167:1234" http://localhost:3333/login
```

jordan-wright (Collaborator) commented on Oct 11, 2020

jordan-wright (Collaborator) commented on Oct 11, 2020

Ok, should be fixed with 2315412. The ratelimiter was getting upset that the IP didn't have a port, so I just removed that check to handle things more gracefully.

Feel free to reopen if you still don't see this fixing the bug. Sorry again for the hassle!
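
The two points this thread turns on, as an added example that is not Gophish's or gorilla/handlers' code: once a proxy-header middleware rewrites `r.RemoteAddr`, the value may have no port, so downstream code that calls `net.SplitHostPort` on it fails; and forwarding headers are client-supplied, so they should only be honoured when the direct peer is the reverse proxy. The names `hostOnly`, `trustedProxyHeaders` and `seenIP` are hypothetical, the middleware is a standard-library stand-in for the role `handlers.ProxyHeaders` plays, and it assumes the proxy runs on loopback as in this issue.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostOnly returns the host of addr with or without a port ("1.2.3.167" alone fails SplitHostPort).
func hostOnly(addr string) string {
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return strings.Trim(addr, "[]")
}

// trustedProxyHeaders (hypothetical) honours forwarding headers only from a loopback peer.
func trustedProxyHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if peer := net.ParseIP(hostOnly(r.RemoteAddr)); peer != nil && peer.IsLoopback() {
			parts := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
			fwd := strings.TrimSpace(parts[len(parts)-1]) // entry added by the nearest proxy
			if fwd == "" {
				fwd = strings.TrimSpace(r.Header.Get("X-Real-Ip"))
			}
			if net.ParseIP(hostOnly(fwd)) != nil { // ignore empty or malformed values
				r.RemoteAddr = fwd
			}
		}
		next.ServeHTTP(w, r)
	})
}

// seenIP sends one constructed request through the middleware and returns the IP a logger or rate limiter would derive.
func seenIP(peerAddr, xRealIP string) (got string) {
	h := trustedProxyHeaders(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		got = hostOnly(r.RemoteAddr)
	}))
	req := httptest.NewRequest("GET", "/login", nil)
	req.RemoteAddr = peerAddr // constructed peer address
	req.Header.Set("X-Real-Ip", xRealIP)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return got
}

func main() {
	fmt.Println(seenIP("127.0.0.1:40000", "1.2.3.167"), seenIP("203.0.113.9:40000", "1.2.3.167"))
}
```

The first call models the request arriving via the local proxy, the second a client connecting directly and supplying the header itself, in which case the socket address is kept.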
