[BUG] Uses docker network instead of real network for Whitelist #134
Comments
I don't personally use Docker swarm so I am not quite sure about your issue here. But Zoraxy's whitelist check uses the priority X-Real-IP > X-Forwarded-For > Remote Address, and you didn't include the client request (the headers the client sent to Zoraxy) so I can't tell which field Zoraxy used to determine your client IP. And for the outgoing request (Zoraxy -> your web server), this is how the X-Forwarded-For header is being added.

```go
func addXForwardedForHeader(req *http.Request) {
	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
		// If we aren't the first proxy retain prior
		// X-Forwarded-For information as a comma+space
		// separated list and fold multiple headers into one.
		if prior, ok := req.Header["X-Forwarded-For"]; ok {
			clientIP = strings.Join(prior, ", ") + ", " + clientIP
		}
		req.Header.Set("X-Forwarded-For", clientIP)
		if req.TLS != nil {
			req.Header.Set("X-Forwarded-Proto", "https")
		} else {
			req.Header.Set("X-Forwarded-Proto", "http")
		}
		if req.Header.Get("X-Real-Ip") == "" {
			//Check if CF-Connecting-IP header exists
			CF_Connecting_IP := req.Header.Get("CF-Connecting-IP")
			if CF_Connecting_IP != "" {
				//Use CF Connecting IP
				req.Header.Set("X-Real-Ip", CF_Connecting_IP)
			} else {
				// Not exists. Fill it in with first entry in X-Forwarded-For
				ips := strings.Split(clientIP, ",")
				if len(ips) > 0 {
					req.Header.Set("X-Real-Ip", strings.TrimSpace(ips[0]))
				}
			}
		}
	}
}
```

It means that if the X-Forwarded-For is not empty, you will see something like

So given your two screenshots, I guess the problem should be either that the docker container is not forwarding the request origin IP in the correct header field, or that Zoraxy's IP extraction logic in the private IP range has some small issues. I guess you might need to provide more info regarding your request headers (before it reaches Zoraxy and after it passes through) in order for me to check what might be the issue here. Btw, this PHP script might help :)
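The resolution order described in the comment above (X-Real-IP, then the first X-Forwarded-For entry, then the TCP peer address), applied to a subnet whitelist, as an added example that is not Zoraxy's code. The trusted-proxy guard is this example's own addition: forwarded headers are only honoured when the TCP peer sits inside a configured proxy subnet, because otherwise any client can set X-Real-IP itself and walk past the whitelist. The subnets and addresses (192.168.1.0/24 for clients, 10.0.0.0/24 for the overlay network, 10.0.0.8 for the proxy) are constructed for the demo to match the addresses in this thread.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// resolveClientIP follows the priority the maintainer describes:
// X-Real-IP, then the first entry of X-Forwarded-For, then RemoteAddr.
// trustedProxies is this example's addition (assumption, not Zoraxy's
// logic): forwarded headers are only believed when the TCP peer is a
// proxy we control, otherwise a direct client could spoof them.
func resolveClientIP(r *http.Request, trustedProxies []*net.IPNet) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer != nil && inAny(peer, trustedProxies) {
		if v := strings.TrimSpace(r.Header.Get("X-Real-Ip")); v != "" {
			if ip := net.ParseIP(v); ip != nil {
				return ip
			}
		}
		if v := r.Header.Get("X-Forwarded-For"); v != "" {
			first := strings.TrimSpace(strings.Split(v, ",")[0])
			if ip := net.ParseIP(first); ip != nil {
				return ip
			}
		}
	}
	return peer
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// whitelistAllows reports whether the resolved client IP is inside one of
// the whitelisted subnets.
func whitelistAllows(r *http.Request, whitelist, trustedProxies []*net.IPNet) bool {
	ip := resolveClientIP(r, trustedProxies)
	return ip != nil && inAny(ip, whitelist)
}

// newRequest builds a constructed inbound request with the given peer
// address and headers, standing in for what the listener would see.
func newRequest(remoteAddr string, headers map[string]string) *http.Request {
	req, _ := http.NewRequest("GET", "http://app.example.internal/", nil)
	req.RemoteAddr = remoteAddr
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	return req
}

func main() {
	whitelist := mustCIDRs("192.168.1.0/24")
	trusted := mustCIDRs("10.0.0.0/24") // the overlay subnet the upstream proxy lives in

	// Case 1: the request arrives over the overlay network with no forwarded
	// headers; all the listener can see is the overlay address 10.0.0.8.
	r1 := newRequest("10.0.0.8:51234", nil)
	fmt.Println(resolveClientIP(r1, trusted), whitelistAllows(r1, whitelist, trusted))

	// Case 2: the upstream proxy forwards the origin address in X-Real-IP.
	r2 := newRequest("10.0.0.8:51234", map[string]string{"X-Real-IP": "192.168.1.50"})
	fmt.Println(resolveClientIP(r2, trusted), whitelistAllows(r2, whitelist, trusted))

	// Case 3: a peer outside the trusted range tries to spoof X-Real-IP;
	// the header is ignored and the whitelist is evaluated on the peer address.
	r3 := newRequest("203.0.113.7:4000", map[string]string{"X-Real-IP": "192.168.1.50"})
	fmt.Println(resolveClientIP(r3, trusted), whitelistAllows(r3, whitelist, trusted))
}
```

Case 1 is the situation reported in this issue: with no forwarded header from the overlay hop, the peer address is the only information available, so 10.0.0.8 is what gets checked against the whitelist. Case 3 is the reason the trust guard matters once headers are honoured at all.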
Hello and thank you for the quick reply. Interestingly enough, after flushing some cache and the DNS cache on my DNS server (AdGuard), the X-Real-IP now shows the docker network IP instead. Here is an output of your debug script.
After some digging it seems it is because of the overlay network in docker swarm. But it can also be solved by using the "send-proxy" directive in haproxy, which basically forwards zoraxy the headers to use, but it requires zoraxy to trust reverse proxy headers from haproxy, which it seems it does not do at the moment, as when I enable send-proxy in haproxy Zoraxy refuses the traffic.
Setting zoraxy to use the host network is working. It is not an elegant solution, but it is a workaround. I really liked having zoraxy inside the overlay network as it is intended to be with swarm, but then it requires Zoraxy to trust proxy headers from Haproxy.
@eirsik I am not sure what you mean by

Given that in your first debug.php output, we can see the following.

Then it is expected behavior for Zoraxy to use 10.0.0.8 as the access checking IP address. To fix your issue, either
@eirsik any updates regarding this bug report? Or can you validate that this is actually a bug in Zoraxy?
Hello. What I mean is that HAProxy can use the PROXY protocol to keep the origin IP regardless of the network setup. But it requires that the receiver accepts and supports it, which it seems that Zoraxy does not. I really want to use Zoraxy as it looks really cool and I love everything about it, but I have reverted back to Nginx where everything works by just adding one option to the configuration: https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/ Once Zoraxy supports the PROXY protocol, I will return :)
@eirsik Ok, so it sounds like you are reporting a bug in a feature that Zoraxy does not support. I guess it would be better to change this to an enhancement (feature) request for PROXY PROTOCOL support instead.
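What haproxy's "send-proxy" actually puts on the wire, and why a listener that does not expect it rejects the connection, as an added example that is neither Zoraxy's nor HAProxy's code: a parser for the PROXY protocol v1 line that recovers the origin address and leaves the reader at the first byte of the HTTP request, next to what a plain HTTP listener would read as its request line from the same stream. The sample stream (a client at 192.168.1.50 reaching a backend at 10.0.0.8:443) is constructed for the demo.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ProxyHeader holds the addresses carried by a PROXY protocol v1 line.
type ProxyHeader struct {
	Proto   string // "TCP4", "TCP6" or "UNKNOWN"
	SrcIP   net.IP
	DstIP   net.IP
	SrcPort int
	DstPort int
}

var errNoHeader = errors.New("no PROXY v1 header")

// readProxyV1 consumes a PROXY protocol v1 line from the very start of a
// connection and leaves the reader at the first byte of application data.
// It returns errNoHeader when the stream does not begin with "PROXY ", so a
// listener can fall back to treating the bytes as plain HTTP.
func readProxyV1(br *bufio.Reader) (*ProxyHeader, error) {
	prefix, err := br.Peek(6)
	if err != nil || string(prefix) != "PROXY " {
		return nil, errNoHeader
	}
	// The spec caps a v1 line at 107 bytes including the trailing CRLF.
	line, err := br.ReadString('\n')
	if err != nil || len(line) > 107 || !strings.HasSuffix(line, "\r\n") {
		return nil, errors.New("malformed PROXY v1 line")
	}
	fields := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	hdr := &ProxyHeader{Proto: fields[1]}
	switch hdr.Proto {
	case "UNKNOWN":
		// The sender could not determine the origin; caller uses RemoteAddr.
		return hdr, nil
	case "TCP4", "TCP6":
		if len(fields) != 6 {
			return nil, errors.New("wrong field count in PROXY v1 line")
		}
	default:
		return nil, fmt.Errorf("unsupported PROXY protocol family %q", hdr.Proto)
	}
	hdr.SrcIP, hdr.DstIP = net.ParseIP(fields[2]), net.ParseIP(fields[3])
	if hdr.SrcIP == nil || hdr.DstIP == nil {
		return nil, errors.New("bad address in PROXY v1 line")
	}
	if hdr.Proto == "TCP4" && (hdr.SrcIP.To4() == nil || hdr.DstIP.To4() == nil) {
		return nil, errors.New("TCP4 header carries a non-IPv4 address")
	}
	if hdr.SrcPort, err = parsePort(fields[4]); err != nil {
		return nil, err
	}
	if hdr.DstPort, err = parsePort(fields[5]); err != nil {
		return nil, err
	}
	return hdr, nil
}

func parsePort(s string) (int, error) {
	p, err := strconv.Atoi(s)
	if err != nil || p < 0 || p > 65535 {
		return 0, fmt.Errorf("bad port %q", s)
	}
	return p, nil
}

// firstLine reads one line the way an HTTP parser would read the request
// line; on a stream that starts with a PROXY header it returns that header.
func firstLine(br *bufio.Reader) string {
	line, _ := br.ReadString('\n')
	return strings.TrimRight(line, "\r\n")
}

// sampleStream is constructed: the bytes a send-proxy frontend emits ahead of
// a plain HTTP request from 192.168.1.50 to a backend on 10.0.0.8:443.
const sampleStream = "PROXY TCP4 192.168.1.50 10.0.0.8 56324 443\r\n" +
	"GET / HTTP/1.1\r\nHost: app.example.internal\r\n\r\n"

func main() {
	// A listener without PROXY protocol support sees the header as its
	// request line, which is not a valid HTTP request.
	naive := bufio.NewReader(strings.NewReader(sampleStream))
	fmt.Printf("naive listener reads request line %q\n", firstLine(naive))

	// A listener with support recovers the origin, then parses HTTP normally.
	br := bufio.NewReader(strings.NewReader(sampleStream))
	hdr, err := readProxyV1(br)
	if err != nil {
		panic(err)
	}
	fmt.Printf("origin %s:%d -> %s:%d, request line %q\n",
		hdr.SrcIP, hdr.SrcPort, hdr.DstIP, hdr.DstPort, firstLine(br))
}
```

The header is only as trustworthy as the peer that sent it, so a listener that accepts it should do so only on connections from the proxy it expects, the same trust question raised above for X-Real-IP.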
Describe the bug
When using the whitelist to allow only specific local networks, zoraxy seems to interpret the traffic as coming from the docker swarm network instead of the actual local network.
Setting up zoraxy in docker swarm and enabling the whitelist for the client subnet (192.168.*.*) does not work, as Zoraxy sees the traffic as if it's coming from the docker network (10.0.*.*). So I have to use 10.0.*.* in the whitelist to allow local clients to access, but this allows everyone on the local network to access the resource and not just one specific local network.
https://img.sikkylab.me/image/msedge-casfdrbxzk.vOJo
Expected behavior
Zoraxy should see that the requests come from the actual client. X-Real-IP works fine and the real visitor IP is forwarded to the end resource as seen here: https://img.sikkylab.me/image/msedge-6nitrrqey4.vFxN
So as the end resource can see the real IP of the client, zoraxy should too.
Blocking public access works just fine as expected. It is just the local ACL that's not working as expected.