
[EP-tech] Finding remote IP

Hi Matt,
I think this discussion: https://github.com/eprints/eprints/issues/214 may be useful.
This was around Apache 2.2 / 2.4 changes, but relevant to your question.

The $repo->remote_ip will deal with X-Forwarded-For headers, and presents the client IP.
IMO, this is OK for logging requests.

For use in security.pl, you need to work out where your trust ends.
e.g. if you are presented with a chain of 4 IP addresses in an X-Forwarded-For header, you may only want to trust those that you are in control of.
Anything beyond a proxy that you (or your institution) are in control of could be spoofing information.

Let me know if that helps, or if you want more details.


From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Matthew Brady via Eprints-tech
Sent: 13 July 2022 01:55
To: eprints-tech at ecs.soton.ac.uk
Subject: [EP-tech] Finding remote IP

Hi All,

In the 3.3.16 codebase we use, there is a section within the security.pl file, to allow decisions to be made based on where the request comes from, which has been in place for 10+ years:

my $ip = $r->connection()->remote_ip();

Changes within our systems space (proxies, load balancers et al.), now see this call returning the wrong IP. Not getting the actual requester machine IP, but an intermediary.
The curious thing is, the Apache access logs, and the details stored via LogHandler.pm (details stored in db access table), have the correct IP.
It uses the following two lines to get the IP:

my $doc = $r->pnotes( "document" );
my $ip = $doc->repository->remote_ip;

Just wondering if anyone with understanding of the Perl magic that's going on, can foresee problems using the LogHandler code within the security.pl.
Testing so far shows it produces the correct results for whitelisting etc, within the security.pl logic.
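
The "where your trust ends" point in the reply above, as an added example that is not part of the original thread and is not EPrints code: walk the X-Forwarded-For chain from right to left, starting at the TCP peer, and stop at the first address that is not one of your own proxies. The trusted ranges, sample addresses and function names are constructed assumptions, and the sketch handles IPv4 only.

```perl
#!/usr/bin/perl
use 5.010;
use strict;
use warnings;

# Assumption: the proxies / load balancers you operate (constructed ranges).
my @TRUSTED_PROXIES = ( '10.0.0.0/8', '192.0.2.10/32' );

# Strict dotted-quad IPv4 -> integer; returns undef for anything else.
sub ip_to_int {
    my ($ip) = @_;
    return unless defined $ip
        && $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    return if grep { $_ > 255 } $1, $2, $3, $4;
    return ( $1 << 24 ) | ( $2 << 16 ) | ( $3 << 8 ) | $4;
}

# True only if the address parses and falls inside a trusted proxy range.
sub is_trusted {
    my $n = ip_to_int( $_[0] );
    return 0 unless defined $n;
    for my $cidr (@TRUSTED_PROXIES) {
        my ( $net, $bits ) = split m{/}, $cidr;
        my $mask = $bits ? ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF : 0;
        return 1 if ( $n & $mask ) == ( ip_to_int($net) & $mask );
    }
    return 0;
}

# $peer: address of the TCP connection; $xff: raw X-Forwarded-For (may be undef).
# Returns the address to base access decisions on, or undef if the chain is
# malformed (caller should treat undef as "not allowlisted").
sub client_ip {
    my ( $peer, $xff ) = @_;
    ( my $hdr = $xff // '' ) =~ s/\A\s+|\s+\z//g;
    my @chain = grep { length } split /\s*,\s*/, $hdr;
    my $candidate = $peer;
    # An entry is believed only if the hop that reported it is one of ours.
    while ( is_trusted($candidate) && @chain ) {
        $candidate = pop @chain;
        return unless defined ip_to_int($candidate);
    }
    return $candidate;
}

# Constructed cases: a 4-entry chain via our proxies, then a direct client
# that sends its own X-Forwarded-For claiming an internal address.
for my $case (
    [ '10.0.0.5',     '198.51.100.77, 203.0.113.9, 192.0.2.10, 10.0.0.7' ],
    [ '203.0.113.50', '10.1.2.3' ],
) {
    printf "%-13s XFF=[%s] -> %s\n", @$case, client_ip(@$case) // 'reject';
}
```

In the first case the leftmost entry is ignored because it was reported by a host outside the trusted ranges; in the second the header is ignored entirely because the peer itself is not a trusted proxy.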


