Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

getRemoteAddress: Remove optional port number #18861

Closed
wants to merge 1 commit into from
Closed

getRemoteAddress: Remove optional port number #18861

wants to merge 1 commit into from

Conversation

tsparber
Copy link

The HTTP_X_FORWARED_FOR header might contain the IP address and the port number, when used via an IIS proxy.
See https://serverfault.com/a/757994
As our setup requires the use of IIS as an incoming SSL proxy, this change allows the remote IP to be correctly detected.
In my opinion, as the port number is allowed according to the linked RFCs, NC should handle this case.

kesselb
kesselb reviewed Jan 13, 2020
View reviewed changes
lib/private/AppFramework/Http/Request.php
@@ -659,6 +659,8 @@ public function getRemoteAddress(): string {
if(isset($this->server[$header])) {
foreach(explode(',', $this->server[$header]) as $IP) {
$IP = trim($IP);
// Use IP only, remove the optional port (see RFC 7239, Section 5.3 and RFC 7230, Section 5.4)
$IP = explode(':', $IP)[0];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that will fail for ipv6.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I've currently no system to test IPv6.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to https://tools.ietf.org/html/rfc5952#section-6 there are multiple formats, I'm not sure which variant is used by IIS. Is there any helper to check if the IP is an IPv6?

Copy link
Contributor

@go2sh go2sh Jan 13, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A regex would be possible, but if you take all possibilities into account it might get slow.

Copy link
Contributor

@kesselb kesselb Jan 14, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any helper to check if the IP is an IPv6?

filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) will return false if $ip is not a ip v6. But there are some pitfalls: https://3v4l.org/ZG7qa

@gary-kim gary-kim added 3. to review Waiting for reviews bug enhancement and removed bug labels Jan 13, 2020
@gary-kim gary-kim added this to the Nextcloud 19 milestone Jan 13, 2020
@tsparber
getRemoteAddress: Remove optional port number
5f83dea 
The `HTTP_X_FORWARED_FOR` header might contain the IP address and the port number, when used via an IIS proxy.
See https://serverfault.com/a/757994
As our setup requires the use of IIS as an incoming SSL proxy, this change allows the remote IP to be correctly detected.
In my opinion, as the port number is allowed according to the linked RFCs, NC should handle this case.

Signed-off-by: Tommy Sparber <tommy@sparber.net>
@tsparber
Copy link
Author

I've fixed the issue for now on the IIS config, by rewriting the HTTP Header in der ARR / URL Rewrite Settings.
<set name="HTTP_X_FORWARDED_FOR" value="{REMOTE_ADDR}" />

Should I close this PR or should we still try to find a solution for IPv4/IPv6 ?

This was referenced Apr 4, 2020
Merged
Merged
@ChristophWurst ChristophWurst added 2. developing Work in progress and removed 3. to review Waiting for reviews labels Apr 15, 2020
@MorrisJobke MorrisJobke mentioned this pull request Aug 11, 2020
Merged
57 tasks
@MorrisJobke
Copy link
Member

Should I close this PR or should we still try to find a solution for IPv4/IPv6 ?

Thanks for your effort here, but I guess we will just close it. Also no other people have showed up to help with at least feedback if it works in their scenario. Also there seems to be a way to configure IIS in a way that it works with Nextcloud.

Sorry that this took so long and we didn't gave feedback on this PR.

@MorrisJobke MorrisJobke removed this from the Nextcloud 20 milestone Aug 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kesselb kesselb kesselb left review comments

@go2sh go2sh go2sh left review comments

Assignees
No one assigned
Labels
2. developing Work in progress enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@tsparber @MorrisJobke @go2sh @kesselb @ChristophWurst @gary-kim