web_php.log + Fail2Ban + reverse proxy

[jijcob]

Hi all,

Here is the http flow for my Zoneminder setup:

client --> haproxy --> apache --> zoneminder

Everything works great, however when looking in web_php.log (via fail2ban) -- there is this problem:

09/03/21 09:28:11.764780 web_php[453].ERR [127.0.0.1] [Could not retrieve user zzdfiuy details] at /usr/share/zoneminder/www/includes/auth.php line 313

In my Apache logs, I've been able to successfully add the X-Forwarded-For header containing the real IP address of the client there. I've looked around quite a bit on the topic, but I've not found a solution. Is there a way to replace the "127.0.0.1" in the web_php.log that shows up behind a reverse proxy with the X-Forwarded-For header?

Thanks in advance

[jijcob]

Hi all,

I was able to find a solution (of sorts) -- in includes/logger.php, I replaced REMOTE_ADDR with HTTP_X_FORWARDED_FOR in these two places:

Code: Select all

$this->hasTerm = (php_sapi_name() == 'cli' && empty($_SERVER['HTTP_X_FORWARDED_FOR']));

and

Code: Select all

 $this->id, getmypid(), $code, $_SERVER['HTTP_X_FORWARDED_FOR'], $string);

I'm running 1.36.5-1 at the moment, and I realize this is not a long-term fix, but it does result in the actual client IP showing up in the web_php.log:

Code: Select all

09/03/21 09:28:11.764780 web_php[453].ERR [8.8.8.8] [Could not retrieve user zzdfiuy details] at /usr/share/zoneminder/www/includes/auth.php line 313

Assuming no objection, I'll look to file this as an issue on the Github repo. Unfortunately, I don't know enough about PHP to 'properly' change this, nor about underlying Zoneminder architecture to do a proper pull request.

Hope this helps someone in the meantime...

[kitkat]

You should be able to use mod_remoteip (Apache 2.4.6 and later) or mod_rpaf which read the X_FOWARDED_FOR header and set REMOTE_ADDR correctly.

I use mod_rpaf on a few PHP-based sites hosted behind reverse proxies and they all see the correct remote address.

[jijcob]

Ah, very nice! Didn't even think this angle.

Thank you!

[manuroma]

sorry for my post, I'm trying to log in via reverse proxy but with poor results, I also have haproxy and pfsense and on ha proxy I already have a service that works, only with zm I can't get it to work, I would like to use https up to the reverse proxy which runs the call on zm's http

[BlueH2O]

I use mod_rpaf on a few PHP-based sites hosted behind reverse proxies and they all see the correct remote address.

Could you tell me how you set this up? I have this module installed and set RPAF_ProxyIPs with the IP address of the proxy, but still only the proxy is being logged and not the X-Forwarded-For address.

[kitkat]

I use mod_rpaf on a few PHP-based sites hosted behind reverse proxies and they all see the correct remote address.

Could you tell me how you set this up? I have this module installed and set RPAF_ProxyIPs with the IP address of the proxy, but still only the proxy is being logged and not the X-Forwarded-For address.

This is the contents of one of my /etc/httpd/conf.d/mod_rpaf.conf files:

Code: Select all

LoadModule              rpaf_module modules/mod_rpaf.so
RPAF_Enable             On
RPAF_ProxyIPs           127.0.0.1 10.201.21.0/24 12.34.56.78 123.45.67.89
RPAF_SetHostName        On
RPAF_SetHTTPS           On
RPAF_SetPort            On
RPAF_ForbidIfNotProxy   On

I didn't have to set 'RPAF_Header X-Forwarded-For' but I guess it may help if you haven't done so.

[BlueH2O]

Interesting, the option names are not quite the same in my version, plus there is this:
This module should be considered as deprecated after Jessie.

[kitkat]

Interesting, the option names are not quite the same in my version, plus there is this:
This module should be considered as deprecated after Jessie.

There are a few versions of mod_rpaf floating around - This is the one I'm using: https://github.com/gnif/mod_rpaf

And yeah, it's very old and deprecated (by mod_remoteip?) but I'm using it on out-of-date CentOS 6.1 machines and it's about the only option out there.

[BlueH2O]

And yeah, it's very old and deprecated (by mod_remoteip?) but I'm using it on out-of-date CentOS 6.1 machines and it's about the only option out there.

Yes by mod_remoteip.I'm using Debian bullseye.

[BlueH2O]

Well.. I've tried rpaf (did nothing) remoteip (did nothing) and changing the log format string for apache (works for apache but not web_php.log)
Still all I can get in the web_php.log is the proxy IP. I don't have huge amounts of time to put in to this so I'll have to shelve it for a while.