Hi there,
I am using HAProxy as a reverse proxy to a docker container running apache2 and php to serve osTicket. I cannot get the forwardfor option in HAProxy to reflect client IP in osTicket. Currently in all logs I see HAProxy as the client IP.
I have also tried adding the X-Real-IP header but at this point I am just shooting in the dark. Can someone tell me how to get client IP information to feed through properly?
Thanks!
-Bradford
Have you added the proxy to TRUSTED_PROXIES in the Config File (include/ost-config.php)?
Cheers.
Yes, line reads exactly:
define('TRUSTED_PROXIES', '192.168.0.0/24');
The IP address of HAProxy is currently 192.168.0.13 so this should match, right?
Thanks!
Set it to the actual IP address instead of an IP range, restart Apache, and retest.
Cheers .
Set to:
define('TRUSTED_PROXIES', '192.168.0.13');
Same result. I am checking from apache2 access logs, not sure if that matters.
Do you have the X-Forwarded-For header set? If not this is the issue. We use get_client_ip which attempts to grabe the IP from the aforementioned header. If not it defaults to the request IP which is HAProxy’s IP in your case.
Cheers.
In HAProxy frontend i have option forwardfor which should add this header. I don't think I need to add this also to backend, but I had moved the option around to see if that was the issue, it doesn't seem to make a difference. Other applications behind this proxy do have client IP's though, just not this instance of osTicket.
Does Apache2 typically need to be configured to allow this? I did try loading mod_remoteip but unless configuration is required that didn't seem to help either.
Look at the request in the browser and see if it has the X-Forwarded-For header set and ensure it’s set to the correct IP.
Cheers.
Both the proxy and the webserver are in containers so I'll need to find a way to get tpcdump in between. I'll get back to you when I can get you that information.
Thanks for your help so far.
I do have X-Forwarded-For with my client IP address listed in the GET coming from the proxy (192.168.0.13) to the webserver (192.168.0.14).
X-Forwarded-Proto: https\r\n
X-Forwarded-Port: 443\r\n
X-Forwarded-For: 10.18.1.45\n\n
Let me ask you this (should’ve asked at the beginning) where exactly is the IP showing incorrectly?
Cheers.
Well, previously under scp/logs.php but it looks like this is working now...
I did set the TRUSTED_PROXIES back to CIDR range and it's still working as expected. Not sure where the kink was worked out but I appreciate your help.
Dude awesome! I have no idea why or what either. Maybe there was some weird caching going on or something and eventually expired? Who knows. I’m glad it’s working correctly now!
Cheers.
