Defect #11277

Production log not recording "Real IP" when passed X_Real_IP and/or X-Forwarded-For Header

Added by Kyle Merchant about 10 years ago. Updated about 2 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution: Fixed
Affected version:

Description

When Redmine 2.0.3 (r9873) is set up behind a reverse proxy, the recorded IP address in the logs is that of the proxy regardless of originating request:

    Started GET "/" for 127.0.0.1 at 2012-06-26 12:47:30 -0400
    Processing by WelcomeController#index as HTML
    Rendered welcome/index.html.erb within layouts/base (9.9ms)
    Completed 200 OK in 71ms (Views: 45.0ms | ActiveRecord: 11.2ms)

Setup:

Ruby 1.9.3
Redmine 2.0.3
Unicorn 4.3.1 - Unicorn configuration attached
Nginx 1.0.11 - nginx.conf attached

Setup above properly records "Real IP" in logs with Redmine 1.4.4 (r9893)

nginx.conf (3.16 KB) Kyle Merchant, 2012-06-27 15:59

unicorn.conf.rb (491 Bytes) Kyle Merchant, 2012-06-27 15:59

History

#1 Updated by Kyle Merchant about 10 years ago

The above problem should be amended to state:

"When Redmine 2.0.3 (r9873) is set up behind a reverse proxy the recorded IP address
in the logs is that of the proxy regardless of originating request when originating request
is from a private network"

It appears the issue is related to a bug feature in Rails 3.2 (https://github.com/rails/rails/issues/1010) where the X-Forwarded-For header is stripped of IPs that match a list of "trusted" IPs that are assumed to be proxies. This list by default includes the localhost and all private IP ranges (https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/remote_ip.rb#L9). Since the above logic strips all of the IPs from the header, the first valid proxy IP is instead returned.

The Rails team has made attempts to make the trusted IP list a configurable option (https://github.com/rails/rails/pull/2632) but the issue is still open (https://github.com/rails/rails/issues/5223).

#2 Updated by Jean-Philippe Lang about 10 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

I'm closing it since it's a Rails issue. These log statements are not handled by Redmine.

#3 Updated by Matt V over 2 years ago

Hello!

The patch is now in Rails upstream [1].

It would still be nice to know where to put the trusted_ips directive in Redmine so I can see real IPs instead of localhost in the log.

I tried the following inside config/application.rb:

    config.action_dispatch.trusted_proxies = nil

I also tried adding this line, according to [2]:

    config.action_dispatch.ip_spoofing_check = false

It still says 127.0.0.1 in production.log - looks like Redmine is not supported behind a reverse proxy - maybe this should be documented somewhere in the docs? Or has anyone found a solution to this old problem?

Kind Regards,
Matt

[1] https://github.com/rails/rails/pull/2632

[2] https://stackoverflow.com/questions/27846191/in-rails-4-how-do-i-configure-a-list-of-trusted-proxies-for-remoteip

#4 Updated by Andrey K about 2 years ago

I was able to get a real IP in the log after adding the file:
<redmine_home>/config/additional_environment.rb

    config.action_dispatch.trusted_proxies = %w(127.0.0.1 ::1).map { |proxy| IPAddr.new(proxy) }
    config.middleware.insert_before(Rails::Rack::Logger,
                                    ActionDispatch::RemoteIp,
                                    true,
                                    config.action_dispatch.trusted_proxies)

source

Environment:
   Redmine version                4.1.1.stable
   Ruby version                   2.5.7-p206 (2019-10-01) [x86_64-linux-gnu]
   Rails version                  5.2.4.2
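
The trusted-proxy filtering discussed in comments #1 and #4, as an added example that is not part of the thread and is not Rails' or Redmine's own code: a simplified Ruby model using only the standard `ipaddr` library. The helpers `parse_ip`, `trusted?` and `logged_ip`, the broad list (modelled on the default described in #1) and all sample addresses are constructed for illustration.

```ruby
require 'ipaddr'

# Constructed list modelling the default the thread describes:
# loopback plus all private ranges.
BROAD_TRUSTED = %w[127.0.0.0/8 ::1 10.0.0.0/8 172.16.0.0/12
                   192.168.0.0/16 fc00::/7].map { |r| IPAddr.new(r) }

# The narrowed list from comment #4: only the local reverse proxy.
NARROW_TRUSTED = %w[127.0.0.1 ::1].map { |r| IPAddr.new(r) }

# Hypothetical helper: parse one header entry, nil if it is not an IP.
def parse_ip(text)
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

# Hypothetical helper: is this address inside any trusted range?
def trusted?(addr, trusted)
  ip = parse_ip(addr)
  !ip.nil? && trusted.any? { |range| range.include?(ip) }
end

# Simplified model (not Rails' code): walk the chain from the hop nearest
# the server and return the first address that is not a trusted proxy.
# If every hop is trusted, fall back to the connected peer (REMOTE_ADDR).
def logged_ip(remote_addr, x_forwarded_for, trusted)
  hops = x_forwarded_for.to_s.split(',').map(&:strip).reject(&:empty?)
  hops = hops.select { |h| parse_ip(h) } # drop malformed entries
  chain = (hops + [remote_addr]).reverse
  chain.find { |h| !trusted?(h, trusted) } || remote_addr
end

# Constructed requests: [REMOTE_ADDR, X-Forwarded-For, description]
SAMPLES = [
  ['127.0.0.1', '192.168.1.50',           'private client via local nginx'],
  ['127.0.0.1', '203.0.113.7',            'public client via local nginx'],
  ['127.0.0.1', '10.1.1.1, 198.51.100.9', 'client-supplied first entry'],
  ['127.0.0.1', 'unknown',                'malformed header value']
].freeze

SAMPLES.each do |remote, xff, note|
  puts format('%-32s broad=%-14s narrow=%s', note,
              logged_ip(remote, xff, BROAD_TRUSTED),
              logged_ip(remote, xff, NARROW_TRUSTED))
end
```

In this model every address on the trusted list is skipped over, so the list should name only the proxies you operate: the broad list hides private-network clients behind 127.0.0.1, while the narrow list still ignores the client-supplied first entry because the walk starts from the proxy side.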
