Client address and Forwarded header...

Added by Plug Gulp 2 months ago

Hello Wt Team,

I am looking for help in understanding how Wt determines the client address when using wthttp. I looked at how and where request.remoteIP is set. Looking at the Connection::start method, the remote IP is set to the socket endpoint, and looking at the FCGIRequest::remoteAddr method, the address is extracted from the CGI REMOTE_ADDR environment variable. The documentation of the Wt::Http::Request::clientAddress method indicates that the client IP is determined by the CLIENT_IP and/or X-FORWARDED-FOR headers. Please may I know where these headers are queried to determine the client address in relation to this method? Also, will the new FORWARDED header be supported in future releases?

Thanks and kind regards,

~Plug


Replies (3)

RE: Client address and Forwarded header... - Added by Roel Standaert 2 months ago

> Please may I know where these headers are queried to determine client address in relation to this method?

So are you having some difficulty getting the client's address? Maybe you're behind a reverse proxy, and that proxy is sending the right headers, but behind-reverse-proxy is not enabled in wt_config.xml?

In Wt 4.3.0 there's a function in src/web/WebRequest.C called clientAddress(bool) that determines the client address, looking at the Client-IP and X-Forwarded-For headers. This is what's used in WEnvironment and Http::Request.

Currently the Forwarded header is not supported, but we could consider adding support if you make a feature request for it.

RE: Client address and Forwarded header... - Added by Plug Gulp 2 months ago

> In Wt 4.3.0 there's a function in src/web/WebRequest.C called clientAddress(bool) that determines the client address, looking at the Client-IP and X-Forwarded-For headers. This is what's used in WEnvironment and Http::Request.

I am using 4.1.2 and that method was in WEnvironment. Looks like it was moved to WebRequest.

BTW, just out of curiosity what happens when the Wt app deployer does not know if the application is behind a reverse proxy e.g. some cloud providers may have a reverse proxy that the deployer may not be aware of?

Thanks and kind regards,

~Plug

RE: Client address and Forwarded header... - Added by Roel Standaert 2 months ago

> I am using 4.1.2 and that method was in WEnvironment. Looks like it was moved to WebRequest.

Yes, it was refactored to WebRequest so we can reuse it in Http::Request.

> BTW, just out of curiosity what happens when the Wt app deployer does not know if the application is behind a reverse proxy e.g. some cloud providers may have a reverse proxy that the deployer may not be aware of?

The deployer just always has to know if the application is behind a reverse proxy. That's always the case. You have to opt in, because Wt can't know if it can trust the Client-IP or X-Forwarded-For headers. Anyone could send those headers, pretending to be anyone else. You just have to know whether you are behind a reverse proxy (that you can trust) or not.

Other software, like I know Apache for example, has a mod_remoteip that goes a bit further, because you can actually configure which IP addresses you trust, like: if it's coming from 10.0.0.1 I know that's our proxy server and I know I can trust the X-Forwarded-For header.

You can be reckless and just turn behind-reverse-proxy on by default, and everything will seem to work correctly, regardless of whether you're actually behind a reverse proxy or not, but you're allowing people to freely spoof their IP address.
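
The trust rule discussed in the reply above (only honour X-Forwarded-For when the connection comes from a proxy you have listed as trusted), as an added example that is not part of the original thread and is not code from Wt or mod_remoteip. The names `splitForwardedFor` and `resolveClientAddress` are hypothetical, the trusted list holds exact addresses only (no CIDR ranges), and all addresses are constructed sample values.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical helper (not Wt code): split X-Forwarded-For on commas, trim blanks.
static std::vector<std::string> splitForwardedFor(const std::string& header) {
    std::vector<std::string> hops;
    std::string::size_type start = 0;
    while (start <= header.size()) {
        std::string::size_type comma = header.find(',', start);
        if (comma == std::string::npos) comma = header.size();
        std::string::size_type b = header.find_first_not_of(" \t", start);
        if (b != std::string::npos && b < comma) {
            std::string::size_type e = header.find_last_not_of(" \t", comma - 1);
            hops.push_back(header.substr(b, e - b + 1));
        }
        start = comma + 1;
    }
    return hops;
}

// peer: address of the TCP connection, which headers cannot change.
// trusted: exact addresses of reverse proxies the deployer controls (assumed list).
std::string resolveClientAddress(const std::string& peer,
                                 const std::string& xForwardedFor,
                                 const std::set<std::string>& trusted) {
    // Untrusted peer: any forwarding header it sent is client-controlled, ignore it.
    if (trusted.count(peer) == 0) return peer;
    std::string client = peer;
    std::vector<std::string> hops = splitForwardedFor(xForwardedFor);
    // Walk from the hop nearest to us and stop at the first untrusted address;
    // entries to its left were supplied by that host and prove nothing.
    for (auto it = hops.rbegin(); it != hops.rend(); ++it) {
        client = *it;
        if (trusted.count(client) == 0) break;
    }
    return client;
}

int main() {
    const std::set<std::string> trusted{"10.0.0.1"};  // constructed sample values
    // Direct connection carrying a forged header: prints the socket address.
    std::cout << resolveClientAddress("203.0.113.7", "198.51.100.9", trusted) << "\n";
    // Via the trusted proxy, with a forged leftmost entry: prints 198.51.100.9.
    std::cout << resolveClientAddress("10.0.0.1", "192.0.2.55, 198.51.100.9", trusted) << "\n";
    return 0;
}
```

With an empty trusted set the function always returns the socket address, which corresponds to leaving the opt-in switched off.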
