Wt

It appears that the handling of this is at the moment only done in WEnvironment (at least when using wthttp), and you'd have to check X-Forwarded-For yourself in handleRequest of a WResource. It looks like the docs don't match the implementation there.

Thank you, Roel.

When running the app, the envronment().clientAddress() also still reports the 127...1. I was assuming it was coming from the same source module.

I shouldn't even be posting this here, I should just fix it myself, eh?

developer@rtmus2:~/projects/artecams/build$ make.sh && ./doit.sh
Scanning dependencies of target artecams
[  1%] Building CXX object CMakeFiles/artecams.dir/src/AppVault.cpp.o
[  2%] Linking CXX executable artecams
[100%] Built target artecams
running
INFO: Opened log file (/dev/null).
/home/developer/projects/artecams/src/AppVault.cpp:185 127.0.0.1

From this code:

182 Rtm::AppVault::AppVault( const Wt::WEnvironment & env )·                                                                                                                                                                                
183 : AppBase( "artecams.vault.sqlite", env )·
184 {·
185   std::cout << __FILE__ << ":" << __LINE__ << " " << environment().clientAddress() << std::endl;·

A little more clearly;

/home/developer/projects/artecams/src/AppVault.cpp:185 127.0.0.1 71.170.246.90

185   std::cout << __FILE__ << ":" << __LINE__·
186     << " " << environment().clientAddress()·
187     << " " << environment().headerValue("X-Forwarded-For")·
188     << std::endl;·

If WEnvironment is also reporting the wrong address, that must be because you didn't set <behind-reverse-proxy> to true in wt_config.xml.

Wt does not look at X-Forwarded-For by default. It only looks at that header if you explicitly told it it's behind a reverse proxy. Otherwise, anyone could impersonate any IP address by putting that in X-Forwarded-For. So you should enable behind-reverse-proxy and make sure that the application can only be accessed through the proxy, otherwise spoofing would be possible.

I see.

Thank you for the clarification.

~mark

Roel, since I have you here, one thing I have been curious about...

I was unaware of the behind_reverse_proxy option in the config. Turning on that allows clientAddress() to report the proper IP address. Thank you for that!

I'm also curious about the output from these lines;

127.0.0.1 - - [2019-May-21 14:14:28.193] "POST /vault?wtd=P5fqM4cKUDU1KxRl HTTP/1.1" 200 76
127.0.0.1 - - [2019-May-21 14:14:28.321] "GET /vault/ HTTP/1.1" 200 2326

Would not these log output lines also benefit from the reverse proxy setting?

Yeah... maybe they should. At the moment all of the X-Forwarded-For handling happens only in WEnvironment. It has bothered me too that the access log doesn't take that into account.

Google

Thank you, sir!