How do you capture the IP address of the client ma...
# cfml-generald
Daniel Mejia
12/19/2024, 6:12 PMHow do you capture the IP address of the client making the request? CGI.REMOTE_ADDR is giving me the IP address of the internal network firewall. What is the solution to this scenario?
b
bdw429s
12/19/2024, 6:14 PM@Daniel Mejia If you're on CommandBox, there is a setting for this
bdw429s
12/19/2024, 6:14 PMbdw429s
12/19/2024, 6:14 PMJust only enable it if you trust the proxy or firewall you're behind.
bdw429s
12/19/2024, 6:15 PMFor a non-CommandBox server, you'd need to manually look at the same headers that setting activates
d
Daniel Mejia
12/19/2024, 6:15 PMtrust? its our azure firewall.
b
bdw429s
12/19/2024, 6:15 PMThere maybe a Tomcat valve that does the same thing. I haven't looked
bdw429s
12/19/2024, 6:15 PMYes, you "trust" azure in this context
bdw429s
12/19/2024, 6:15 PMyou just don't want to enable that for a server which is directly accessible on the open internet
d
Daniel Mejia
12/19/2024, 6:16 PMit is accessible on the internet
b
bdw429s
12/19/2024, 6:16 PMotherwise, a hacker can simply send an
x-forwarded-forbdw429s
12/19/2024, 6:16 PMI said "directly" accessible
bdw429s
12/19/2024, 6:16 PMThat word is the important modifier
bdw429s
12/19/2024, 6:16 PMDirectly as in no other proxies, firewalls, or web servers in front
bdw429s
12/19/2024, 6:17 PMA proxy will generally overwrite any untrusted forwarded headers and replace it with their own
bdw429s
12/19/2024, 6:17 PMIf you just want it for logging, then maybe you just check the header yourself, which is fine
bdw429s
12/19/2024, 6:17 PMThe CommandBox setting will actually swap out the IP that shows in the CGI scope
🧐 1
d
Daniel Mejia
12/19/2024, 6:19 PMOk thank you.
e
elpete
12/19/2024, 6:27 PMI believe there is a function in cbSecurity for this as well. https://github.com/coldbox-modules/cbsecurity/blob/8f0b6e09b6e496920fbeb732aa49d4425630fbf0/models/CBSecurity.cfc#L601-L611
✅ 1
q
quetwo
12/19/2024, 6:42 PMBTW, this HIGHLY depends on your proxy. My F5 adds the header
x-forwarded-ipx-remote-userb
bdw429s
12/19/2024, 6:43 PMx-remote-user is something entirely different
bdw429s
12/19/2024, 6:43 PMThat's for authenticated requests
d
Daniel Mejia
12/19/2024, 6:44 PMShould I assume that our azure firewall is removing the header since I don't see it listed in the cfdump?
b
bdw429s
12/19/2024, 6:45 PMIt's possible it's not setting it. I haven't used Azure enough to know if a setting needs to be ticked for that
bdw429s
12/19/2024, 6:45 PMBut it's generally pretty standard in proxies
bdw429s
12/19/2024, 6:45 PMWhat specifically are you dumping?
q
quetwo
12/19/2024, 6:45 PM@bdw429s -- oh, that's how it SUPPOSED to be used. But it's an open bucket that gets sent over.
b
bdw429s
12/19/2024, 6:45 PMIt would be under
getHTTPRequestData().headersd
Daniel Mejia
12/19/2024, 6:47 PMOk I guess I have look at the firewall and configure it to add that header.
b
bdw429s
12/19/2024, 6:48 PMIf this is the Azure firewall you're using, the docs seem to indicate it should be present
https://learn.microsoft.com/en-us/azure/firewall/rule-processing
bdw429s
12/19/2024, 6:49 PMNote
Both HTTP and HTTPS protocols (with TLS inspection) are always filled by Azure Firewall with XFF (X-Forwarded-For) header equal to the original source IP address.
d
Daniel Mejia
12/19/2024, 7:06 PMlooks like Azure Firewall is Layer 4 and I would need a Layer 7 service like Front Door or Web Application Firewall
b
bdw429s
12/19/2024, 7:06 PMAhh, that would make sense
bdw429s
12/19/2024, 7:06 PMlayer 4s don't parse the HTTP request or modify it
👍🏾 1
bdw429s
12/19/2024, 7:06 PMThey just pass the packets along basically
d
Daniel Mejia
12/19/2024, 8:35 PMUff, from my estimates Azure WAF would cost about $1300 per month.
3 Views