Defect #11277
closed
Production log not recording "Real IP" when passed X_Real_IP and/or X-Forwarded-For Header
0%
Description
When Redmine 2.0.3 (r9873) is setup behind a reverse proxy the recorded IP address in the logs is that of the proxy regardless of originating request:
Started GET "/" for 127.0.0.1 at 2012-06-26 12:47:30 -0400
Processing by WelcomeController#index as HTML
Rendered welcome/index.html.erb within layouts/base (9.9ms)
Completed 200 OK in 71ms (Views: 45.0ms | ActiveRecord: 11.2ms)Setup:
Ruby 1.9.3
Redmine 2.0.3
Unicorn 4.3.1 - Unicorn configuration attached
Nginx 1.0.11 - nginx.conf attachedSetup above properly records "Real IP" in logs with Redmine 1.4.4 (r9893)
Files
Updated by Kyle Merchant over 12 years ago
The above problem should be amended to state:
"When Redmine 2.0.3 (r9873) is setup behind a reverse proxy the recorded IP address
in the logs is that of the proxy regardless of originating request when originating request
is from a private network"It appears the issue is related to a bug feature in Rails 3.2 (https://github.com/rails/rails/issues/1010) where the X-Forward-For header is stripped of IPs that match a list of "trusted" IPs that are assumed to be proxies. This list by default includes the localhost and all private IP ranges (https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/middleware/remote_ip.rb#L9). Since the above logic strips all of the IPs from the header the first valid proxy IP is instead returned.
The rails team have made attempts to make the trusted IP list a configurable option (https://github.com/rails/rails/pull/2632) but the issue is still open (https://github.com/rails/rails/issues/5223).
Updated by Jean-Philippe Lang over 12 years ago
- Status changed from New to Closed
- Resolution set to Fixed
I'm closing it since it's a Rails issue. These log statements are not handled by Redmine.
Updated by Matt V almost 5 years ago
hello!
the patch is now in rails upstream [1]
it still would be nice to know where to put the trusted_ips - directive in redmine so I can see real IPs instead of localhost in the log.
I tried following inside config/application.rb:
config.action_dispatch.trusted_proxies = nil
I also tried adding this line according to : [2]
config.action_dispatch.ip_spoofing_check = false
It still says 127.0.0.1 in production.log - looks like redmine is not supported behind a reverse proxy - maybe this should be documented somewhere in the docs? Or has anyone found a solution to this old problem?
Kind Regards,
Matt
Updated by Andrey K over 4 years ago
I was able to get a real IP in the log after adding the file:
<redmine_home>/config/additional_environment.rb
config.action_dispatch.trusted_proxies = %w(127.0.0.1 ::1).map { |proxy| IPAddr.new(proxy) }
config.middleware.insert_before(Rails::Rack::Logger,
ActionDispatch::RemoteIp,
true,
config.action_dispatch.trusted_proxies)
source
Environment: Redmine version 4.1.1.stable Ruby version 2.5.7-p206 (2019-10-01) [x86_64-linux-gnu] Rails version 5.2.4.2