How to send the client ip address in forward_auth?

foogle · July 6, 2022, 5:24am

1. Caddy version (`caddy version`):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

a. System environment:

Ubuntu 20
Not using docker
Not using kubernetes

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

?

d. My complete Caddyfile or JSON config:

(auth) {
	forward_auth :9000 {
		uri {path}?remote_ip={remote_addr}
        header_up X-Forwarded-Ip {remote_addr}
		copy_headers Remote-Ip Remote-Addr Remote-User Remote-Groups Remote-Name Remote-Email X-Real-IP
	}
}

3. The problem I’m having:

I want to access the inbound client ip address in the auth server that is responding to forward_auth but all I see in the headers of the inbound auth request is 127.0.0.1 and when I try to write in the ip address in a rewrite it say ‘nil’

{'host': 'editorapi.videopcom', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36', 'accept': '*/*', 'accept-encoding': 'gzip, deflate, br', 'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8', 'content-type': 'application/json', 'origin': 'https://editorfrontend.videop.com', 'referer': 'https://editorfrontend.videop.com/', 'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Google Chrome";v="102"', 'sec-ch-ua-mobile': '?0', 'sec-ch-ua-platform': '"macOS"', 'sec-fetch-dest': 'empty', 'sec-fetch-mode': 'cors', 'sec-fetch-site': 'same-site', 'x-forwarded-foo': '', 'x-forwarded-for': '127.0.0.1', 'x-forwarded-host': 'editorapi.videop.com', 'x-forwarded-method': 'GET', 'x-forwarded-proto': 'http', 'x-forwarded-uri': '/paintbox/my-team/test'}

4. Error messages and/or full log output:

n/a

5. What I already tried:

I’d tried many variations of headers and header names and copying headers and including on the path but nothing.

remote_ip
remote_addr

6. Links to relevant resources:

francislavoie · July 6, 2022, 5:28am

Why do you need this? It’s already passed correctly and safely via the X-Forwarded-For header.

Anyways, the valid Caddyfile placeholder shortcuts are listed here:

foogle · July 6, 2022, 5:30am

x-forwarded-for contains 127.0.0.1

francislavoie · July 6, 2022, 5:40am

Yep, which is the remote address.

foogle · July 6, 2022, 5:45am

Hmmm. OK I must be not understanding something.

When a request comes in, I want to first do a subrequest to my auth server, which based on avalable information about the request (header values/cookies/client ip address) I can then send back a 200 to wave it through the the destination server, or something else to block the request.

I would have thought the auth server would get the client IP address as part of this process. What am I misunderstanding?

francislavoie · July 6, 2022, 5:58am

That’s correct.

What do you see in Caddy’s logs? What’s your entire Caddyfile? Turn on the debug global option and the log directive to see all the logs.

Do you have some other proxy in front of Caddy that might be intercepting the requests, making it look like they’re coming from 127.0.0.1?

foogle · July 6, 2022, 6:29am

You are correct. Following the information you provided I researched further and found a second server redirect which was causing the IP address field to be set to locahost.

I am very impressed and thank you kindly for your level of help.

system · August 5, 2022, 5:24am

This topic was automatically closed after 30 days. New replies are no longer allowed.