[Xymon] Use X-Forwarded-For header for client IP?

Shawn Heisey hobbit at elyograg.org
Sat Jun 26 19:38:33 CEST 2021


On 6/24/2021 2:41 AM, Jeremy Laidman wrote:
> Xymon's enadis CGI gets the IP address from the webserver's 
> REMOTE_HOST or REMOTE_ADDR variables. Depending on the web server 
> you're using, there may be zero or more ways to make this work.
>
> For instance, there are Apache modules that can do this: mod_rpaf 
> (reverse proxy add forward), mod_extract_forwarded and mod_remoteip 
> <https://httpd.apache.org/docs/current/mod/mod_remoteip.html> (the 
> latter seemingly the most common method, but also seems to be the most 
> feature-full = complicated). Also, it's possible to use SetEnvIf to 
> capture the IP address from the header and assign it to REMOTE_ADDR 
> (although note that there can be multiple IP addresses in an 
> X-Forwarded-For value if there are multiple proxies in a chain so 
> you'd want to extract the first (left-most) IP to get the client IP).
>
> Be warned that it's trivial for an attacker to create an 
> X-Forwarded-For header, so your reverse proxies should strip this 
> header if it exists, before adding their own. There may be other 
> implications.


I adjusted the haproxy config to remove that header before it adds it 
with the source IP, which will hopefully stop people from doing that.

I installed the rpaf module into apache.  This is very interesting ... 
once I did that, suddenly my xymon-related config stopped working and I 
got "403 Forbidden" errors.  The various parts of the existing xymon 
apache config that only allow localhost were no longer allowing me to 
view the UI (apache mod_authz_core config), because they were now seeing 
the real source address.  But unfortunately, the xymon page still says 
"Disabled by: elyograg @ 127.0.0.1".  So I will look into the patch that 
René provided.  Time to upgrade xymon anyway.

Thanks,
Shawn
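An added example, not code from this thread or from Xymon, of the client-IP logic the quoted reply describes: it parses a multi-hop X-Forwarded-For value and, generalizing the "take the left-most address" rule, walks the chain from the right through a set of known proxies, so the result is the same when the edge proxy strips the header and a forged value still does not win when it did not. The proxy addresses and function names are assumptions for this example.

```python
import ipaddress

# Constructed for this example: the haproxy box and localhost are the only proxies we trust.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("127.0.0.1")}


def parse_xff(value):
    """Split an X-Forwarded-For value into ip_address objects, left to right.

    Raises ValueError on any entry that is not a valid address, so a
    malformed header is rejected as a whole rather than partially trusted.
    """
    if not value or not value.strip():
        return []
    return [ipaddress.ip_address(part.strip()) for part in value.split(",")]


def leftmost_ip(xff_value):
    """The rule from the quoted reply: first (left-most) address is the client.
    Only safe if every proxy in front strips incoming X-Forwarded-For first."""
    hops = parse_xff(xff_value)
    return hops[0] if hops else None


def client_ip(remote_addr, xff_value, trusted=TRUSTED_PROXIES):
    """Derive the real client IP for a request as seen by the web server.

    remote_addr: the TCP peer (REMOTE_ADDR), i.e. the last hop before us.
    xff_value:   the X-Forwarded-For header as received, or None.
    Returns an ip_address, or None when nothing usable can be derived.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        # Not via our proxies: the header is client-supplied, the peer IS the client.
        return peer
    try:
        hops = parse_xff(xff_value)
    except ValueError:
        return None  # garbage in a header our own proxy chain produced: refuse to guess
    # Walk right to left, skipping our own proxies; the first other address is the client.
    # A value injected by the client sits further left and is never reached.
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return None  # empty, or consisted only of our proxies


if __name__ == "__main__":
    print(client_ip("10.0.0.5", "127.0.0.1, 203.0.113.7"))  # forged 127.0.0.1 ignored
    print(leftmost_ip("127.0.0.1, 203.0.113.7"))            # left-most rule would be fooled
```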
