use X-Forwarded-For when remote is 127.0.0.1

This starts out as almost a HOWTO, and ends with a feature request.

To make Directadmin operating via https (i.e., SSL) on port 2222 also accessible via http (i.e., no SSL), one solution is to uncomment the references to mod_proxy in httpd.conf, then create a user and add a custom httpd configuration for that user that contains:

ProxyRequests Off
ProxyPass / https://localhost:2222/
ProxyPassReverse / https://localhost:2222/

This causes incoming non-SSL hits on port 80 for that user's domain to be proxied by Apache to reach Directadmin. If the user's domain was 'insecure.example.com', then connecting to http://insecure.example.com/ will cause you to reach the SSL-enabled Directadmin server on port 2222.

The same could be done using stunnel.

Now here is where the feature request comes in. Accesses on non-SSL port 80 as above will appear to the Directadmin server to come from 127.0.0.1. This has two adverse effects. (a) If somebody breaks into a user's account and accesses his Directadmin control panel via port 80, the user's login history wil show only 127.0.0.1 and not the intruder's actual IP address. (b) Directadmin's "Blacklist IPs for excessive login attempts" feature won't prevent intrusion attempts because login attempts will all appear to come from 127.0.0.1.

The solution, and feature request, is that the Directadmin server should parse any X-HTTP-Forwarded-For header in an incoming connection and, if and only if the remote IP address is 127.0.0.1, then Directadmin should use the first IP address contained in the X-Http-Forwarded-For header as the IP address to use in the user's login history and for detecting excessive login attempts. I am almost sure that Apache's mod_proxy adds this header by default.

Rahul

bump! bump!

If the check was done, this would only prevent the adding of the 127.0.0.1 IP to the blacklist. It wouldn't prevent connection because the block is done before any information is received.. the connection is totally blocked and never accepted if the given IP is blocked.. thus an X-Forwarded IP can never be seen as no header data is read in in the first place.

I'll have to look over what the consequences of adding this would be... for example, we don't want people spoofing anything locally and pretending that the connection came from an admin IP for example.. thus blocking someone who didn't actually send the request. Might be tricky to sort out.

John

what about displaying a block page instead of adding it to the blacklist or atleast display the real ip in login history.

BUMP! Having '127.0.0.1' in /var/log/directadmin/login.log makes it impossible to protect DA with fail2ban:

2015:01:26-22:55:37: '127.0.0.1' 10 failed login attempt. Invalid account '******'
2015:01:26-22:55:47: '127.0.0.1' 11 failed login attempts. Account '******'
2015:01:26-23:29:01: '127.0.0.1' 2 failed login attempts. Account '******'
2015:01:26-23:29:09: '127.0.0.1' 3 failed login attempts. Account '******'
2015:01:26-23:29:21: '127.0.0.1' 4 failed login attempts. Account '******'

x_forwarded_from_ip=127.0.0.1 is nice feature for Directadmin proxying but it still looks unfinished, since bruteforce protection problem still not solved.
I have sucessfully added redirection from nginx 443 port to directadmin 2222 (http)
And all works just fine except bruteforce protection.
DirectAdmin have internal IP blacklisting feature along with bruteforce monitor (BFM) but both of them is useless for proxied directadmin connections.
I haven't found a way to add directadmin's login.log to BFM, and haven't found any custom script for directadmin excessive login attempts event(