Headers High Availability IP (x_forwarded_from_ip), how to?

Livonias (Verified User, joined Oct 11, 2019, 14 messages)
Hello,

I am using a High Availability IP from TransIP: https://www.transip.eu/knowledgebase/entry/522-what-are-different-modes-ha-ip/

However, this displays/outputs the same IP address for all visitors: the server IP.
As they say themselves: "The 'remote' IP headers will not be forwarded, so your server has no way of knowing which IP is the original visitor."

Their support told me that this should be fixable by using headers that display the original IP.
I think this is related to: https://www.directadmin.com/features.php?id=1825

However I've tried this:
./directadmin set x_forwarded_from_ip 86.105.245.12
and
./directadmin set x_forwarded_from_ip 136.144.202.160
and even
./directadmin set x_forwarded_from_ip 86.105.245.12:136.144.202.160

Explanation: 86.105.245.12 is the IP of the HA-IP;
136.144.202.160 is my VPS's IP address.

Some DA details:
Compiled on: CentOS 8.0 64-Bit
Compile Date: Sep 29 2020, 15:06:21
Server Version: 1.61.5
I'm using Apache as webserver.

Can anyone help me understand how to configure this correctly? At the moment all traffic comes from the same IP, which makes it impossible to configure the firewall to auto-ban brute forcers and so on, since this would instantly block all traffic :)

I normally would submit a ticket, but License Type: External license says I can't submit a ticket?
Thank you!
 
Also want to add:

In the brute force monitor all traffic / login attempts are logged as:

136.144.151.253
136.144.151.254
136.144.151.255

Which are IP addresses that are connected to the HA-IP, if I understood correctly.

Edit: In a test.php file I tried some different values, and this:
$_SERVER['HTTP_X_FORWARDED_FOR'];
echoes my home IP (which should be shown as the IP for traffic)

$_SERVER['SERVER_ADDR'];
this shows 136.144.202.160

Thank you so much. Justin
 
Did you know about Cloudflare?

REMOTE_ADDR is the main network communication; anything else is just bound to it, like "X-Forwarded-For".

It is also the same for every firewall: it gets the IP address from REMOTE_ADDR and not from X-Forwarded-For or anything else.
A proxy does not pass the visitor directly to the target server,


so it is impossible to configure a firewall against a proxy like that.
That is why Cloudflare has a port list like this, to prevent abuse like SSH, FTP, ... brute force.

Code:
HTTP ports supported by Cloudflare:

80
8080
8880
2052
2082
2086
2095
HTTPS ports supported by Cloudflare:

443
2053
2083
2087
2096
8443


But nginx or Apache has the ability: set_real_ip_from


If you want to set up a firewall, you should set it up on the proxy server.
 
Thanks jamgames2 for your reply!

The HA-IP does have a firewall built in and only opens ports I define. However, all I try to achieve is that DirectAdmin actually logs the real IP of a visitor instead of the server IP. In that case the BFM can ban based on that information.

Also maybe interesting to add: when I echo the REMOTE_ADDR, it randomly shows one of these IPs:

89.41.168.61
89.41.168.62
89.41.168.63

Which, according to TransIP documentation, are IPs connected to the High Availability IP.
 
Did you install the csf firewall on DA?

You just add the ignore IP with this option.
 
Yes, csf is installed and active.

Ignoring the IPs will prevent them from being blocked, but doesn't solve the issue that I don't see visitors' IPs (and can't filter on them, block them, and so on), if I understand correctly.
 
You should filter on your proxy server;
you'll see the option csf.cloudflare || this option will auto-block directly through the Cloudflare API.


So about the real visitor IP,

did you try
service directadmin restart

after setting it?
 
Also tried and didn't work:

I'm actually wondering whether this is a DirectAdmin thing or an Apache thing. Afraid it's Apache, but if anyone can help me understand this better it's highly appreciated :)

# httpd -v
Server version: Apache/2.4.46 (Unix)
Server built: Nov 30 2020 23:08:30


I don't have Cloudflare. I tried restarting DirectAdmin after changing values, yep.
 
The DirectAdmin panel uses only itself; it does not need nginx or Apache.
If X-Forwarded-For doesn't work,
you should try to debug where the IP address is forwarded in the variable

with your browser's developer tools, usually the shortcut Ctrl+Shift+C.

Something like a bug from DA itself about getting the visitor IP for logs, tokens, plugins, etc.
That mentions it:

Code:
Keep in mind that for some things, this feature will not work in every case.
For example, the DA IP blacklist is checked prior to the headers being read in, so won't work for the block itself.
But for most other areas, like the actual count of failed logins (and adding the true client IP to the blacklist) will still work (but in the case of the IP blacklist, they won't actually be blocked due to the IP mismatch)
Every thing else should show the correct X-Forwarded-For IP address, such as logs, tokens, plugins, scripts, etc..
 
Well, I'll work with whatever is technically possible blacklist/IP-wise. I have no idea how to continue from this point though.
 
The IP blacklist should be made from your proxy.

In my example about csf.cloudflare,
it blocks spam like brute force or login failures with the curl API.

Then you just need to make an API to sync blacklist data from DA to the proxy server, and do the blacklisting there.
 
Ok, well, completely apart from the blacklisting, I'd still want to receive the user's IP instead of the proxy IP.

Does anybody know if this is possible?
 
Try to add this in your apache config where 1.2.3.4 is the proxy ip (we use this on haproxy setups).

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 1.2.3.4/32

Make sure apache has the remote_ip module included (is default with DA afaik).
 

# httpd -l | grep mod_remoteip.c
mod_remoteip.c

If I'm correct, this means the remote_ip module is included.
Which IP do you think I should use for the RemoteIPTrustedProxy, looking at all the different IPs I see coming through?

86.105.245.12 (HA-IP)
136.144.202.160 (VPS)

Or all IPs I see in logging that connect with the server?
89.41.168.61
89.41.168.62
89.41.168.63
136.144.151.253
136.144.151.254
136.144.151.255
 
Actually, you don't really need to specify the IP address. The 'RemoteIPHeader X-Forwarded-For' should be enough. Also check the Apache docs about the remote_ip module for other settings.
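To make the RemoteIPTrustedProxy question above concrete, here is an added example (not code from the thread, DirectAdmin, or Apache) that emulates how a trusted-proxy X-Forwarded-For resolver decides the client IP: it walks the header from the right, discards hops that are on the trusted list, and only believes the header at all when REMOTE_ADDR itself is a trusted proxy. The proxy addresses in TRUSTED_PROXIES are constructed placeholders from the RFC 5737 documentation ranges; in a real deployment the list would hold the HA-IP hop addresses that appear as REMOTE_ADDR in the logs. A naive resolver that believes the leftmost header value is included beside it, so the two can be compared on the same inputs.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737) standing in for the HA-IP hop
# addresses that a real deployment would list in RemoteIPTrustedProxy.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.5/32"),
]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Trusted-proxy resolution of X-Forwarded-For.

    Returns (client_ip, proxies_seen). The header is consumed from the right,
    because the rightmost entry was appended by the hop closest to us. Each
    trusted hop is skipped; the first untrusted address is the client. If
    REMOTE_ADDR is not a trusted proxy the header is ignored entirely, since
    anyone can send an X-Forwarded-For header of their own. If every hop is
    trusted (an unexpected chain) this example falls back to REMOTE_ADDR.
    """
    if not is_trusted(remote_addr, trusted):
        return remote_addr, []
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    proxies_seen = [remote_addr]
    while hops:
        candidate = hops.pop()  # rightmost entry first
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            return remote_addr, proxies_seen  # malformed entry: do not guess
        if is_trusted(candidate, trusted):
            proxies_seen.append(candidate)
            continue
        return candidate, proxies_seen
    return remote_addr, proxies_seen


def naive_client_ip(remote_addr, xff_header):
    """The common mistake: believe the leftmost header value whenever present."""
    if xff_header and xff_header.strip():
        return xff_header.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    # Constructed requests: (REMOTE_ADDR, X-Forwarded-For as received)
    samples = [
        ("192.0.2.7", "203.0.113.9"),               # one trusted hop
        ("192.0.2.7", "203.0.113.9, 192.0.2.3"),    # two trusted hops
        ("203.0.113.9", "10.0.0.1"),                # direct client, self-supplied header
        ("192.0.2.7", "10.0.0.1, 203.0.113.9"),     # client-supplied value, then real hop
        ("192.0.2.7", ""),                          # proxy sent no header
    ]
    for remote, xff in samples:
        client, proxies = resolve_client_ip(remote, xff)
        print(f"REMOTE_ADDR={remote:12} XFF={xff!r:28} trusted -> {client:12} naive -> {naive_client_ip(remote, xff)}")
```

The third and fourth samples are the ones worth reading in a brute force monitor context: a header that a client supplied itself is only believed by the naive resolver, while the trusted-proxy walk still lands on the address the real proxy appended. That is the difference between listing the proxy hops in RemoteIPTrustedProxy and leaving it out.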
 