web_php.log + Fail2Ban + reverse proxy

Discussions related to the 1.36.x series of ZoneMinder
jijcob
Posts: 3
Joined: Tue Sep 14, 2021 2:46 pm

web_php.log + Fail2Ban + reverse proxy

Post by jijcob »

Hi all,

Here is the HTTP flow for my ZoneMinder setup:

client --> haproxy --> apache --> zoneminder

Everything works great, however when looking in web_php.log (via fail2ban) -- there is this problem:

09/03/21 09:28:11.764780 web_php[453].ERR [127.0.0.1] [Could not retrieve user zzdfiuy details] at /usr/share/zoneminder/www/includes/auth.php line 313

In my Apache logs, I've been able to successfully add the X-Forwarded-For header containing the real IP address of the client there. I've looked around quite a bit on the topic, but I've not found a solution. Is there a way to replace the "127.0.0.1" in the web_php.log that shows up behind a reverse proxy with the X-Forwarded-For header?

Thanks in advance
jijcob
Posts: 3
Joined: Tue Sep 14, 2021 2:46 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by jijcob »

Hi all,

I was able to find a solution (of sorts) -- in includes/logger.php, I replaced REMOTE_ADDR with HTTP_X_FORWARDED_FOR in these two places:

```php
$this->hasTerm = (php_sapi_name() == 'cli' && empty($_SERVER['HTTP_X_FORWARDED_FOR']));
```

and

```php
$this->id, getmypid(), $code, $_SERVER['HTTP_X_FORWARDED_FOR'], $string);
```

I'm running 1.36.5-1 at the moment, and I realize this is not a long-term fix, but it does result in the actual client IP showing up in the web_php.log:

```
09/03/21 09:28:11.764780 web_php[453].ERR [8.8.8.8] [Could not retrieve user zzdfiuy details] at /usr/share/zoneminder/www/includes/auth.php line 313
```

Assuming no objection, I'll look to file this as an issue on the GitHub repo. Unfortunately, I don't know enough about PHP to 'properly' change this, nor about underlying ZoneMinder architecture to do a proper pull request.

Hope this helps someone in the meantime...
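
Added example, not part of the original post and not ZoneMinder's code: logging `$_SERVER['HTTP_X_FORWARDED_FOR']` as-is writes a client-supplied string into the line Fail2Ban parses, so this PHP function accepts the header only when the TCP peer is a trusted proxy and returns the right-most hop that is not one of those proxies. `TRUSTED_PROXIES` and `client_ip()` are hypothetical names, 127.0.0.1 is assumed to be the haproxy peer as in the flow above, the proxy is assumed to append the real client address as the last entry, and the sample requests are constructed.

```php
<?php
// Added example, not ZoneMinder code. TRUSTED_PROXIES and client_ip() are
// hypothetical names; 127.0.0.1 is assumed to be the local haproxy.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

/**
 * Return the address to log: the right-most X-Forwarded-For entry that is
 * not one of our own proxies, and only when the TCP peer is a trusted proxy.
 */
function client_ip(array $server): string {
    $peer = $server['REMOTE_ADDR'] ?? '';
    // Direct connection (or CLI): the header is client-supplied, ignore it.
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    // Walk from the right: entries appended by our proxies can be believed,
    // anything left of the first untrusted hop was supplied by the client.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // missing or malformed entry: fall back to the peer address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed sample requests (addresses from documentation ranges).
$samples = [
    'via proxy'       => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_X_FORWARDED_FOR' => '203.0.113.7'],
    'spoofed prefix'  => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.7'],
    'direct + header' => ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1'],
    'malformed value' => ['REMOTE_ADDR' => '127.0.0.1',    'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($samples as $name => $server) {
    printf("%-16s raw=[%s] resolved=[%s]\n",
        $name, $server['HTTP_X_FORWARDED_FOR'], client_ip($server));
}
```

In the "spoofed prefix" case the raw header would place two addresses inside the log brackets, while the resolved value is the single address the proxy itself observed.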
kitkat
Posts: 193
Joined: Sun Jan 27, 2019 5:17 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by kitkat »

You should be able to use mod_remoteip (Apache 2.4.6 and later) or mod_rpaf, which read the X_FORWARDED_FOR header and set REMOTE_ADDR correctly.

I use mod_rpaf on a few PHP-based sites hosted behind reverse proxies and they all see the correct remote address.
jijcob
Posts: 3
Joined: Tue Sep 14, 2021 2:46 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by jijcob »

Ah, very nice! Didn't even think of this angle.

Thank you!
manuroma
Posts: 12
Joined: Fri Jan 15, 2021 1:06 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by manuroma »

Sorry for my post. I'm trying to log in via reverse proxy but with poor results. I also have haproxy and pfsense, and on haproxy I already have a service that works; only with zm I can't get it to work. I would like to use https up to the reverse proxy, which runs the call on zm's http.
BlueH2O
Posts: 55
Joined: Thu Aug 12, 2010 10:33 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by BlueH2O »

kitkat wrote: Thu Sep 16, 2021 2:15 pm
> I use mod_rpaf on a few PHP-based sites hosted behind reverse proxies and they all see the correct remote address.

Could you tell me how you set this up? I have this module installed and set RPAF_ProxyIPs with the IP address of the proxy, but still only the proxy is being logged and not the X-Forwarded-For address.
kitkat
Posts: 193
Joined: Sun Jan 27, 2019 5:17 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by kitkat »

BlueH2O wrote: Mon Aug 08, 2022 7:13 pm
> kitkat wrote: Thu Sep 16, 2021 2:15 pm
> > I use mod_rpaf on a few PHP-based sites hosted behind reverse proxies and they all see the correct remote address.
>
> Could you tell me how you set this up? I have this module installed and set RPAF_ProxyIPs with the IP address of the proxy, but still only the proxy is being logged and not the X-Forwarded-For address.

This is the contents of one of my /etc/httpd/conf.d/mod_rpaf.conf files:

```apache
LoadModule              rpaf_module modules/mod_rpaf.so
RPAF_Enable             On
RPAF_ProxyIPs           127.0.0.1 10.201.21.0/24 12.34.56.78 123.45.67.89
RPAF_SetHostName        On
RPAF_SetHTTPS           On
RPAF_SetPort            On
RPAF_ForbidIfNotProxy   On
```

I didn't have to set 'RPAF_Header X-Forwarded-For' but I guess it may help if you haven't done so.
BlueH2O
Posts: 55
Joined: Thu Aug 12, 2010 10:33 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by BlueH2O »

Interesting, the option names are not quite the same in my version, plus there is this:
This module should be considered as deprecated after Jessie.
kitkat
Posts: 193
Joined: Sun Jan 27, 2019 5:17 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by kitkat »

BlueH2O wrote: Mon Aug 08, 2022 10:11 pm
> Interesting, the option names are not quite the same in my version, plus there is this:
> This module should be considered as deprecated after Jessie.

There are a few versions of mod_rpaf floating around - This is the one I'm using: https://github.com/gnif/mod_rpaf

And yeah, it's very old and deprecated (by mod_remoteip?) but I'm using it on out-of-date CentOS 6.1 machines and it's about the only option out there.
BlueH2O
Posts: 55
Joined: Thu Aug 12, 2010 10:33 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by BlueH2O »

kitkat wrote: Tue Aug 09, 2022 8:57 am
> And yeah, it's very old and deprecated (by mod_remoteip?) but I'm using it on out-of-date CentOS 6.1 machines and it's about the only option out there.

Yes, by mod_remoteip. I'm using Debian bullseye.
BlueH2O
Posts: 55
Joined: Thu Aug 12, 2010 10:33 pm

Re: web_php.log + Fail2Ban + reverse proxy

Post by BlueH2O »

Well... I've tried rpaf (did nothing), remoteip (did nothing), and changing the log format string for Apache (works for Apache but not web_php.log).
Still all I can get in the web_php.log is the proxy IP. :( I don't have huge amounts of time to put into this so I'll have to shelve it for a while.