SOLVED: Real IP behind reverse proxy (nginx) for log entries (e.g. fail2ban)

Discussions related to the 1.36.x series of ZoneMinder

Post by nepixl »

SOLUTION IN THE LAST POST


Hello :)

First of all: great project! I really appreciate this project and the work behind it. Awesome community ♥

And here is my problem:
I've set up an Ubuntu server with ZoneMinder. Everything is working except the original IP of the external user inside the logs.

Environment:
I've set up an nginx reverse proxy -> Apache

Here is the config:

Code: Select all

 
server {
    # "ssl on;" is deprecated; TLS is enabled with the ssl parameter of listen
    listen 443 ssl http2;
    ssl_certificate /cert.pem;
    ssl_certificate_key /privkey.pem;
    server_name *snipped*;
    access_log /var/log/nginx/nginx.*snipped*.*snipped*.log;
    error_log /var/log/nginx/nginx.*snipped*.*snipped*.log;

    #not sure if this is really needed:
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://*snipped*:81/;
        proxy_connect_timeout    300;
        proxy_send_timeout       300;
        proxy_read_timeout       300;
        send_timeout             300;

        #not sure if this is really needed:
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Access from external (even from zmNinja Pro) is working great. But I want to use Fail2ban, which is already set up and running (with correct regex): how can I configure it so that the real IP shows up in the logs?

cat /var/log/zm/web_php.log | tail
2022/10/25 09:22:03.489700 web_php[70704].ERR [192.168.xxx.yyy] [Could not retrieve user c details] at /usr/share/zoneminder/www/includes/auth.php line 322

Any help is appreciated <3

Thank you and best regards,
pixl
Last edited by nepixl on Wed Oct 26, 2022 5:27 am, edited 4 times in total.

Re: Real IP behind reverse proxy for log entries (fail2ban)

Post by nepixl »

Since this is implemented,

Code: Select all

return  (
              ( isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on' )
              or
              ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and ( $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' ) )
            ) ? 'https' : 'http';
  }

my nginx config should look like this:

Code: Select all

       
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Proto $scheme;

I've tried that, but the local IP is still in web_php.log.

Any ideas? :(

Re: Real IP behind reverse proxy for log entries (fail2ban)

Post by nepixl »

Bump.

Does no one have an idea? :(

If I forgot some information, please let me know.
Also, I've searched this board for solutions but found nothing that helps me.

Hopefully someone can help.

Thank you in advance,
BR

Re: Real IP behind reverse proxy for log entries (fail2ban)

Post by iconnor »

Change /usr/share/zoneminder/www/includes/logger.php line 368, replace REMOTE_ADDR with HTTP_X_FORWARDED_HOST

Re: Real IP behind reverse proxy for log entries (fail2ban)

Post by nepixl »

Awesome, thank you for your reply.

Now I see the FQDN of the server itself.

Code: Select all

2022/10/25 16:30:40.020139 web_php[2868].ERR [sub.domain.xy] [Could not retrieve user trhrt details] at /usr/share/zoneminder/www/includes/auth.php line 322

My nginx config at the moment:

Code: Select all

server {
    # "ssl on;" is deprecated; TLS is enabled with the ssl parameter of listen
    listen 443 ssl http2;
    ssl_certificate /cert.pem;
    ssl_certificate_key /privkey.pem;

    server_name sub.domain.xy;

    access_log /var/log/nginx/nginx.*snipped*.access.log;
    error_log /var/log/nginx/nginx.*snipped*.error.log;

    location / {
        proxy_pass http://192.168.xxx.yyy:81/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Is this correct?! Any help is appreciated.

Thank you!

Edit: everything is working perfectly. App, stream, load of server, ... like a charm! Except the fail2ban log thing :(
Edit²: Do I have to change something on the Apache side? Usually not (it's not my first reverse proxy, but this time it gets hard :D)

Re: Real IP behind reverse proxy for log entries (fail2ban)

Post by nepixl »

Since no one wants to explain that correctly, I'll do this for the next person.

First of all: IT IS NOT NECESSARY TO EDIT ZoneMinder FILES
"Change /usr/share/zoneminder/www/includes/logger.php line 368, replace REMOTE_ADDR with HTTP_X_FORWARDED_HOST"
THIS IS NOT NEEDED!


ZoneMinder version: v1.36.31

Edit the nginx conf
default.conf or whatever you want #default nginx site

Code: Select all

vim /etc/nginx/conf.d/default.conf

Add proxy_set_header for location

Code: Select all

location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://192.168.xxx.yyy:81/;
    }

Create a new conf file for Apache

Code: Select all

vim /etc/apache2/conf-available/remoteip.conf

and add

Code: Select all

RemoteIPHeader X-Forwarded-For
# IP from proxy_pass (Apache does not allow a comment on the same line as a directive)
RemoteIPTrustedProxy 192.168.xxx.yyy

Activate this conf with

Code: Select all

a2enconf remoteip
service apache2 restart

And now /var/log/zm/web_php.log and $_SERVER['REMOTE_ADDR'] have the real IP:

2022/10/26 06:40:29.443236 web_php[5218].ERR [217.85.xxx.yyy] [Could not retrieve user testlogin details] at /usr/share/zoneminder/www/includes/auth.php line 322

Fail2Ban test:

Running tests
=============

Use failregex filter file : zoneminder, basedir: /etc/fail2ban
Use log file : /var/log/zm/web_php.log
Use encoding : UTF-8


Results
=======

Failregex: 2 total
|- #) [# of hits] regular expression
| 1) [2] ^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php
| 192.168.xxx.yyy Wed Oct 26 06:40:11 2022
| 217.85.yyy.xxx Wed Oct 26 06:40:29 2022

Used regex for fail2ban config:

Code: Select all

failregex = ^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php

F2B is now working and banning (if active)

Thanks for this project.

Have a good time :)
Greetings
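
A pre-flight check for the jail, added here as an example and not part of the original posts: it applies the thread's failregex to web_php.log lines and separates addresses that are safe to ban from hits that are the reverse proxy itself or not an IP address at all. The proxy address 192.168.1.10, the client 203.0.113.7, the sample lines and the simplified `<HOST>` and timestamp patterns are assumptions; fail2ban's own `<HOST>` expansion and date detection are more general.

```python
import ipaddress
import re

# Assumption: the address nginx connects to Apache from (masked in the thread).
PROXY_NETS = [ipaddress.ip_network("192.168.1.10/32")]

# failregex from the thread; <HOST> is replaced by a simplified stand-in group.
FAILREGEX = r"^\s*web_php\[\d+\]\.ERR \[<HOST>\].*includes/auth.php"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[\w.:-]+)"))
# fail2ban strips the timestamp it recognises before applying failregex.
TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ ")

# Constructed lines in the web_php.log format shown in the thread.
TAIL = "at /usr/share/zoneminder/www/includes/auth.php line 322"
SAMPLE_LOG = [
    f"2022/10/25 09:22:03.489700 web_php[70704].ERR [192.168.1.10] [Could not retrieve user c details] {TAIL}",
    f"2022/10/25 16:30:40.020139 web_php[2868].ERR [sub.domain.xy] [Could not retrieve user trhrt details] {TAIL}",
    f"2022/10/26 06:40:29.443236 web_php[5218].ERR [203.0.113.7] [Could not retrieve user testlogin details] {TAIL}",
    "2022/10/26 06:41:02.000001 web_php[5218].INF [203.0.113.7] [constructed non-error line]",
]


def classify_hits(lines):
    """Sort failregex hits into bannable clients, proxy addresses and non-IPs."""
    result = {"ban": [], "proxy": [], "not_ip": []}
    for line in lines:
        match = PATTERN.search(TIMESTAMP.sub("", line, count=1))
        if not match:
            continue  # not an auth failure line
        host = match.group("host")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            result["not_ip"].append(host)  # e.g. a hostname in the log
            continue
        if any(addr in net for net in PROXY_NETS):
            result["proxy"].append(host)  # Apache still sees the proxy
        else:
            result["ban"].append(host)
    return result


if __name__ == "__main__":
    for kind, hosts in classify_hits(SAMPLE_LOG).items():
        print(f"{kind}: {hosts}")
```

A non-empty `proxy` or `not_ip` list means the log does not yet carry the client address, so an active jail would act on the proxy or on a hostname rather than on the offending client. On Debian/Ubuntu, check that mod_remoteip is loaded (`a2enmod remoteip`) and that `RemoteIPTrustedProxy` names the address nginx connects from.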