Add a Directive to get a Proxied Client's IP Address (Closes #341) #342
thekief wants to merge 2 commits into owasp-modsecurity:master from
Conversation
Please let me know if the whitespace changes in the readme should be removed. I made the changes using VS Codium and didn't know that it forces a newline encoding.

No worries, that's in a good place. Anyway, thanks for the PR. I'm thinking that we should add new test cases for each new PR which adds a new feature, like this one. I mean, please take a look at the regression test file of this repository: how could we make a config where we can see that the modified code does what the author wants? This is important, because if someone in the future sends a new PR, we must be sure this behavior does not change. Do you have any idea?
Yeah, I have an idea for a test case. If that's alright with you, I would add 2 new endpoints to the test configuration:

What do you think of that?
Hi @thekief, I tried to check your patch, but maybe I'm doing something wrong: I can't see the client's IP in my log. Here is my config: As you can see, I created a simple vhost for static files; there I turned on modsecurity, loaded rules and turned on your new feature. I also set separate logs (both access and error). Below that I created a proxy which sends all requests to that site. Here is how I checked that: where With this request I get this line in my error.log: Where should I see my client IP instead of Or maybe I misunderstand something.
To clear up a small misunderstanding, the "Proxy Protocol" I am talking about is specified in the I will add an example configuration tomorrow.

Thanks - then I can help you to create test cases. And of course, examples are always helpful.
Just a quick update that I couldn't get to it yet, as some other things were more pressing. I should have something working by Monday 😅
@thekief any update on this?
Hi,
So, for example we could use If
Regarding configuration, I would have done the following:

nginx.conf:

```nginx
pid /tmp/nginx.pid;
error_log /dev/stdout info;

events {
    worker_connections 2000;
}

user www-data;

http {
    # Listener that accepts the PROXY protocol but leaves the new directive off:
    # ModSecurity keeps the TCP peer address as the client IP.
    server {
        listen 8080 proxy_protocol;
        root /var/www/html;
        index index.html;
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsecurity_includes.conf;
        modsecurity_proxy_protocol_ip off;
        location / {
            return 200;
        }
    }

    # Same listener with the new directive on: ModSecurity should report the
    # source address carried in the PROXY header as the client IP.
    server {
        listen 8081 proxy_protocol;
        root /var/www/html;
        index index.html;
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsecurity_includes.conf;
        modsecurity_proxy_protocol_ip on;
        location / {
            return 200;
        }
    }
}
```

REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:

Resulting in the following output when executing

```
{"transaction":{"client_ip":"172.21.0.1","time_stamp":"Wed Jun 11 13:32:17 2025","server_id":"575f816b3c1769ef25a49fc7dcabe0a096d605ee","client_port":37068,"host_ip":"172.21.0.2","host_port":8080,"unique_id":"17496487374.770509","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"localhost:8080","User-Agent":"curl/8.14.1","Accept":"*/*","Animal":"worm"}}...
```

If

```
{"transaction":{"client_ip":"123.123.123.123","time_stamp":"Wed Jun 11 13:32:12 2025","server_id":"575f816b3c1769ef25a49fc7dcabe0a096d605ee","client_port":42630,"host_ip":"172.21.0.2","host_port":8081,"unique_id":"174964873292.593363","request":{"method":"GET","http_version":1.1,"uri":"/","headers":{"Host":"localhost:8081","User-Agent":"curl/8.14.1","Accept":"*/*","Animal":"worm"}}...
```
with this request I got a
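Added example, not part of this PR or of the ModSecurity-nginx code base: a small Python model of the behaviour the thread describes. It parses a PROXY protocol v1 header (the `PROXY TCP4 src dst sport dport\r\n` line that a front proxy prepends to the TCP stream) and then applies the two checks the PR description names: the proxied source address replaces the peer address only when the directive is on and a PROXY header was actually present. The header bytes and the addresses are constructed from the log excerpts above, and the function names `parse_proxy_v1` and `effective_client_ip` are hypothetical, not the module's API.

```python
import ipaddress
from typing import Optional

# Constructed PROXY v1 header using the addresses from the audit-log excerpts
# above (the 8081 case); it was not captured from a real connection.
SAMPLE_V1_HEADER = b"PROXY TCP4 123.123.123.123 172.21.0.2 42630 8081\r\n"

# Address nginx sees on the accepted TCP connection, i.e. the upstream proxy
# (constructed, taken from the 8080 log line above).
SAMPLE_REMOTE_ADDR = "172.21.0.1"

V1_MAX_LEN = 107  # longest legal v1 header including CRLF (per the spec)


def parse_proxy_v1(data: bytes) -> Optional[dict]:
    """Parse a PROXY protocol v1 header from the start of a byte stream.

    Returns None when the bytes are not a v1 header at all (plain HTTP, say),
    a dict with the parsed fields otherwise. The 'UNKNOWN' family is accepted
    but carries no addresses. Malformed headers raise ValueError so a caller
    fails closed instead of trusting a half-parsed address.
    """
    if not data.startswith(b"PROXY "):
        return None
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > V1_MAX_LEN:
        raise ValueError("PROXY v1 header missing CRLF or too long")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Sender could not determine the client; anything after UNKNOWN is ignored.
        return {"family": "UNKNOWN", "consumed": end + 2}
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unexpected PROXY v1 field layout")
    _, family, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    want = 4 if family == "TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match the addresses")
    sp, dp = int(sport), int(dport)
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range")
    return {
        "family": family,
        "src_addr": str(src_ip),
        "dst_addr": str(dst_ip),
        "src_port": sp,
        "dst_port": dp,
        "consumed": end + 2,  # bytes to strip before the real request begins
    }


def effective_client_ip(remote_addr: str, stream: Optional[bytes],
                        directive_on: bool) -> str:
    """Choose the client IP the way the directive in this thread is described.

    Both conditions must hold for the proxied address to be used: the option
    is enabled, and a usable PROXY header was really present on the stream.
    Otherwise the TCP peer address is kept.
    """
    if not directive_on:
        return remote_addr
    parsed = parse_proxy_v1(stream) if stream else None
    if parsed is None or parsed["family"] == "UNKNOWN":
        return remote_addr
    return parsed["src_addr"]


if __name__ == "__main__":
    # Mirrors the two listeners in the config above: 8080 (off) and 8081 (on).
    print("directive off:", effective_client_ip(SAMPLE_REMOTE_ADDR, SAMPLE_V1_HEADER, False))
    print("directive on: ", effective_client_ip(SAMPLE_REMOTE_ADDR, SAMPLE_V1_HEADER, True))
    print("on, no header:", effective_client_ip(SAMPLE_REMOTE_ADDR, b"GET / HTTP/1.1\r\n", True))
```

In real nginx the header is consumed by the `listen ... proxy_protocol` option and exposed as `$proxy_protocol_addr`; the model above only shows which address ends up in `client_ip` under each setting. The same property that makes the feature useful is the thing to keep in mind when deploying it: a listener that accepts the PROXY protocol believes whatever source address the connecting peer writes, so such a listener should only be reachable from the front proxy that is meant to send it.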
Sorry for the late reply. Did you check the ModSecurity logs? They are relevant, as I could already previously modify the nginx configuration as needed. Please retest it and let me know.



As written in #341, this patch adds functionality to obtain a client's IP address if the request has been proxied using the Proxy Protocol.
Besides the check whether the option is enabled, I added a check whether the Proxy Protocol is actually being used.