Re: [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support

From: Thomas Skinner <thomas@atskinner.net>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>,
	Thomas Lamprecht <t.lamprecht@proxmox.com>
Subject: Re: [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support
Date: Mon, 25 Nov 2024 17:41:49 -0600	[thread overview]
Message-ID: <CALn9RMf577OHfCX0f_XuVNo+Jk+WUWk_Wkeo6efSwg=tmaDDTg@mail.gmail.com> (raw)
In-Reply-To: <1918265431.10020.1732534276567@webmail.proxmox.com>

On Mon, Nov 25, 2024 at 5:31 AM Fabian Grünbichler
<f.gruenbichler@proxmox.com> wrote:
>
>
> > Thomas Lamprecht <t.lamprecht@proxmox.com> hat am 25.11.2024 12:17 CET geschrieben:
> >
> >
> > Am 25.11.24 um 10:05 schrieb Fabian Grünbichler:
> > > yeah, we could switch to the new format *only* if the header option is set?
> > > as else, the two IPs are identical anyway, so logging the same one twice
> > > while breaking the format provides no benefit?
> > >
> > > and then maybe with 9.0 switch the format unconditionally, so that
> > > parsers/fail2ban configs only need to handle one of them going forward..
> >
> > Sounds fine to me. Albeit for some this still might break, if they already
> > use a reverse proxy now – but these people at least could not have any
> > (working) fail2ban, as they just would have banned the IP of their reverse
> > proxy, so it should be fine I think.
>
> it would still require enabling the new feature on the pveproxy side (that's what I meant with "header option", not that the default header is set on the HTTP request), so it's completely opt-in?

Yes, to log the real client IP from the proxy, the header would need
to be set in the PROXY_REAL_IP_HEADER option anyway to even get the
data. If anything, having the option would help those with the
"broken" fail2ban have the real client IP data instead of the proxy
IP.

I don't have any issues with keeping the format as-is and logging the
real IP instead of the peer IP. This can be covered in the docs and
would have to be explicitly enabled to change the current logging
behavior. This way the patch doesn't break any existing log analyzer
but the feature is there available for the user. The TRUSTED_PROXY_IPS
helps with the risk of not logging the proxy/peer IP by limiting the
list of sources that can set the header.

> > btw., and sorry if I just missed this on reading, how do others log this?
> > I.e., is there any somewhat common format and does this patch already
> > adheres to that format?
>
> that would indeed be nice to know! :)
>

I'm not sure that there is or is not a standard for logging the client
IP and peer/proxy IP information together. In my experience, it has
been a custom log format (specifically in Apache httpd) to output both
of them. Across products, for web-based logs, I've seen Apache/NCSA
style, semi-structured key/value text, or structured JSON objects. I'd
argue that the JSON is the most compatible since it explicitly labels
the data fields, but that would be a breaking change from what PVE is
doing now for logging, and it's not friendly for human readability.

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel