Opened 4 years ago

Closed 4 years ago

#694 closed Feature Wish (wontfix)

port-share change all https-request-IPs to localhost

Reported by: openfish
Owned by:
Priority: minor
Milestone:
Component: Generic / unclassified
Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: port-share IP, feature wish, x-forwarded-for
Cc:

Description

Hello,

port-share is a nice feature. But in Apache all requests appear to come from localhost. So it isn't possible to use .htaccess with "Require ip" and see remote (attackers') IPs in access.log. That is a risk.

Can you change it to forward the original IP when using port-share?

With regards
openfish

Change History (3)

comment:1 Changed 4 years ago by Gert Döring

Keywords: feature wish x-forwarded-for added
Severity: Patch Queue: New / awaiting ACK → Not set (if unsure, select this one)
Type: TODO (General task list) → Feature Wish
Version: 2.3.4 → git master branch

This is the way it works: openvpn opens a new socket to the https server, and proxies the connection by copying bytes in and out.

To provide the original remote IP, one would have to add a header (X-Forwarded-For:) and pull this out of the stream by the Apache module mod_remoteip - but we're currently not doing so. It might be a nice feature to add to 2.4, but it won't come to 2.3.

comment:2 Changed 4 years ago by Eric Crist

cron02's suggestion of adding the X-Forwarded-For is the correct one. The web server would need to process that information, then.

comment:3 Changed 4 years ago by Gert Döring

Resolution: wontfix
Status: new → closed

Umm. Silly me. This is https, not http, and we're not decrypting the https client's SSL, just forwarding TCP traffic - so we cannot insert headers.

Sorry.
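
The proxying described in comment:1, as an added example that is not part of the ticket and is not OpenVPN's code: a byte-copying relay on loopback, with 127.0.0.2 as a constructed client address (assumes Linux, where all of 127.0.0.0/8 is local). The backend's accepted peer is the relay's own outbound socket, which is why Apache's access.log and "Require ip" only ever see localhost.

```python
import socket
import threading

def relay_demo(payload=b"\x16\x03\x01 constructed stand-in for TLS bytes"):
    """Return (client_addr, relay_outbound_addr, peer_seen_by_backend, echoed)."""
    seen = {}
    backend = socket.create_server(("127.0.0.1", 0))  # stands in for Apache
    relay = socket.create_server(("127.0.0.1", 0))    # stands in for the shared port

    def backend_loop():
        conn, peer = backend.accept()
        with conn:
            seen["peer"] = peer            # the address an access log would record
            conn.sendall(conn.recv(4096))  # echo, so the client gets a reply

    def relay_loop():
        down, _ = relay.accept()
        # New socket to the backend: its source address is the relay's, not the client's.
        up = socket.create_connection(backend.getsockname(), timeout=5)
        with down, up:
            seen["relay_out"] = up.getsockname()
            up.sendall(down.recv(4096))    # copy bytes in ...
            down.sendall(up.recv(4096))    # ... and out, without parsing them

    threads = [threading.Thread(target=f) for f in (backend_loop, relay_loop)]
    for t in threads:
        t.start()
    # Constructed client address: 127.0.0.2 plays the role of the remote host.
    with socket.create_connection(relay.getsockname(), timeout=5,
                                  source_address=("127.0.0.2", 0)) as client:
        client_addr = client.getsockname()
        client.sendall(payload)
        echoed = client.recv(4096)
    for t in threads:
        t.join()
    backend.close()
    relay.close()
    return client_addr, seen["relay_out"], seen["peer"], echoed

if __name__ == "__main__":
    client_addr, relay_out, peer, _ = relay_demo()
    print("client connected from :", client_addr)
    print("backend logged peer   :", peer, "(relay socket:", relay_out, ")")
```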
