Opened 8 years ago
Closed 8 years ago
#694 closed Feature Wish (wontfix)
port-share change all https-request-IPs to localhost
Reported by: | openfish | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN git master branch (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | port-share IP, feature wish, x-forwarded-for |
Cc: |
Description
Hello,
port-share is a nice feature. But in Apache all requests appear to come from localhost. So it isn't possible to use .htaccess with "Require ip" or to see remote (attackers') IPs in access.log. That is a risk.
Can you change it to forward the original IP when using port-share?
With regards
openfish
Change History (3)
comment:1 Changed 8 years ago by
Keywords: | feature wish x-forwarded-for added |
---|---|
Severity: | Patch Queue: New / awaiting ACK → Not set (if unsure, select this one) |
Type: | TODO (General task list) → Feature Wish |
Version: | 2.3.4 → git master branch |
comment:2 Changed 8 years ago by
cron02's suggestion of adding the X-Forwarded-For is the correct one. The web server would need to process that information, then.
comment:3 Changed 8 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Umm. Silly me. This is https, not http, and we're not decrypting the https client's SSL, just forwarding TCP traffic - so we cannot insert headers.
Sorry.
This is the way it works: openvpn opens a new socket to the https server, and proxies the connection by copying bytes in and out.
To provide the original remote IP, one would have to add a header (X-Forwarded-For:) and pull this out of the stream with the Apache module mod_remoteip - but we're currently not doing so. It might be a nice feature to add to 2.4, but it won't come to 2.3.
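
The byte-copy proxying described in this ticket, as an added example that is not OpenVPN code and not part of the original ticket: a minimal Python relay on loopback showing that the backend's accepted peer address belongs to the relay's new socket rather than the client, and that the payload arrives unmodified. The function names, the constructed payload and the use of 127.0.0.2 as a stand-in for a remote client are assumptions for illustration.

```python
import socket
import threading

def pump(src, dst):  # copy bytes verbatim until EOF; nothing is parsed, so nothing can be inserted
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def relay_once(front, backend_addr, seen):
    client, seen["relay_saw"] = front.accept()          # the real client address is known only here
    upstream = socket.create_connection(backend_addr)   # new socket: its source is the relay itself
    back = threading.Thread(target=pump, args=(upstream, client))
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def backend_once(backend, seen):
    conn, seen["backend_saw"] = backend.accept()        # the address a "Require ip" rule or access.log gets
    data = b""
    while chunk := conn.recv(4096):
        data += chunk
    seen["backend_data"] = data
    conn.close()

def demo(payload=b"\x16\x03\x01 constructed opaque bytes standing in for TLS"):
    seen = {}
    backend = socket.create_server(("127.0.0.1", 0))    # stand-in for the https server
    front = socket.create_server(("127.0.0.1", 0))      # stand-in for the shared port
    workers = [threading.Thread(target=backend_once, args=(backend, seen)),
               threading.Thread(target=relay_once, args=(front, backend.getsockname(), seen))]
    for w in workers:
        w.start()
    try:  # 127.0.0.2 plays the remote client where the OS treats all of 127/8 as local
        client = socket.create_connection(front.getsockname(), source_address=("127.0.0.2", 0))
    except OSError:
        client = socket.create_connection(front.getsockname())
    seen["client"] = client.getsockname()
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    client.recv(1)                                      # b"" once the relay has closed its side
    for s in (client, backend, front):
        s.close()
    for w in workers:
        w.join()
    return seen

if __name__ == "__main__":
    print(demo())
```

Only `relay_saw` matches the client's address; `backend_saw` is always a 127.0.0.1 socket owned by the relay, which is why logging and IP-based access rules on the backend cannot distinguish clients.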