EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09008


< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] Finding remote IP


CAUTION: This e-mail originated outside the University of Southampton.

Hi Matt,

I think this discussion: https://github.com/eprints/eprints/issues/214 may be useful.

This was around Apache 2.2 / 2.4 changes, but relevant to your question.

 

The $repo->remote_ip will deal with X-Forwarded-For headers, and presents the client IP.

IMO, this is OK for logging requests.

 

For use in security.pl, you need to work out where your trust ends.

e.g. if you are presented with a chain of 4 IP addresses in an X-Forwarded-For header, you may only want to trust those that you are in control of.

Anything beyond a proxy that you (or your institution) are in control of could be spoofing information.

 

Let me know if that helps, or if you want more details.

 

Cheers,

John

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Matthew Brady via Eprints-tech
Sent: 13 July 2022 01:55
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] Finding remote IP

 

CAUTION: This e-mail originated outside the University of Southampton.

Hi All,

 

In the 3.3.16 codebase we use, there is a section within the security.pl file, to allow decisions to be made based on where the request comes from.. which has been in place for 10+ years,

 

my $ip = $r->connection()->remote_ip();

 

Changes within our systems space (proxies, load balancers et. al.), now see this call returning the wrong IP.  Not getting the actual requester machine IP, but an intermediatory.

The curious thing is, the Apache access logs, and the details stored via LogHandler.pm (details stored in db access table), have the correct IP.

It uses the following two lines to get the ip….

 

my $doc = $r->pnotes( "document" );

my $ip = $doc->repository->remote_ip;

      

Just wondering if anyone with understanding of the perl magic that’s going on, can foresee problems using the LogHandler code within the security.pl.

Testing so far shows it produces the correct results for whitelisting etc, within the security.pl logic.

 

 

Cheers,

 

Matt

 

__________________________________________________________________

This email (including any attached files) is confidential and is 

for the intended recipient(s) only. If you received this email by 

mistake, please, as a courtesy, tell the sender, then delete this 

email.

The views and opinions are the originator's and do not necessarily 

reflect those of the University of Southern Queensland. Although 

all reasonable precautions were taken to ensure that this email 

contained no viruses at the time it was sent we accept no 

liability for any losses arising from its receipt.

The University of Southern Queensland is a registered provider 

of education with the Australian Government.

(CRICOS Institution Code QLD 00244B / NSW 02225M, TEQSA PRV12081)