Audit Log - Real IP Address

Hello,

We have deployed our privacyIDEA behind a reverse proxy:

< Client > - < Cloud Load Balancer > - < HA Proxy > - < NGINX >.
177.45.102.168 - 10.123.128.15 - 10.123.130.5 - 10.123.130.30

HA Proxy is sending the real client IP (header X-Forwarded-For), according to the NGINX access logs:

10.123.130.5 - - [12/Dec/2023:17:03:48 -0300] “POST /auth HTTP/1.1” 401 755 “https://pi.xxx.xxx/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 OPR/105.0.0.0” “177.45.102.168, 10.123.128.15”

Real IP Address: “177.45.102.168”.

But in the audit log I can only see the IP address of the reverse proxy: “10.123.130.5”.

Is there a way to log the real IP address in the audit log?

Cheers,

Thiago.

Just an update: setting the option “Override Authorization Clients” to “0.0.0.0/0” changes the Audit log IP to the load balancer in front of HA Proxy (10.123.128.15).

The architecture in fact is:

< Client > - < Cloud Load Balancer > - < HA Proxy > - < NGINX >.
177.45.102.168 - 10.123.128.15 - 10.123.130.5 - 10.123.130.30

Cheers,

I managed the issue by disabling the “forwardfor” option in HA Proxy, so the “X-Forwarded-For” header only contains one IP (the public one sent by the cloud load balancer). privacyIDEA audit logs capture the last IP from the “X-Forwarded-For” header. The “X-Forwarded-For” header can have more than one address if there is more than one reverse proxy. I believe this issue is more focused on infrastructure than privacyIDEA itself.

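An added example, not part of the thread and not privacyIDEA's own code: one common way to pick the client address from a multi-hop “X-Forwarded-For” header is to walk it from right to left and stop at the first address that is not one of your own proxies, which also ignores entries a client injects at the left. The function name and the trusted-proxy lists are assumptions; the addresses are the ones from this thread, plus a constructed 203.0.113.7 as a forged entry.

```python
import ipaddress


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Walk back from the socket peer through X-Forwarded-For and return
    the first address that is not one of our own (trusted) proxies."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_ip)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # Each proxy appends the address it received the connection from,
    # so the rightmost entry was written by the hop closest to us.
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # current was not written by us: do not look further left
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
    return str(current)


# Values from the thread: NGINX sees HA Proxy as the peer.
PEER = "10.123.130.5"
XFF = "177.45.102.168, 10.123.128.15"
HAPROXY_ONLY = ["10.123.130.5/32"]
BOTH_PROXIES = ["10.123.130.5/32", "10.123.128.15/32"]

if __name__ == "__main__":
    print(resolve_client_ip(PEER, XFF, []))            # 10.123.130.5
    print(resolve_client_ip(PEER, XFF, HAPROXY_ONLY))  # 10.123.128.15
    print(resolve_client_ip(PEER, XFF, BOTH_PROXIES))  # 177.45.102.168
    # Constructed: client sends its own X-Forwarded-For with a forged entry.
    forged = "203.0.113.7, " + XFF
    print(resolve_client_ip(PEER, forged, BOTH_PROXIES))  # 177.45.102.168
```

Trusting only HA Proxy yields the load balancer address, and trusting both hops yields the public client address without having to disable “forwardfor”.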