unraid/webgui

X-Forwarded-For and X-Real-IP Support

Opened this issue · 2 comments

Currently I use my own domain and an nginx container to access Unraid webGui when I’m not home because somehow Unraid Connect is not working in my case. LAN address is 192.168.31.72. However, once I (or someone) triggered Failed Login Restrictions, I cannot log in anymore even after connecting to a different network to change my actual IP address. Because of the reverse proxy, $remote_addr is always set to 192.168.31.72 when I’m using my own domain to log in. Can you add support for X-Forwarded-For and X-Real-IP so Unraid webGui can apply failed login restrictions correctly on the actual IP address instead of the LAN address 192.168.31.72?

Just in case this is missed - support for X-Forwarded-For and X-Real-IP should be disabled by default (so the admin explicitly has to enable them in the settings somewhere). If this is implemented and enabled by default it allows an attacker to easily circumvent IP bans by just sending these headers.

Ideally, there should also be an (additional) optional parameter to only allow / parse these HTTP headers coming from source IPs in a particular subnet - that way you can configure Unraid to only parse these headers when coming from your local reverse proxy and not when they're coming from elsewhere.

Looks like the nginx binary in Unraid is compiled with the --with-http_realip_module option which should make this fairly easy to add. All that would be needed is some config page that adds entries like these to the nginx config:

set_real_ip_from  192.168.31.72/32;
set_real_ip_from  2001:db8:1234:5678::72/128;
real_ip_header    X-Forwarded-For;

I'm going to test these and see if that's enough to make that work.
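
The trust rule discussed in this thread, as an added Python example (not code from Unraid, nginx or any commenter): the header is honoured only when the feature is enabled and the connecting peer is a listed proxy. The names `resolve_client_ip`, `enabled` and `recursive` are hypothetical, the right-to-left walk is modelled on nginx's documented `real_ip_recursive` behaviour, and the client addresses are constructed from documentation ranges.

```python
import ipaddress

# Proxy addresses taken from the set_real_ip_from lines above.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in
                   ("192.168.31.72/32", "2001:db8:1234:5678::72/128")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, xff, enabled=False, recursive=False):
    """Return the address that failed-login limits should be keyed on."""
    # Disabled by default, and never honoured for untrusted peers:
    # otherwise any client could pick its own address by sending the header.
    if not enabled or not xff or not is_trusted(remote_addr):
        return remote_addr
    try:
        hops = [str(ipaddress.ip_address(h.strip())) for h in xff.split(",")]
    except ValueError:
        return remote_addr  # malformed header: keep the socket address
    if not recursive:
        # Assumes the proxy appends the peer address it saw as the last entry.
        return hops[-1]
    # Recursive: walk right to left past trusted proxies.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop trusted (choice made for this example)


if __name__ == "__main__":
    proxy = "192.168.31.72"
    # Constructed requests: (label, socket peer, header value, enabled).
    cases = [
        ("via proxy", proxy, "203.0.113.9", True),
        ("client-supplied entry, via proxy", proxy, "10.0.0.1, 203.0.113.9", True),
        ("direct request carrying the header", "198.51.100.7", "10.0.0.1", True),
        ("feature left at its default", proxy, "203.0.113.9", False),
    ]
    for label, peer, xff, enabled in cases:
        print(f"{label}: {resolve_client_ip(peer, xff, enabled)}")
```

The last-entry rule only holds if the reverse proxy itself appends or overwrites the header; a proxy that passes the client's header through unchanged gives the client control of the resolved address.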