From 7afea3df90617a92a52835a8239361413ffff1f1 Mon Sep 17 00:00:00 2001 From: Taloth Saldono Date: Mon, 27 Apr 2020 23:58:35 +0200 Subject: [PATCH] Log Real IP on Authentication failure in case of a reverse proxy closes #3711 --- .../Extensions/IpAddressExtensions.cs | 39 ++++++++----- .../X509CertificateValidationService.cs | 2 +- .../Authentication/AuthenticationService.cs | 56 +++++++++++++++++-- 3 files changed, 76 insertions(+), 21 deletions(-) diff --git a/src/NzbDrone.Common/Extensions/IpAddressExtensions.cs b/src/NzbDrone.Common/Extensions/IpAddressExtensions.cs index bf3e5cc78..573376cdb 100644 --- a/src/NzbDrone.Common/Extensions/IpAddressExtensions.cs +++ b/src/NzbDrone.Common/Extensions/IpAddressExtensions.cs @@ -1,29 +1,40 @@ -using System.Net; +using System.Net; +using System.Net.Sockets; -namespace NzbDrone.Common.Extensions +namespace NzbDrone.Common.Extensions { public static class IPAddressExtensions { public static bool IsLocalAddress(this IPAddress ipAddress) { - if (ipAddress.ToString() == "::1") + if (ipAddress.IsIPv6LinkLocal) { return true; } - byte[] bytes = ipAddress.GetAddressBytes(); - switch (bytes[0]) + if (IPAddress.IsLoopback(ipAddress)) { - case 10: - case 127: - return true; - case 172: - return bytes[1] < 32 && bytes[1] >= 16; - case 192: - return bytes[1] == 168; - default: - return false; + return true; } + + if (ipAddress.AddressFamily == AddressFamily.InterNetwork) + { + byte[] bytes = ipAddress.GetAddressBytes(); + switch (bytes[0]) + { + case 10: + case 127: + return true; + case 172: + return bytes[1] < 32 && bytes[1] >= 16; + case 192: + return bytes[1] == 168; + default: + return false; + } + } + + return false; } } } diff --git a/src/NzbDrone.Core/Security/X509CertificateValidationService.cs b/src/NzbDrone.Core/Security/X509CertificateValidationService.cs index c1ceeb3ec..450f4ceaf 100644 --- a/src/NzbDrone.Core/Security/X509CertificateValidationService.cs +++ b/src/NzbDrone.Core/Security/X509CertificateValidationService.cs @@ -50,7 +50,7 @@ namespace NzbDrone.Core.Security } if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses && - ipAddresses.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress())) + ipAddresses.All(i => i.IsLocalAddress())) { return true; } diff --git a/src/Radarr.Http/Authentication/AuthenticationService.cs b/src/Radarr.Http/Authentication/AuthenticationService.cs index cb5c5e844..a07988222 100644 --- a/src/Radarr.Http/Authentication/AuthenticationService.cs +++ b/src/Radarr.Http/Authentication/AuthenticationService.cs @@ -1,5 +1,6 @@ -using System; +using System; using System.Linq; +using System.Net; using System.Security.Claims; using System.Security.Principal; using Nancy; @@ -208,27 +209,70 @@ namespace Radarr.Http.Authentication public void LogUnauthorized(NancyContext context) { - _authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", context.Request.UserHostAddress, context.Request.Url.ToString()); + _authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", GetRemoteIP(context), context.Request.Url.ToString()); } private void LogInvalidated(NancyContext context) { - _authLogger.Info("Auth-Invalidated ip {0}", context.Request.UserHostAddress); + _authLogger.Info("Auth-Invalidated ip {0}", GetRemoteIP(context)); } private void LogFailure(NancyContext context, string username) { - _authLogger.Warn("Auth-Failure ip {0} username '{1}'", context.Request.UserHostAddress, username); + _authLogger.Warn("Auth-Failure ip {0} username '{1}'", GetRemoteIP(context), username); } private void LogSuccess(NancyContext context, string username) { - _authLogger.Info("Auth-Success ip {0} username '{1}'", context.Request.UserHostAddress, username); + _authLogger.Info("Auth-Success ip {0} username '{1}'", GetRemoteIP(context), username); } private void LogLogout(NancyContext context, string username) { - _authLogger.Info("Auth-Logout ip {0} username '{1}'", context.Request.UserHostAddress, username); + _authLogger.Info("Auth-Logout ip {0} username '{1}'", GetRemoteIP(context), username); + } + + private string GetRemoteIP(NancyContext context) + { + if (context == null || context.Request == null) + { + return "Unknown"; + } + + var remoteAddress = context.Request.UserHostAddress; + IPAddress remoteIP; + + // Only check if forwarded by a local network reverse proxy + if (IPAddress.TryParse(remoteAddress, out remoteIP) && remoteIP.IsLocalAddress()) + { + var realIPHeader = context.Request.Headers["X-Real-IP"]; + if (realIPHeader.Any()) + { + return realIPHeader.First().ToString(); + } + + var forwardedForHeader = context.Request.Headers["X-Forwarded-For"]; + if (forwardedForHeader.Any()) + { + // Get the first address that was forwarded by a local IP to prevent remote clients faking another proxy + foreach (var forwardedForAddress in forwardedForHeader.SelectMany(v => v.Split(',')).Select(v => v.Trim()).Reverse()) + { + if (!IPAddress.TryParse(forwardedForAddress, out remoteIP)) + { + return remoteAddress; + } + + if (!remoteIP.IsLocalAddress()) + { + return forwardedForAddress; + } + + remoteAddress = forwardedForAddress; + } + } + } + + return remoteAddress; } } }