That you see a Cloudflare address as the IP address in “login attempt” errors just means a hacker is using Cloudflare to attempt to break into your system.
Went through the HA code and it does something peculiar.
Per definition, an X-Forwarded-For is
X-Forwarded-For: client, proxy1, proxy2
So the originator of the request is always the first IP.
Now, HA goes through the list of proxies in the header, considers the first one that is not part of trusted_proxies as the originator, and uses that IP in the logs.
Hi all, till now I never adjusted settings to work well with a reverse proxy. I use proxmox and I have a ct with Nginx, registered a duckdns domain. If I try to access to HA using on my pc the duckdns url, a warning says my pc is not allowed in trusted network, so I must login with username and password and it works; if I enter with my local HA ip, in trusted network drop menu I select my user and enter without problem. Remote connection on my phone is working after reinstalling companion app, any advice is welcome, if login with user and password is simpler than configuring trusted network and proxies I can do this way without headaches.
I use Cloudflare with full proxy and encryption and the following worked for me
I used the following list of IPs from IP Ranges | Cloudflare and then any others added into my log file
I have cloudflare with proxy going to my HAProxy. Set all the cloudflare ranges to trusted…
And that isn’t working, I get the following errors: too many headers for X-Forwarded-For [client_ip, cf_proxy_ip]
Disable proxy on cloudflare and everything works fine. Anybody doing double reverse proxy? How do you get it to work?
Update: Disabled forward-for in HAProxy, re-enable proxy on CF and things are working again. Just not entirely sure if the correct IP is passed through to this stage. Will have to investigate more to continue later in the week.
This means the request has multiple X-Forwarded-For headers, which is wrong.
Assuming one is from cloudflare and another one is from HAProxy, there is something wrong in your HAProxy. It should have added itself to the already existing list of proxies in the existing header rather than creating one of its own.
Are you running Apache2 as a docker container?
Is it running on the same machine, in the same docker network?
If you have static IPs in your network you should only have to add the IP that has your reverse proxy.
If in the same docker network then the network address of that network should work; you can easily see this network if you use Portainer.
No Apache2 is running on Ubuntu, the container is running HA.
So yes, using static IPs…but they didn't work, so I added the network and bingo…I suspect it is an order thing, but that is for a time when I want to risk breaking a system that is now working
If the immediate caller is not in the trusted list, the request is rejected
Beyond that, if the request went through a chain of proxy, the first proxy not in the trusted list is considered as the originating IP.
If you’re using, e.g. cloudflare, that could lead to a cloudflare IP being listed as the caller unless you put every single known cloudflare proxy in your trusted list.
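The walk described in this post and in the earlier one about X-Forwarded-For (immediate caller must be trusted, then the first hop in the chain that is not a trusted proxy becomes the logged originator, and a request carrying more than one X-Forwarded-For header is rejected) can be modelled in a few lines. This is an added illustration, not Home Assistant's own code; the trusted networks and the addresses in the scenarios are constructed sample values, with 198.51.100.20 standing in for a Cloudflare edge IP.

```python
from ipaddress import ip_address, ip_network

# Constructed sample trusted_proxies list: loopback plus the LAN reverse proxy.
TRUSTED = [ip_network("127.0.0.1/32"), ip_network("192.168.0.7/32")]
# Constructed placeholder for one Cloudflare edge range (not a real Cloudflare prefix).
CLOUDFLARE_EDGE_RANGE = ip_network("198.51.100.0/24")


def is_trusted(ip, trusted):
    """True if ip falls inside any of the trusted proxy networks."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip, xff_headers, trusted):
    """Return the address that would be logged as the caller.

    peer_ip:     address of the immediate TCP peer (the last proxy in line)
    xff_headers: every X-Forwarded-For header value received, in order
    trusted:     list of ip_network objects, as in trusted_proxies
    Raises ValueError for the two rejection cases the thread describes.
    """
    # Rule 1: the proxy talking to us directly must itself be trusted.
    if not is_trusted(peer_ip, trusted):
        raise ValueError(f"immediate caller {peer_ip} is not a trusted proxy")
    # Rule 2: a second X-Forwarded-For header (e.g. HAProxy adding its own
    # instead of appending to Cloudflare's) is rejected outright.
    if len(xff_headers) > 1:
        raise ValueError(f"too many headers for X-Forwarded-For {xff_headers}")
    if not xff_headers:
        return peer_ip
    chain = [part.strip() for part in xff_headers[0].split(",")]
    # Rule 3: walk from the hop nearest us back toward the client; the first
    # hop that is not a trusted proxy is treated as the originator.
    for hop in reversed(chain):
        if not is_trusted(hop, trusted):
            return hop
    # Every hop was trusted: fall back to the leftmost (client) entry.
    return chain[0]


def demo():
    """Run the scenarios from the thread and return what gets logged."""
    results = {}
    # Plain LAN proxy in front of HA: the real client is logged.
    results["direct"] = resolve_client_ip("192.168.0.7", ["203.0.113.5"], TRUSTED)
    # Cloudflare in front of the LAN proxy, Cloudflare range NOT trusted:
    # the Cloudflare edge shows up as the "attacker".
    cf_chain = ["203.0.113.5, 198.51.100.20"]
    results["cloudflare_untrusted"] = resolve_client_ip("192.168.0.7", cf_chain, TRUSTED)
    # Same chain with the Cloudflare range added to trusted_proxies.
    results["cloudflare_trusted"] = resolve_client_ip(
        "192.168.0.7", cf_chain, TRUSTED + [CLOUDFLARE_EDGE_RANGE]
    )
    # Two X-Forwarded-For headers, as in the HAProxy + Cloudflare report.
    try:
        resolve_client_ip("192.168.0.7", ["203.0.113.5", "198.51.100.20"], TRUSTED)
        results["double_header"] = "accepted"
    except ValueError as err:
        results["double_header"] = str(err)
    # Proxy host not in trusted_proxies at all: connection refused.
    try:
        resolve_client_ip("192.168.0.50", ["203.0.113.5"], TRUSTED)
        results["untrusted_peer"] = "accepted"
    except ValueError as err:
        results["untrusted_peer"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "cloudflare_untrusted" scenario is exactly why a Cloudflare address appears in the login-attempt log unless every Cloudflare range is listed in trusted_proxies; note that trusting a CDN's published ranges also means trusting any header those proxies forward, so the list should stay as narrow as the deployment allows.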
I accept and appreciate that, but it doesn’t work! I had 127.0.0.1 as my sole trusted proxy, and I got the connection refused. An examination of the logs showed the proxy request was from 192.168.0.7, so I added that…still didn’t work.
It was only when I changed the whole thing to 192.168.0.0/24 that it worked…and I am baffled (and a little concerned, since that appears to mean any machine on the network will be a trusted proxy)
I will tinker with it and see if I can get a more elegant way of doing it, but for now…it works
Cheers
No the message was Still 192.168.0.7…and I have no idea why… I am going to have a play this morning… I will start by taking the whole network out & replacing with 192.168.0.7… And I will post the logs if it doesn’t work… I mean… What could possibly go wrong?
and it STILL breaks… But if I comment out 127.0.0.1 then it works… It seems that the order is vital (I think you may have said something to that in a previous post)
TBH this is way above my levels of competence or understanding, BUT I have a working system, and I feel it is more secure by limiting the proxies that access it.
Thanks for your help