mirror of
https://github.com/lidarr/lidarr.git
synced 2025-08-21 05:53:33 -07:00
Log Real IP on Authentication failure in case of a reverse proxy
(cherry picked from commit 686a14cdff63fcffe4fceee1f9a06d0b2dc3e813)
This commit is contained in:
Taloth Saldono
ta264
parent
647978466d
commit
620d005fe3
3 changed files with 73 additions and 18 deletions
|
|
@ -1,5 +1,6 @@
|
||||||
using System;
|
using System;
|
||||||
using System.Linq;
|
using System.Linq;
|
||||||
|
using System.Net;
|
||||||
using System.Security.Claims;
|
using System.Security.Claims;
|
||||||
using System.Security.Principal;
|
using System.Security.Principal;
|
||||||
using Lidarr.Http.Extensions;
|
using Lidarr.Http.Extensions;
|
||||||
|
|
@ -208,27 +209,70 @@ namespace Lidarr.Http.Authentication
|
||||||
|
|
||||||
public void LogUnauthorized(NancyContext context)
|
public void LogUnauthorized(NancyContext context)
|
||||||
{
|
{
|
||||||
_authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", context.Request.UserHostAddress, context.Request.Url.ToString());
|
_authLogger.Info("Auth-Unauthorized ip {0} url '{1}'", GetRemoteIP(context), context.Request.Url.ToString());
|
||||||
}
|
}
|
||||||
|
|
||||||
private void LogInvalidated(NancyContext context)
|
private void LogInvalidated(NancyContext context)
|
||||||
{
|
{
|
||||||
_authLogger.Info("Auth-Invalidated ip {0}", context.Request.UserHostAddress);
|
_authLogger.Info("Auth-Invalidated ip {0}", GetRemoteIP(context));
|
||||||
}
|
}
|
||||||
|
|
||||||
private void LogFailure(NancyContext context, string username)
|
private void LogFailure(NancyContext context, string username)
|
||||||
{
|
{
|
||||||
_authLogger.Warn("Auth-Failure ip {0} username '{1}'", context.Request.UserHostAddress, username);
|
_authLogger.Warn("Auth-Failure ip {0} username '{1}'", GetRemoteIP(context), username);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void LogSuccess(NancyContext context, string username)
|
private void LogSuccess(NancyContext context, string username)
|
||||||
{
|
{
|
||||||
_authLogger.Info("Auth-Success ip {0} username '{1}'", context.Request.UserHostAddress, username);
|
_authLogger.Info("Auth-Success ip {0} username '{1}'", GetRemoteIP(context), username);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void LogLogout(NancyContext context, string username)
|
private void LogLogout(NancyContext context, string username)
|
||||||
{
|
{
|
||||||
_authLogger.Info("Auth-Logout ip {0} username '{1}'", context.Request.UserHostAddress, username);
|
_authLogger.Info("Auth-Logout ip {0} username '{1}'", GetRemoteIP(context), username);
|
||||||
|
}
|
||||||
|
|
||||||
|
private string GetRemoteIP(NancyContext context)
|
||||||
|
{
|
||||||
|
if (context == null || context.Request == null)
|
||||||
|
{
|
||||||
|
return "Unknown";
|
||||||
|
}
|
||||||
|
|
||||||
|
var remoteAddress = context.Request.UserHostAddress;
|
||||||
|
IPAddress remoteIP;
|
||||||
|
|
||||||
|
// Only check if forwarded by a local network reverse proxy
|
||||||
|
if (IPAddress.TryParse(remoteAddress, out remoteIP) && remoteIP.IsLocalAddress())
|
||||||
|
{
|
||||||
|
var realIPHeader = context.Request.Headers["X-Real-IP"];
|
||||||
|
if (realIPHeader.Any())
|
||||||
|
{
|
||||||
|
return realIPHeader.First().ToString();
|
||||||
|
}
|
||||||
|
|
||||||
|
var forwardedForHeader = context.Request.Headers["X-Forwarded-For"];
|
||||||
|
if (forwardedForHeader.Any())
|
||||||
|
{
|
||||||
|
// Get the first address that was forwarded by a local IP to prevent remote clients faking another proxy
|
||||||
|
foreach (var forwardedForAddress in forwardedForHeader.SelectMany(v => v.Split(',')).Select(v => v.Trim()).Reverse())
|
||||||
|
{
|
||||||
|
if (!IPAddress.TryParse(forwardedForAddress, out remoteIP))
|
||||||
|
{
|
||||||
|
return remoteAddress;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!remoteIP.IsLocalAddress())
|
||||||
|
{
|
||||||
|
return forwardedForAddress;
|
||||||
|
}
|
||||||
|
|
||||||
|
remoteAddress = forwardedForAddress;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return remoteAddress;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,5 @@
|
||||||
using System.Net;
|
using System.Net;
|
||||||
|
using System.Net.Sockets;
|
||||||
|
|
||||||
namespace NzbDrone.Common.Extensions
|
namespace NzbDrone.Common.Extensions
|
||||||
{
|
{
|
||||||
|
|
@ -6,11 +7,18 @@ namespace NzbDrone.Common.Extensions
|
||||||
{
|
{
|
||||||
public static bool IsLocalAddress(this IPAddress ipAddress)
|
public static bool IsLocalAddress(this IPAddress ipAddress)
|
||||||
{
|
{
|
||||||
if (ipAddress.ToString() == "::1")
|
if (ipAddress.IsIPv6LinkLocal)
|
||||||
{
|
{
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (IPAddress.IsLoopback(ipAddress))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ipAddress.AddressFamily == AddressFamily.InterNetwork)
|
||||||
|
{
|
||||||
byte[] bytes = ipAddress.GetAddressBytes();
|
byte[] bytes = ipAddress.GetAddressBytes();
|
||||||
switch (bytes[0])
|
switch (bytes[0])
|
||||||
{
|
{
|
||||||
|
|
@ -25,5 +33,8 @@ namespace NzbDrone.Common.Extensions
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -50,7 +50,7 @@ namespace NzbDrone.Core.Security
|
||||||
}
|
}
|
||||||
|
|
||||||
if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
|
if (certificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
|
||||||
ipAddresses.All(i => i.IsIPv6LinkLocal || i.IsLocalAddress()))
|
ipAddresses.All(i => i.IsLocalAddress()))
|
||||||
{
|
{
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue