
ReverseProxy über nginx: Bekomme keine "Real-IP"
« am: 29 Mai 2019, 17:45:04 »
Moin,

daheim rufe ich FHEM eigentlich immer über die IPv4 auf. Ab und an ging von der Arbeit aus der Zugriff auf FHEM nicht. Jetzt habe ich mir die Logs angesehen und stelle fest: `Login denied for user >jesus< via WEBnginx_<IP_des_nginxProxy>_43331`. WEBnginx ist eine FHEMWEB-Instanz, die nur für den Proxy da ist; die "normale" Instanz ist nicht von außen zu erreichen. Also hat Fail2Ban da fleißig die IP des Proxy gebannt, anstelle der echten IP.
Nun, grundsätzlich nicht schlimm, so sperrt er auch Angriffe aus. Blöd nur, wenn ich während eines Angriffs ebenfalls von außerhalb zugreifen will.

Liest FHEM die Forwarded-Header nicht aus? Oder habe ich einen Fehler in der Konfig?

Hier die nginx fhem.conf:
# Builds the RFC 7239 "for=" element for the current client from $remote_addr.
# $remote_addr is the peer of the TCP connection nginx accepted. Nothing in
# this file configures the realip module (set_real_ip_from / real_ip_header),
# so if another proxy or CDN sits in front of this nginx, the element names
# that hop rather than the end client.
map $remote_addr $proxy_forwarded_elem {
    # IPv4 addresses can be sent as-is
    ~^[0-9.]+$                    "for=$remote_addr";

    # IPv6 addresses need to be bracketed and quoted
    ~^[0-9A-Fa-f:.]+$             "for=\"[$remote_addr]\"";

    # Unix domain socket names cannot be represented in RFC 7239 syntax
    default                       "for=unknown";
}
# Value for the outgoing Forwarded header. If the incoming Forwarded header is
# syntactically valid, nginx's own element is appended to it; a malformed
# header is discarded and replaced by nginx's element alone. Everything left of
# the appended element is still client-supplied, so a consumer upstream should
# rely only on the last element, the one this proxy added.
map $http_forwarded $proxy_add_forwarded {
    # If the incoming Forwarded header is syntactically valid, append to it
    "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";

    # Otherwise, replace it
    default  "$proxy_forwarded_elem";
}
# Connection header to send upstream: "upgrade" while the client is performing
# a WebSocket handshake (it sent an Upgrade: header), "close" for plain
# requests where $http_upgrade is empty.
map $http_upgrade $connection_upgrade {
    default                       upgrade;
    ''                            close;
}
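# Classifies the client by User-Agent so the request can be routed to a
# per-device FHEMWEB port (see the $websocket map). Order matters: map tests
# regex entries in the order written, so an Android phone (UA contains
# "mobile") is classified 'mobile' before the 'tablet' entry is reached.
#
# Fix: both patterns ended in a literal "/i", a leftover flag from the
# JavaScript regex this list was copied from. In an nginx map "~*" already
# makes the match case-insensitive, and the "/i" became part of the pattern,
# so the last alternative of each entry ("xiino", "silk") could only match the
# literal text "xiino/i" / "silk/i". The trailing "/i" is dropped here.
#
# The User-Agent is chosen by the client; this map is a convenience for
# picking a layout and must not be treated as an access-control input.
map $http_user_agent $ua_device {
    default 'desktop';
    ~*(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ ce|xda|xiino 'mobile';
    ~*android|ipad|playbook|silk 'tablet';
}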
# FHEMWEB instance for desktop browsers; port 8000 is the WEBnginx definition
# quoted in the post. Traffic from the proxy to FHEM is plain HTTP, which is
# only acceptable on a network segment where nothing else can read it.
upstream websocket_desktop {
    server                        <IP_des_FHEM-Rechners>:8000;
}
# FHEMWEB instance for clients classified as 'mobile'. Its definition is not
# in the post; if port 8001 is one of the "normal" instances, it becomes
# reachable from outside through the proxy despite the stated intent —
# NOTE(review): confirm it carries the same auth/csrfToken hardening as WEBnginx.
upstream websocket_mobile {
    server                        <IP_des_FHEM-Rechners>:8001;
}
# FHEMWEB instance for clients classified as 'tablet'. Its definition is not
# in the post; if port 8085 is one of the "normal" instances, it becomes
# reachable from outside through the proxy despite the stated intent —
# NOTE(review): confirm it carries the same auth/csrfToken hardening as WEBnginx.
upstream websocket_tablet {
    server                        <IP_des_FHEM-Rechners>:8085;
}
# Picks the upstream group from the device class. Because the device class is
# derived from the client-chosen User-Agent, any caller can select any of the
# three FHEMWEB ports at will; each of them therefore needs the same
# authentication and hardening as the proxy-only WEBnginx instance.
map $ua_device $websocket {
    default                       'websocket_desktop';
    desktop                       'websocket_desktop';
    mobile                        'websocket_mobile';
    tablet                        'websocket_tablet';
}
# HTTPS front end for FHEM. Only /fhem is proxied; any other path falls
# through to nginx's defaults for this server.
server {
    # IPv6 wildcard only. With nginx's default ipv6only=on this socket does
    # not accept IPv4 clients; a separate "listen 443 ssl http2;" would be
    # needed for that. NOTE(review): the post says access is normally over
    # IPv4 — confirm which address family actually reaches this listener.
    listen                        [::]:443 ssl http2;
    server_name                   fhem.domain.tld;
    ssl_certificate               /usr/local/etc/letsencrypt/live/fhem.domain.tld/fullchain.pem;
    ssl_certificate_key           /usr/local/etc/letsencrypt/live/fhem.domain.tld/privkey.pem;
    # Chain used for OCSP stapling; it only has an effect if ssl_stapling is
    # enabled somewhere (not in this file).
    ssl_trusted_certificate       /usr/local/etc/letsencrypt/live/fhem.domain.tld/chain.pem;
    ssl_session_cache             shared:fhem:1m;
    location /fhem {
        # add_header in a location replaces, rather than extends, any
        # add_header set at server level (there is none here).
        add_header                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header                X-Frame-Options SAMEORIGIN;
        include                   conf.d/http/uriport.headers.without.CSP;
        # Upstream group chosen per request via the User-Agent maps above.
        proxy_pass                http://$websocket;
        # HTTP/1.1 plus Upgrade/Connection pass-through is what the WebSocket
        # longpoll of the FHEMWEB instance needs.
        proxy_http_version        1.1;
        proxy_set_header          Upgrade $http_upgrade;
        proxy_set_header          Connection $connection_upgrade;
        proxy_set_header          Host $host;
        # Client address as seen by nginx. X-Real-IP is nginx's own value;
        # X-Forwarded-For is the client-supplied header with $remote_addr
        # appended, so only its last entry can be trusted by the upstream.
        # None of these help unless the upstream evaluates one of them: the
        # log line quoted in the post shows the proxy's address, so FHEMWEB
        # apparently logs the TCP peer here — check the FHEMWEB documentation
        # for a forwarded-header option before relying on fail2ban at that layer.
        proxy_set_header          X-Real-IP $remote_addr;
        proxy_set_header          Forwarded $proxy_add_forwarded;
        proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header          X-Forwarded-Proto $scheme;
        # Unbuffered responses and 10-minute timeouts so long-polling and
        # WebSocket traffic is streamed instead of being cut off by nginx's
        # default 60 s read timeout.
        proxy_buffering           off;
        proxy_connect_timeout     600;
        proxy_send_timeout        600;
        proxy_read_timeout        600;
        send_timeout              600;
    }
}
# Plain-HTTP listener: redirects everything to HTTPS except the ACME
# challenge path used for certificate issuance/renewal.
server {
    # IPv6 wildcard only (default ipv6only=on); IPv4 clients would need a
    # separate "listen 80;" — confirm this matches the 443 listener's setup.
    listen                        [::]:80;
    server_name                   fhem.domain.tld;
    location / {
        # Redirect target uses the fixed $server_name rather than $host, so a
        # crafted Host header cannot turn this into an open redirect.
        return                    301 https://$server_name$request_uri;
    }
    location ^~ /.well-known/acme-challenge/ {
        # Challenge files served as plain text from the webroot the ACME
        # client writes into.
        default_type              "text/plain";
        root                      /usr/local/www/letsencrypt;
    }
    location = /.well-known/acme-challenge/ {
        # Exact match wins over the ^~ prefix above: a request for the bare
        # directory gets a 404 instead of whatever the root would serve.
        return                    404;
    }
}

Hier die FHEMWEB-Definition:
# FHEMWEB instance meant to be reached only through the nginx proxy (port 8000
# = upstream websocket_desktop). It is bound to the host's IPv4 address, which
# makes the port reachable from every host on that network, not only from the
# proxy; a host firewall rule limiting 8000 to the proxy's address would
# enforce the stated intent — NOTE(review): confirm on the FHEM host.
#
# The log line quoted in the post names WEBnginx_<IP_des_nginxProxy>_<port> as
# the source, i.e. the proxy's own address; a fail2ban filter keyed on that
# line bans the proxy and with it every external user. Whether FHEMWEB can log
# the X-Forwarded-For / Forwarded value nginx sends is not shown in this post
# (check the FHEMWEB documentation); otherwise the banning has to happen in
# front of FHEM, at the layer that still sees the client address.
defmod WEBnginx FHEMWEB 8000 <IPv4_des_FHEM-Rechners>
attr WEBnginx CORS 0
attr WEBnginx DbLogExclude .*
attr WEBnginx JavaScripts codemirror/fhem_codemirror.js
attr WEBnginx SVGcache 1
# Method allowlist and a random CSRF token that must travel in an HTTP header:
# both sensible for an instance that is reachable from the outside.
attr WEBnginx allowedHttpMethods GET|POST|HEAD
attr WEBnginx closeConn 0
attr WEBnginx csrfToken random
attr WEBnginx csrfTokenHTTPHeader 1
attr WEBnginx devStateIcon Initialized:10px-kreis-gelb Connected:10px-kreis-gruen disabled:10px-kreis-rot
attr WEBnginx endPlotNow 1
attr WEBnginx group Zugriff
# WebSocket longpoll: relies on the Upgrade/Connection headers the nginx
# location /fhem forwards with proxy_http_version 1.1.
attr WEBnginx longpoll websocket
attr WEBnginx longpollSVG 1
attr WEBnginx menuEntries DOIFtools,/fhem?detail=DOIFtools,CodeImport,/fhem?detail=Import#
attr WEBnginx plotEmbed 1
attr WEBnginx plotfork 1
attr WEBnginx plotmode SVG
attr WEBnginx reverseLogs 0
attr WEBnginx room System->Alles
# f18 style settings; purely cosmetic. The backslash-continued lines below
# form one attribute value and must not be split.
attr WEBnginx styleData {\
 "f18": {\
  "Pinned.menu": "true",\
  "cols.bg": "444444",\
  "cols.fg": "CCCCCC",\
  "cols.link": "FF9900",\
  "cols.evenrow": "333333",\
  "cols.oddrow": "111111",\
  "cols.header": "222222",\
  "cols.menu": "111111",\
  "cols.sel": "333333",\
  "cols.inpBack": "444444",\
  "savePinChanges": true,\
  "Pinned.detail.Internals": true,\
  "Pinned.Room.all.grp.CUL_HM": false,\
  "Pinned.Room.all.grp.Calendar": true,\
  "Pinned.Room.Unsorted.grp.CUL_HM": true\
 }\
}
attr WEBnginx stylesheetPrefix f18
Gruß
Florian
