View Issue Details

IDProjectCategoryView StatusLast Update
0006275unrealircdpublic2023-06-13 20:26
Reporteradamus1red Assigned Tosyzop  
PrioritynormalSeverityfeatureReproducibilityhave not tried
Status resolvedResolutionfixed 
Product Version6.1.0 
Fixed in Version6.1.1-rc1 
Summary0006275: Add support for x-forward-for & forwarded headers in webserver module
DescriptionThe X-Forwarded-For header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy.

It is commonly used by CDN and reverse-proxying. This would allow using a normal webserver for proxying websocket connections rather than having to dedicate http/https ports for a single IRCd websocket.
TagsNo tags attached.
3rd party modules

Activities

syzop

2023-05-19 19:55

administrator   ~0022864

Last edited: 2023-05-19 19:55

k4be added support for the "Forwarded" header in the websocket module in Aug 2021. It's not well documented and I don't think there are many people using it so I can't vouch on how well it works, maybe k4be uses it himself on his net ?
It does not implement "X-Forwarded-For" or "Forwarded-for" headers though, so that would be a TODO item. Of course, if the other feature is working then this one should be easy (?) to implement.

syzop

2023-05-19 19:59

administrator   ~0022865

Last edited: 2023-05-19 20:00

Oh you say "Forwarded" in your bug title, yeah that should work. You must specify the IP of the proxy in listen::options::websocket::forward.
Here is an example (untested, see previous comments):

listen {
    ip *;
    port 8000;
    options {
        tls;
        websocket {
                type text;
                forward "127.0.0.1"; // IP of the proxy
        }
    }
    tls-options {
        certificate "/etc/letsencrypt/live/irc.example.org/fullchain.pem";
        key "/etc/letsencrypt/live/irc.example.org/privkey.pem";
        options {
            no-client-certificate;
        }
    }
}

adamus1red

2023-05-19 23:12

reporter   ~0022867

I've tried using the forward option. It doesn't seem to be working as expected.
After attempting to put the websocket behind a forwarding proxy I still get 127.0.0.1 reported as the source IP when a client connects via the websocket.
image.png (35,293 bytes)

syzop

2023-05-26 14:30

administrator   ~0022885

I did a couple of commits in latest git. Feel free to test it out. I verified that it works with the "Forwarded" header and have documented an example NGINX setup (although obviously you don't need to use NGINX).
Documentation is at https://www.unrealircd.org/docs/Proxy_block including that example.

For more information on using latest git, see https://www.unrealircd.org/docs/FAQ#How_do_I_get_the_latest_source_code.3F

Issue History

Date Modified Username Field Change
2023-05-19 19:44 adamus1red New Issue
2023-05-19 19:55 syzop Note Added: 0022864
2023-05-19 19:55 syzop Note Edited: 0022864
2023-05-19 19:59 syzop Note Added: 0022865
2023-05-19 20:00 syzop Note Edited: 0022865
2023-05-19 23:12 adamus1red Note Added: 0022867
2023-05-19 23:12 adamus1red File Added: image.png
2023-05-26 14:30 syzop Note Added: 0022885
2023-05-27 17:32 syzop Assigned To => syzop
2023-05-27 17:32 syzop Status new => feedback
2023-06-13 20:26 syzop Status feedback => resolved
2023-06-13 20:26 syzop Resolution open => fixed
2023-06-13 20:26 syzop Fixed in Version => 6.1.1-rc1