X-Forwarded-For HTTP Header isn't used about firewall HOT 7 OPEN

@davidglassborow It worked, thank you very much for the assistance

from firewall.

Proposing PR #12 for this issue.

from firewall.

@nickntg Do you know of a temporary workaround for this while we wait for the fix to be merged?

from firewall.

The RemoteIpAddress should be set automatically by the corresponding ASP.NET Core middleware if you have configured it correctly. Obviously you must plug the forwarded for middleware before the firewall middleware for it to be picked up by the firewall as well. If the RemoteIpAddress is not set correctly then the forwarded for middleware is misconfigured. I don't think there is a bug in the firewall here. Maybe show me some code of your middlewares and I can help diagnose the issue.

from firewall.

A common error I see if that the Forwarded header middleware only trusts localhost proxies by default. The RemoteIpAddress etc will not be set if the proxy if not running on locahost. See https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-8.0.

The following shows how to bypass that for testing, for prod you should specify the proxy - see example

       // Sort out headers so works in front of a proxy
        var config = new ForwardedHeadersOptions()
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto,
            ForwardLimit = 100
        };
        // https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-8.0
        // By default the code only trusts localhost proxies, which doesn't help us in Docker or K8s.
        config.KnownProxies.Clear();
        config.KnownNetworks.Clear(); ;
        app.UseForwardedHeaders(config);

from firewall.

The RemoteIpAddress should be set automatically by the corresponding ASP.NET Core middleware if you have configured it correctly. Obviously you must plug the forwarded for middleware before the firewall middleware for it to be picked up by the firewall as well. If the RemoteIpAddress is not set correctly then the forwarded for middleware is misconfigured. I don't think there is a bug in the firewall here. Maybe show me some code of your middlewares and I can help diagnose the issue.

So with this, I have added the configuration as it is highlighted in the docs, see the screenshot below (we are using this along with Yarp), and it seems to work on my local machine but does not map the remote IP address correctly in our Kubernetes environment where the traffic is controlled using an nginx controller that plays a load balancer role, it keeps the Nginx pod's IP address as the remote IP address.

This is just a snippet of where the firewall is configured with some debug logs when the access denied delegate is triggered.

Could the problem be the fact that I am configuring the firewall on the Yarp pipeline?

from firewall.

The RemoteIpAddress should be set automatically by the corresponding ASP.NET Core middleware if you have configured it correctly. Obviously you must plug the forwarded for middleware before the firewall middleware for it to be picked up by the firewall as well. If the RemoteIpAddress is not set correctly then the forwarded for middleware is misconfigured. I don't think there is a bug in the firewall here. Maybe show me some code of your middlewares and I can help diagnose the issue.

So with this, I have added the configuration as it is highlighted in the docs, see the screenshot below (we are using this along with Yarp), and it seems to work on my local machine but does not map the remote IP address correctly in our Kubernetes environment where the traffic is controlled using an nginx controller that plays a load balancer role, it keeps the Nginx pod's IP address as the remote IP address.

This is just a snippet of where the firewall is configured with some debug logs when the access denied delegate is triggered.

Could the problem be the fact that I am configuring the firewall on the Yarp pipeline?

Read my comment - you need to either clear the KnownProxies, or add your K8 ingress as a KnownProxy.

from firewall.