feat(events): add information on X-Forwarded-For header #907
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rasa
approved these changes
Apr 11, 2025
calmh
added a commit
to syncthing/syncthing
that referenced
this pull request
Apr 23, 2025
### Purpose Fix #9336 The `emitLoginAttempt` function now checks for the presence of an `X-Forwarded-For` header. The IP from this header is only used if the connecting host is either on loopback or on the same LAN. In the case of a host pretending to be a proxy, we'd still have both IPs in the logs, which should make this much less critical from a security standpoint. ### Testing 1. directly via localhost 2. via proxy an localhost #### Logs ``` [3JPXJ] 2025/04/11 15:00:40 INFO: Wrong credentials supplied during API authorization from 127.0.0.1 [3JPXJ] 2025/04/11 15:03:04 INFO: Wrong credentials supplied during API authorization from 192.168.178.5 proxied by 127.0.0.1 ``` #### Event API ``` { "id": 23, "globalID": 23, "time": "2025-04-11T15:00:40.578577402+02:00", "type": "LoginAttempt", "data": { "remoteAddress": "127.0.0.1", "success": false, "username": "sdfsd" } }, { "id": 24, "globalID": 24, "time": "2025-04-11T15:03:04.423403976+02:00", "type": "LoginAttempt", "data": { "proxy": "127.0.0.1", "remoteAddress": "192.168.178.5", "success": false, "username": "sdfsd" } } ``` ### Documentation syncthing/docs#907 --------- Co-authored-by: Jakob Borg <jakob@kastelo.net>
|
@calmh can we merge here as the changes are already live with v1.29.6? |
|
Of course. Y'all don't need to gate everything on me. |
|
I'd merge if I could 😅 #904 and this PR are both blocked by policy-bot despite having an approval as far as I can see. |
tomasz1986
changed the title
calmh
added a commit
that referenced
this pull request
May 27, 2025
* main: (28 commits) chore(config): document options for audit logs (#916) chore(advanced): clarify multiple connections over relays (#911) fix(specs): state that both A and B are in session mode (fixes #802) (#908) build(deps): bump golang.org/x/crypto from 0.31.0 to 0.35.0 in /_script (#910) Update author list fix(config): update default value of `maxConflicts` (#929) fix(profiling): sentence clarity (#928) feat(faq): add note with example about what can be synced (#922) chore(bep): update for TLS 1.3 (#924) feat(events): add information on X-Forwarded-For header (#907) chore(config): mention STUN SRV record (#904) Update author list fix(relay): document RelayFull message (fixes #880) (#909) feat(tuning): add section for LAN-only (fixes #834) (#915) fix(faq): update location of paths tab (#917) Update author list feat(faq): add information on setting network to private in Windows (#914) chore: remove option for enabling old TLS versions on sync connections (#913) chore(contrib): add sm2 and move munin-syncthing to unmaintained (#912) Update author list ...
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Describe the event structure if a reverse proxy is involved.