How to get real IP in logs instead of bridge IP?
When installed in Docker and behind a reverse proxy like nginx, container logs do not show the real client IP address even when the right headers are passed from the proxy.
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name {{ service_domains.passbolt.primary.fqdn }};
    ssl_certificate /etc/ssl/private/{{ service_domains.passbolt.primary.domain }}/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/{{ service_domains.passbolt.primary.domain }}/private.key;
    location / {
        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://localhost:8000/;
    }
}
docker logs --tail 10 passbolt
172.17.0.1 - - [12/Apr/2025:16:10:57 +0000] "GET /auth/is-authenticated.json HTTP/1.0" 401 255 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
2025-04-12 16:10:57,476 INFO reaped unknown pid 397 (exit status 0)
2025-04-12 16:10:57,477 INFO reaped unknown pid 399 (exit status 0)
172.17.0.1 - - [12/Apr/2025:16:11:43 +0000] "GET /auth/is-authenticated.json HTTP/1.0" 401 255 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0"
2025-04-12 16:11:43,816 INFO reaped unknown pid 420 (exit status 0)
2025-04-12 16:11:43,816 INFO reaped unknown pid 422 (exit status 0)
172.17.0.1 - - [12/Apr/2025:16:11:56 +0000] "GET /auth/is-authenticated.json HTTP/1.0" 401 255 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
So, I want to see real client IPs in logs, not bridge IPs.
Hi, Have you tried to set PASSBOLT_SECURITY_PROXIES_ACTIVE env var? https://github.com/passbolt/passbolt_api/blob/master/config/default.php#L363
ty for info. I've set env PASSBOLT_SECURITY_PROXIES_ACTIVE=1 but it won't work. Still bridge IP logged.
'proxies' => [
    'active' => filter_var(env('PASSBOLT_SECURITY_PROXIES_ACTIVE', false), FILTER_VALIDATE_BOOLEAN),
    // If your instance is behind multiple proxies, redefine the list of IP addresses of proxies in your control in passbolt.php
    'trustedProxies' => [],
],
- what section in passbolt.php should I use to define proxies with the 'trustedProxies' setting?
- how should I define a localhost proxy and keep this setting after a settings update?
Maybe I should map passbolt.default.php to the container as passbolt.php and set these settings there?
I am having the same issue and recall having to mount my own passbolt.php when passbolt first started.
I was hoping something like this would be available, but it isn't,
PASSBOLT_SECURITY_PROXIES_TRUSTED_PROXIES = [ "127.0.0.1","etc" ]
Is there a way of directly changing these proxies from env variables, @dlen?
Thanks in advance :)
Hey @mannp, long time no see!
At the moment we don't support such configuration through env vars. I'll forward your request to the backend team so they can provide a path to configure the trusted proxies through an env var.
Thanks for the feedback!
Hi @dlen it's been a while for sure :)
Congrats to you and the team on the progress :)
I am not sure what PASSBOLT_SECURITY_PROXIES_ACTIVE does really, as trusted proxies is empty by default 'trustedProxies' => [], so if you cannot set that, it's not doing anything.
Hi,
I completely forgot to update this thread but as part of passbolt 5.6.0 users should now be able to define the trusted proxies array using an environment variable. Let us know if this fixes this issue.
Hi,
using image: passbolt/passbolt:5.7.2-1-ce I added
PASSBOLT_SECURITY_PROXIES_ACTIVE=true
PASSBOLT_TRUSTED_PROXIES=x.x.x.x
in .env for my compose.yaml and after a restart I still see
passbolt-1 | 2025/12/18 14:07:23 [info] 117#117: *19 client x.x.x.x closed keepalive connection
but also a new log appears
passbolt-1 | 2025-12-18 14:05:03,267 INFO reaped unknown pid 577 (exit status 0)
I wasn't able to find any info on this in docs or elsewhere other than what's in 5.6.0
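
Added example, not part of the thread and not Passbolt's or CakePHP's code: a generic sketch of how an application behind a reverse proxy can choose the address to log from X-Forwarded-For with a trusted-proxy list, walking the header right to left. The function name and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are constructed assumptions; 172.17.0.1 is the bridge address seen in the logs above.

```python
import ipaddress


def resolve_client_ip(peer_addr, xff_header, trusted_proxies):
    """Return the address to log for one request.

    peer_addr: TCP peer seen by the application (e.g. the Docker bridge gateway).
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    trusted_proxies: IPs or CIDRs of proxies under your own control.
    """
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    current = ipaddress.ip_address(peer_addr)
    # Forwarded headers are believed only when the direct peer is a trusted proxy;
    # with an empty list the peer (here the bridge IP) is what gets logged.
    if not xff_header or not is_trusted(current):
        return str(current)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: each entry was appended by the hop to its right,
    # so only entries written by trusted proxies can be relied on.
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = candidate
        if not is_trusted(candidate):
            break  # first address outside our control is the client
    return str(current)


if __name__ == "__main__":
    bridge = "172.17.0.1"  # peer address from the container logs above
    # Constructed header: client sent "10.9.9.9", nginx appended the real peer.
    header = "10.9.9.9, 203.0.113.7"
    print(resolve_client_ip(bridge, header, []))        # bridge IP
    print(resolve_client_ip(bridge, header, [bridge]))  # real client
```

The leftmost header entry is client-controlled (nginx's `$proxy_add_x_forwarded_for` appends to whatever the client sent), which is why the walk stops at the first untrusted address instead of taking the first entry.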