Subj : Re: synchronet behind a reverse proxy
To : echicken
From : martylake
Date : Sat Nov 27 2021 00:53:34

> 1) Currently, the websocket service will terminate if the HAPROXY_PROTO
> option is set, but the X-Forwarded-For header is absent. It won't connect
> somebody to your terminal server if it can't send their "real" IP address.

As per http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

```
The receiver MUST be configured to only receive the protocol described in this
specification and MUST not try to guess whether the protocol header is present
or not. This means that the protocol explicitly prevents port sharing between
public and private access. Otherwise it would open a major security breach by
allowing untrusted parties to spoof their connection addresses. The receiver
SHOULD ensure proper access filtering so that only trusted proxies are allowed
to use this protocol.
```

So I think that

> the websocket service terminating if the HAPROXY_PROTO option is set and the
> X-Forwarded-For header is absent

really is the *expected and correct* behavior. Any other workaround, such as replacing the client IP with the websocket proxy IP, would have undesirable side effects, like having the websocket proxy banned because of multiple login attempts or script kiddies.

> 2) A bit of testing before I merge this:
> 2a) If you remove the HAPROXY_PROTO option in sbbs.ini, then restart, do
> websocket connections (ftelnet) continue to work?

I tested, and it continues to work.

> 2b) If you remove the HAPROXY_PROTO option in sbbs.ini, restart, and also
> remove the HTTP reverse proxy from the mix (remember to adjust/remove wsp
> and wssp in modopts.ini->[web] also) do websocket connections continue to
> work?

So, instead of connecting at forum.talbot.audio, I connect at localhost:8880 (overridden port for http). Is this equivalent to (remove the HTTP reverse proxy)? The websocket connection continues to work.

> 2c) If you leave HAPROXY_PROTO enabled, but remove the HTTP reverse proxy
> from the mix, do websocket connections fail?

The websocket connection stops working because the header is absent. As per question 1), I think that the behavior is correct and to be expected. Here is the message I got:

```
11/27 08:45:04 srvc 0029 WS Error: BBS is using HAProxy, but no X-Forwarded-For header present.
```

---
SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
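
The fail-closed behaviour discussed in this message, sketched as an added JavaScript example that is not part of the original post and is not Synchronet's code. The function names, the `config` object and the trusted-proxy list are hypothetical, and the sketch assumes the reverse proxy appends the address it saw as the last X-Forwarded-For entry.

```javascript
// Added example: hypothetical names and config, not Synchronet's own code.
// Constructed config: proxy mode on, the reverse proxy runs on loopback.
const config = { proxyMode: true, trustedProxies: ['127.0.0.1', '::1'] };

// Parse raw header lines into a lower-cased map; repeated headers are joined.
function parseHeaders(lines) {
  const headers = Object.create(null);
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i <= 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return headers;
}

// Simplified address syntax check (dotted IPv4, or hex-and-colon IPv6).
function looksLikeIP(s) {
  const v4 = s.split('.');
  if (v4.length === 4) return v4.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  return /^[0-9a-fA-F:]+$/.test(s) && s.split(':').length >= 3;
}

// Decide which address to hand to the terminal server, or refuse the connection.
function resolveClientAddress(peerAddr, headerLines, cfg) {
  // Without proxy mode the header is never consulted, so it cannot be spoofed.
  if (!cfg.proxyMode) return { ok: true, address: peerAddr };
  // Only a known proxy may vouch for somebody else's address.
  if (!cfg.trustedProxies.includes(peerAddr))
    return { ok: false, reason: 'peer is not a trusted proxy' };
  const xff = parseHeaders(headerLines)['x-forwarded-for'];
  // Fail closed: never fall back to the proxy's own address.
  if (!xff) return { ok: false, reason: 'no X-Forwarded-For header present' };
  // Assumption: the proxy appends the address it saw, so the right-most entry
  // is the proxy's; anything to its left was supplied by the client.
  const last = xff.split(',').pop().trim();
  if (!looksLikeIP(last)) return { ok: false, reason: 'malformed X-Forwarded-For' };
  return { ok: true, address: last };
}

// Constructed sample requests as seen by the websocket service.
console.log(resolveClientAddress('127.0.0.1', ['X-Forwarded-For: 10.0.0.1, 203.0.113.7'], config));
console.log(resolveClientAddress('127.0.0.1', ['Host: bbs.example'], config));
```

Falling back to the proxy's own address in the missing-header case would attribute every failed login to the proxy, which is the side effect the message warns about.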