Prestashop: X-Forwarded-For not supported properly

Created on 27 Mar 2019  路  11Comments  路  Source: PrestaShop/PrestaShop

Describe the bug
Given an installation of PrestaShop behind a reverse proxy / load balancer, I am seeing the following issues:

  • When a user comes to the front office, the client IP is incorrectly evaluated as the IP address of the proxy/load balancer, and it ignores the X-Forwarded-For headers. This makes the "Visitors online" screen incorrect. (and likely other things)

  • Maintenance Mode also ignores X-Forwarded-For headers. You can enable the Maintenance Mode, but you will not be able to add a IP address that will be able to see the front office. I am assuming it evaluates all client addresses as the load balancer / proxy IP address. So if you put in the load balancer IP address, you will be able to see the front office, but the public will be able to as well.

  • When you click on the "Add My IP" button on the maintenance page, it ignores the X-Forwarded-For headers and uses the IP address of the proxy / load balancer IP address instead.

To Reproduce
see description.

Screenshots
n/a

Additionnal information
PrestaShop version: 1.7.1.5
PHP version: 7.2

  • Changing the Tools.php's getRemoteAddr has no impact on any of the above issues.
  • We are using the prestashop/prestashop:1.7-7.2-apache
  • We put it behind a Nginx reverse proxy, like all the rest of our software, so that we are able to utilize the jwilder/docker-gen & jrcs/letsencrypt-nginx-proxy-companion docker images to enable SSL.
Bug Fixed Maintenance Performance Shop parameters
Source
picture ryandanthony
👍3

Most helpful comment

Just a warning

https://github.com/PrestaShop/PrestaShop/blob/develop/classes/Tools.php#L390
RFC 1918 B is 172.16.0.0/12 and prestaShop matches only 172.16/16 which is incorrect 馃槃

Excerpt from https://tools.ietf.org/html/rfc1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

BUT cloudflare for instance sends public IP, so therefore there should by "whitelist" of public IPs, if you want to make it more secure, not locked to RFC 1918 subnets.

picture snovak7 on 21 Feb 2020
2

All 11 comments

Hi @ryandanthony,

Thank you for your report.
We'll first try to reproduce it and we'll come back to you if we need more information.

khouloudbelguith picture khouloudbelguith on 27 Mar 2019

I finally had a few minutes to put together a git repo that replicates the environment using docker.
https://github.com/ryandanthony/prestashop-proxy-issue

ryandanthony picture ryandanthony on 27 Mar 2019

Hi @ryandanthony,

Your link is not accessible, it provides me an error 404.
Thanks for checking it

khouloudbelguith picture khouloudbelguith on 28 Mar 2019
👍1

@khouloudbelguith
Sorry about that, I forgot to make it public.

ryandanthony picture ryandanthony on 28 Mar 2019

Hi @khouloudbelguith were you able to get access to that link?

ryandanthony picture ryandanthony on 3 Apr 2019

Hi @ryandanthony,

Yes, we'll first try to reproduce it and we'll come back to you if we need more information.

khouloudbelguith picture khouloudbelguith on 4 Apr 2019

Hi @ryandanthony,

I manage to reproduce the issue.
I noticed that the proxy only appears after the installation and restart of the container.
I also noticed that "IP Maintenance" takes the @ of the load balancer, but it does not work with the @
of the load balancer.

khouloudbelguith picture khouloudbelguith on 5 Apr 2019

@PrestaShop/prestashop-core-developers wdyt ?

marionf picture marionf on 9 Apr 2019

Just a warning

https://github.com/PrestaShop/PrestaShop/blob/develop/classes/Tools.php#L390
RFC 1918 B is 172.16.0.0/12 and prestaShop matches only 172.16/16 which is incorrect 馃槃

Excerpt from https://tools.ietf.org/html/rfc1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

BUT cloudflare for instance sends public IP, so therefore there should by "whitelist" of public IPs, if you want to make it more secure, not locked to RFC 1918 subnets.

snovak7 picture snovak7 on 21 Feb 2020
2

Just a warning

https://github.com/PrestaShop/PrestaShop/blob/develop/classes/Tools.php#L390
RFC 1918 B is 172.16.0.0/12 and prestaShop matches only 172.16/16 which is incorrect 馃槃

Excerpt from https://tools.ietf.org/html/rfc1918
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

BUT cloudflare for instance sends public IP, so therefore there should by "whitelist" of public IPs, if you want to make it more secure, not locked to RFC 1918 subnets.

Thanks for the tip !

matks picture matks on 21 Feb 2020

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private internets:

 10.0.0.0        -   10.255.255.255  (10/8 prefix)
 172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
 192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

My reverse proxy has the IP 172.19.0.2, and fails because preg_match('/^172\.16.*/i', trim($_SERVER['REMOTE_ADDR'])) does not check the specified range. (172.16/12 prefix) vs (current 172.16/16 prefix)

davidglezz picture davidglezz on 22 Feb 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

matks picture matks  路  3Comments
Van-peterson picture Van-peterson  路  3Comments
hiousi picture hiousi  路  3Comments
rGaillard picture rGaillard  路  3Comments
prestonBot picture prestonBot  路  3Comments