Detect ip address visitor php scripts

Nickske00

Hi,

After migrating everything over to enhance I noticed the visitor ip detected is one from the docker network? (eg: 199.99.88.1). I dumped all $_SERVER variables in php, but I can't find my own ip in them.

Do I need to change a setting somewhere to get the ip addresses in php scripts?

xyzulu

You can use php at the time of the visit to read X-Forwarded-For as that will contain the "real" IP address. This value doesn't appear in the logs however.

GoSuccess

You are not the only one with this problem. Your domains probably have an IPv6 record?

@Adam says:

"[...] it's because the ipv6 addresses are routed via the Docker proxy rather than NAT [...]"

This should be fixed with an update in the future. According to Adam, a workaround would be the following (test at your own risk):

docker ps -a | grep -v CONTAINER | awk '{print $1}' | xargs -i docker network disconnect enhance-network {}
docker network rm enhance-network
docker network create --ipv6 enhance-network --subnet fd76:cd8e:5f::/48 --subnet 199.99.88.0/23
docker ps -a | grep -v CONTAINER | awk '{print $1}' | xargs -i docker network connect enhance-network {}
systemctl restart docker

In /etc/docker/daemon.json add:

{
"experimental": true,
"ip6tables": true
}

I haven't had a chance to test it myself yet. So I can't say whether the workaround works.

My customers and I had the problem that the security plugin Solid Security was constantly blocking the container IPs and thus the websites were no longer accessible to anyone. After Adam's tip, we then whitelisted the container IPs 199.99.88.0/23 in the plugin settings. It's not a satisfying solution, but it works for now.

I'm also testing cPGuard on some servers at the moment and I keep seeing the container IP 199.99.88.1 in the WAF logs.

Adam

Yes, as above, it's because ipv6 requests reach the web server using Docker's proxy rather than NAT. This will be addressed in an upcoming update where responsibility for the Docker network is moved from controld to appcd. In the meantime the solution @GoSuccess posted will fix it for you.

Nickske00

Ow ok, yeah, they have ipv6. I have supported this for years, so it would be weird to just drop ipv6 support now...

Adam Do I need to run this on every server in the cluster? This won't mess up the future update when you guys fix this 'for real'?

GoSuccess

Update:

I just tried it and it works. The IPs are now detected correctly.

But it didn't work for me straight away. Docker had to be restarted a second time. After that it worked perfectly. (Thanks again to @Adam for the super fast help!)

SharedGrid

Nickske00 Probably just servers where being able to see the client IPv6 address is important to you.

I've just implemented the Docker network change and all worked as expected.

elk

@Adam is this still the recommended workaround?

we have the problem, that wordfence locks out users from the docker ip

A user with IP address 199.99.88.1 has been locked out from signing in or using the password recovery form for the following reason: Exceeded the maximum number of login failures which is: 20. The last username they tried to sign in with was: 'admin'. The duration of the lockout is 4 hours. User IP: 199.99.88.1 User hostname: 199.99.88.1 User location: United States

SharedGrid

elk Yes, it still works.

xyzulu

Wordfence (I hate it) has an option, see: https://www.wordfence.com/help/dashboard/options/
(You're looking for the section on X-Forwarded-For)

elk

would you then recommend to use the wordfence option or implement it server side?

if enhance will change this in the future, applying it to wordfence wo require us to change all websites. we use wf central and template, but still sometimes the assignment needs to be done again.