Wrong parsing of chained Proxy

**Elasticsearch version:** 7.17.12

**Server OS version:** Rocky Linux release 8.8 (Green Obsidian)

**Kibana version (if relevant):** 7.17.12

**Describe the issue:**
SG is unable to parse chained proxy

**Steps to reproduce:** Put an Apache server in front of a Kibana server

**Expected behavior:** No error message

Provide configuration:
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
The relevant section:

    network:
      trusted_proxies: "10.x.x.x"
      http:
        remote_ip_header: "x-forwarded-for"

I see in Elastic logs:
    org.elasticsearch.index.mapper.MapperParsingException: failed to parse field [audit_rest_request_headers.x-forwarded-for] of type [ip] in document with id '40cSRooBAzpFVtZfD7e1'. Preview of field's value: '10.y.y.y,127.0.0.1'

The first one (10.y.y.y) is the real one, the second is added by Apache, because it’s configured to use a proxy:

    <Proxy balancer://kibana>
        BalancerMember http://localhost:5601 responsefieldsize=65535
        BalancerMember http://localhost:5602 responsefieldsize=65535
        ProxySet lbmethod=bytraffic
    </Proxy>

A sequence of IPs in x-forwarded-for is expected behaviour; SG should not fail on it.

@fbacchella I think this is because your Apache is terminating the TLS connection. That would change the value in x-forwarded-for.

I know, it’s expected: X-Forwarded-For - HTTP | MDN. So it should not be a problem for SearchGuard; it throws a useless exception (and exceptions are not cheap in Java).
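As an added example (not Search Guard's code and not posted in this thread), this is how a receiver that knows its trusted proxies can split a chained X-Forwarded-For value, pick the client address without trusting the client-controlled leftmost entry, and shape the header for an Elasticsearch `ip` field, which accepts an array of addresses but not a comma-joined string. The addresses and the trusted list are constructed stand-ins for the redacted values above.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample values standing in for the redacted ones in the thread.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1"]  # like network.trusted_proxies in sg_config.yml
XFF_SAMPLE = "10.9.9.9, 127.0.0.1"             # the comma-joined value the mapper rejected

def split_xff(header_value: str) -> Tuple[List[str], List[str]]:
    """Split a chained X-Forwarded-For value into (valid_ips, rejected_tokens).
    Entries keep header order: the leftmost is what the first proxy saw and
    each later proxy appended the peer that connected to it."""
    valid, rejected = [], []
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            valid.append(str(ipaddress.ip_address(token)))
        except ValueError:
            rejected.append(token)  # e.g. "unknown" or a hostname; never index as type ip
    return valid, rejected

def client_ip(header_value: str, peer_ip: str, trusted_proxies: List[str]) -> str:
    """Walk the chain from the right (nearest hop), dropping hops that fall inside
    trusted_proxies, and return the first untrusted one. The TCP peer is appended
    as the last, authoritative hop, so a spoofed header from an untrusted peer
    never wins."""
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    valid, _ = split_xff(header_value)
    chain = valid + [peer_ip]
    while len(chain) > 1 and any(ipaddress.ip_address(chain[-1]) in n for n in nets):
        chain.pop()
    return chain[-1]

def audit_header_fields(header_value: str) -> Dict[str, List[str]]:
    """Shape the header for an ip-typed audit field: one array of parsed addresses
    (accepted by Elasticsearch) instead of the raw comma-joined string (rejected
    with the MapperParsingException quoted above). Unparseable tokens go to a
    separate keyword-style field so nothing is silently lost."""
    valid, rejected = split_xff(header_value)
    doc = {"audit_rest_request_headers.x-forwarded-for": valid}
    if rejected:
        doc["audit_rest_request_headers.x-forwarded-for_raw"] = rejected
    return doc

if __name__ == "__main__":
    print(client_ip(XFF_SAMPLE, "10.0.0.2", TRUSTED_PROXIES))  # 10.9.9.9
    print(audit_header_fields(XFF_SAMPLE))
```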


Some more questions:

  • Are you using audit logging?
  • If yes, are you logging to the local ES cluster, to a remote ES cluster or to somewhere else?
  • Can you please post the whole stack trace of the exception you are getting?

You can close the topic. The problem was on my side.
