Reverse Proxy: IP and SSL

Hi all,

Several of us recommend the reverse proxy for WE, including Travis (Xojo Inc.). It’s very simple, very effective, without limitation. It works perfectly with almost all modern web servers, even on Windows.

But in some cases (SSL with third-party libraries: Google Maps …), it is necessary that Xojo handle an “X-Forwarded-Proto: https” header, so that communication works perfectly. And this is not the case: the browser displays alerts, the page does not appear, etc.

Details are in this case: <https://xojo.com/issue/34272>

I just realized that the IP address (session.remoteAddress) must also be false (I have not tested) because the reverse proxy provides its own IP and protocol to the Xojo app. This is why web servers (Apache, Microsoft IIS, nginx, lighttpd, abyss webserver …) and load balancers (Elastic Load Balancing, GeekISP, Rackspace …) provide two headers to the Xojo app:

  • X-Forwarded-Proto (value: http or https)
  • X-Forwarded-For (value: IP of real client)

Please, implement these headers.

I just tested for IP: indeed, the Xojo web app cannot retrieve the client IP.

Whatever the client, the IP (session.remoteAddress) is always the proxy IP, i.e. 127.0.0.1 :(

Please vote: <https://xojo.com/issue/34272>

Olivier - this is a good request, I will give it a vote.

Also, you can use something like this to get the IP if you know the name of the header your proxy adds. Below is what I use with HAProxy + standalone and it works great.

[code]IPaddress = WebSession.Header("X-Forwarded-For")
[/code]

Workarounds from our toolbox:

[code]Function RemoteAddressFinal(Extends sess as WebSession) As String
  // X-Forwarded-For seems to be a comma-separated list of addresses, adding one remote address on each proxy pass. The first should be the client but that may be a private IP
  // X-Real-IP seems to be less commonly used but contains only the remote address of the last proxy pass

  Dim result as String
  result = sess.Header("X-Real-IP")
  if result <> "" then return result
  // Split on "," and trim, so that both "a, b" and "a,b" yield the first entry
  result = Trim(sess.Header("X-Forwarded-For").NthField(",", 1))
  if result <> "" then return result
  return sess.RemoteAddress

End Function
[/code]

and

[code]Function SecureFinal(Extends sess as WebSession) As Boolean
  // somehow there is also a Session.Header("HTTPS")="on" (see Xojo Doc on WebSession.Header), don't know how this should be treated

  if sess.Header("X-Forwarded-Proto") = "" then
    // No proxy header: fall back to what the app itself sees
    return sess.Secure
  else
    if sess.Header("X-Forwarded-Proto") = "https" then
      return true
    else
      return false
    end if
  end if

End Function
[/code]
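
An added example (not part of the original posts, and not Xojo's or the posters' own code): the workarounds above accept the forwarding headers from whoever sends them, so a client that reaches the app without passing through the proxy, or that sends its own X-Forwarded-For through a proxy that appends to it, controls the result. This variant honours the headers only when the direct peer is a known proxy and reads X-Forwarded-For from the right; the `IsTrustedProxy` list and the function names are assumptions to adapt, and the `Extends` methods belong in a module.

```xojo
// Assumption: the addresses of every proxy that connects to the app
// or appears in the forwarding chain. Adjust to your deployment.
Function IsTrustedProxy(addr As String) As Boolean
  Dim trusted() As String = Array("127.0.0.1", "::1")
  Return trusted.IndexOf(addr) >= 0
End Function

Function ClientAddressTrusted(Extends sess As WebSession) As String
  // The direct peer is not one of our proxies: any forwarding header
  // was supplied by the client itself, so ignore it.
  If Not IsTrustedProxy(sess.RemoteAddress) Then Return sess.RemoteAddress

  // Each proxy appends the peer it saw, so the right-most entries are
  // the ones written by our own infrastructure. Walk from the right
  // and return the first address that is not a trusted proxy.
  Dim hops() As String = Split(sess.Header("X-Forwarded-For"), ",")
  For i As Integer = UBound(hops) DownTo 0
    Dim hop As String = Trim(hops(i))
    If hop <> "" And Not IsTrustedProxy(hop) Then Return hop
  Next

  // Header missing or listing only our own proxies
  Return sess.RemoteAddress
End Function

Function SecureTrusted(Extends sess As WebSession) As Boolean
  // Same rule for the protocol: only a trusted proxy may assert https.
  If Not IsTrustedProxy(sess.RemoteAddress) Then Return sess.Secure

  Dim proto As String = Trim(sess.Header("X-Forwarded-Proto"))
  If proto = "" Then Return sess.Secure
  Return proto = "https"
End Function
```

The proxy should also overwrite or strip any client-supplied X-Forwarded-Proto and X-Real-IP before passing the request on, since these functions trust whatever the proxy forwards.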

Thank you very much John and Tobias! It works well for the IP. I have not yet tried for the https.