osmand over haproxy

homa3 years ago

Hi!
I try to use haproxy for osmand clients session, but traccar doesn't show real client IP.
I use next configuration:

global
  log      /dev/log   local0
  chroot   /var/lib/haproxy
  user     haproxy
  group    haproxy
  maxconn  10000
  daemon
 
# Default SSL cerificate location
  ca-base  /docker/ssl/certs
  crt-base /docker/ssl/private
 
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  tune.ssl.default-dh-param 2048
  tune.ssl.cachesize 1000000
  tune.bufsize 32768
  tune.h2.header-table-size 8192
  tune.comp.maxlevel 2
 
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option  http-server-close
        option  redispatch
        option  tcp-smart-accept
        option  tcp-smart-connect
        retries 3
        timeout queue           30s
        timeout connect         1s
        timeout client          60s
        timeout server          60s
        timeout http-request    10s
        timeout http-keep-alive 10s
 
frontend http_geo
  mode http
  bind :45055 ssl crt /docker/ssl/work alpn h2,http/1.1
  option http-server-close
  option forwardfor except 127.0.0.0/8
  http-request add-header X-CLIENT-IP %[src]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
 
  acl is_root path -i /
 
  acl geo hdr_dom(host) -i geo.mydomain.com
 
  http-response set-header X-Content-Type-Options nosniff
  http-response set-header Permissions-Policy "geolocation=(), camera=()"
  http-response set-header Expect-CT "max-age=86400, enforce"
  http-response set-header X-Frame-Options SAMEORIGIN
  http-response set-header X-XSS-Protection "1; mode=block"
 
  http-request redirect scheme https code 301 if !{ ssl_fc }
 
  use_backend geo if geo
 
backend geo
  mode http
  option httpclose
  option forwardfor if-none
  option redispatch
  option http-server-close
  cookie SERVERID insert indirect nocache
  server geo 127.0.0.1:5055 check cookie geo

All another services working with rtue real client IP, but traccar replace it for own local server IP. In haproxy logs I see real ip, in traccar logs it changing to traccar-server ip. If I use haproxy without encryption, traccar also doesn't work correctly. Can you help? How correctly give client IP from haproxy to traccar?

upd: if I use WAF - wrong tracer work is saved

Anton Tananaev3 years ago

Where do you see IP address in Traccar?

homa3 years ago

hmmm, now situation very strange
it's logs
Description text

haproxy logs:

Jan 12 19:47:30 docker1 haproxy[2562442]: 91.193.179.10:57502 [12/Jan/2022:22:47:30.411] http_geo~ geo/geo 0/0/1/6/7 200 54 - - --NI 7/1/0/0/0 0/0 "POST /?id=0ecd10dea32e6eb2×tamp=1642016848&lat=55.9168676&lon=37.4080502&speed=1.1122878132290839&bearing=236.4137420654297&altitude=205.79998779296875&accuracy=16.97599983215332&batt=71.0 HTTP/1.1"

interface, here wrong time, location and all osmand parametrs for this time, but last update is true:
Description text

and traccar hex-message (decoded), here all information is true

POST /?id=0ecd10dea32e6eb2×tamp=1642016813&lat=55.9168766&lon=37.4080713&speed=0.07357482119272649&bearing=261.2191162109375&altitude=205.79998779296875&accuracy=17.534000396728516&batt=71.0 HTTP/1.1
content-type: application/x-www-form-urlencoded
user-agent: Dalvik/2.1.0 (Linux; U; Android 11; Redmi Note 8 Pro Build/RP1A.200720.011)
host: geo.mydomain.ru:45055
accept-encoding: gzip
content-length: 0
x-client-ip: 91.193.179.10
x-forwarded-proto: https
x-forwarded-for: 91.193.179.10
connection: close

hex-respons:

HTTP/1.1 200 OK
content-length: 0
Anton Tananaev3 years ago

Logs print network transport layer information. They are not aware of any higher level protocols, like HTTP.

homa3 years ago

but in hex-message I have all true information... How must be my next step for debug it?

Anton Tananaev3 years ago

Debugging what? As I explained, it is working like this by design.

homa3 years ago

may be I'm badly told.
screen from interface and hex-message it is at the same time information, but device-point in interface don't match position in hex-message. in traccar interface I can make sure the device is online, but all osmand parametrs is wrong (position, battery, etc)

Anton Tananaev3 years ago

That's probably because connection is closed too early.

homa3 years ago

I finded mistake in haproxy. I must use

 option http-keep-alive

for traccar backend, now all osmand parametrs and location is true, but real client ip is wrong(((((
Did I understand correctly that this should not work?

Anton Tananaev3 years ago

Yes, IP won't show.

homa3 years ago

How about feature request for give IP from x-client-ip or x-forwarded-for headers?))) it is true way, users will can encrypt they location information, now it is unsecure in public networks. now it possible, but sometimes real device IP very important information

Anton Tananaev3 years ago

If you can find a clean way for implementing it, feel free to send a pull request.

vmedrano3 years ago

Carrier mask IP address with Nat. Maybe that's your problem.

homa3 years ago

I'm opened feature request https://github.com/traccar/traccar/issues/4794
Thanks!

homa7 months ago

Hi!
I developed a small python script to solve this problem. It is a layer between the osmand-device and the traccar-server. It is passing the real IP address to the realip attribute, the script replaces coordinates for known networks and IP addresses, it's increase the accuracy of positioning in known networks.
The script can be published through any balancer on 80/443 ports
GitHub