[Users] Did anyone have any issue with some balancer in front of Zimbra?
Jim Dunphy
jad at aesir.com
Mon May 27 18:15:57 CEST 2019
If you need something faster,
I followed this link's advice ... using the set_real_ip_from, real_ip_recursive on and real_ip_header X-Forwarded-For.
Explained in detail here:
https://serverfault.com/questions/314574/nginx-real-ip-header-and-x-forwarded-for-seems-wrong
I tested various spoofing chaining scenarios and it appeared to do the correct thing. I don't use this with Zimbra, however, only our web farms.
From my perspective, this is a security bug at least in the 8.7.11+ branch and not an RFE, given how trivial it is to spoof a client-side header that allows an attacker to hide in the logs.
w/r
Jim
----- On May 27, 2019, at 8:50 AM, Fabio S. Schmidt <fabio at bktech.com.br> wrote:
> Greetings Brando,
> Thank you for your reply. I've submitted to Zimbra an RFE to support the origin
> IP with this format.
> Best regards.
> Sincerely,
> Fabio S. Schmidt
> Technical Director
> E-mail: fabio at bktech.com.br
> www.bktech.com.br
> Tel.: +55 (61) 3226-7932
> Mobile: +55 (61) 99116-3941
> From: "Brando Beaumont" <branzo at itaserv.net>
> To: "Fabio Schmidt" <fabio at bktech.com.br>
> Cc: "users" <users at lists.zetalliance.org>
> Sent: Monday, May 27, 2019 5:28:54
> Subject: Re: [Users] Did anyone have any issue with some balancer in front of
> Zimbra?
> Good morning Fabio,
> as stated here [1], X-Forwarded-For can pass multiple IPs. Including the IP of
> the Netscaler should add another IP to the list.
> cya,
> Brando B.
> [1] - https://en.wikipedia.org/wiki/X-Forwarded-For
>> From: "Fabio S. Schmidt" <fabio at bktech.com.br>
>> To: "users" <users at lists.zetalliance.org>
>> Sent: Friday, May 24, 2019 15:25:13
>> Subject: [Users] Did anyone have any issue with some balancer in front of
>> Zimbra?
>> Hello guys,
>> Our customers always use a balancer in front of Zimbra to balance the load and
>> implement H.A. at least for the proxy servers.
>> A particular customer uses Netscaler and we have noticed that it is displaying
>> both the IPs (client and the balancer) in our logs:
>> ;mid=231 ;oip=10.32.90.33, 172.16.5.1
>> These logs are being displayed on zmmailboxd.out:
>> Ignoring malformed remote address 10.32.90.33, 172.16.5.1
>> Maybe we should include the Netscaler IP in the Zimbra trusted IP parameter?
>> Best regards.
>> Fabio S. Schmidt
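
Added example, not part of the thread and not nginx or Zimbra code: a sketch of the right-to-left resolution that set_real_ip_from with real_ip_recursive on performs, showing why a forged leading X-Forwarded-For entry does not reach the log when only known proxies are trusted. The trusted range 172.16.5.0/24, the proxy node 172.16.5.2 and the 203.0.113.x / 198.51.100.x addresses are assumptions made for illustration.

```python
import ipaddress

def resolve_client_ip(peer_addr, xff_header, trusted_proxies):
    """Pick the address to log, trusting X-Forwarded-For only hop by hop."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # Header came straight from an unknown host: ignore it entirely.
        return str(peer)
    candidate = peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):  # rightmost entry was added by the nearest proxy
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not is_trusted(addr):
            break  # first untrusted hop; everything left of it is client-supplied
    return str(candidate)

def naive_leftmost(xff_header):
    """What a log records if it takes the first header entry at face value."""
    return xff_header.split(",")[0].strip()

# Constructed sample data (assumptions, not taken from the thread's systems).
TRUSTED = ["172.16.5.0/24"]
PAGE_HEADER = "10.32.90.33, 172.16.5.1"        # the oip value quoted in the thread
SPOOFED_HEADER = "198.51.100.99, 203.0.113.7"  # client forged the first entry

if __name__ == "__main__":
    print(resolve_client_ip("172.16.5.2", PAGE_HEADER, TRUSTED))
    print(naive_leftmost(SPOOFED_HEADER))
    print(resolve_client_ip("172.16.5.1", SPOOFED_HEADER, TRUSTED))
```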