更新 IP 地址时输入无效

Hi,

There is a lot of errors in /logs, which states there is invalid input for update_ip_address operation.

image.png1144×335 71.1 KB

The discourse is deployed in Azure, with a separated PostgreSQL and Redis service.

Error logs:

/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-mini-profiler-0.10.7/lib/patches/db/pg.rb:90:in `async_exec'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rack-mini-profiler-0.10.7/lib/patches/db/pg.rb:90:in `async_exec'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/postgresql_adapter.rb:614:in `block (2 levels) in exec_no_cache'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/dependencies/interlock.rb:46:in `block in permit_concurrent_loads'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/concurrency/share_lock.rb:185:in `yield_shares'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/dependencies/interlock.rb:45:in `permit_concurrent_loads'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/postgresql_adapter.rb:613:in `block in exec_no_cache'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/abstract_adapter.rb:612:in `block (2 levels) in log'
/usr/local/lib/ruby/2.4.0/monitor.rb:214:in `mon_synchronize'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/abstract_adapter.rb:611:in `block in log'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activesupport-5.1.4/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/abstract_adapter.rb:603:in `log'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/postgresql_adapter.rb:612:in `exec_no_cache'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/postgresql_adapter.rb:599:in `execute_and_clear'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/postgresql/database_statements.rb:92:in `exec_delete'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/abstract/database_statements.rb:140:in `update'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/connection_adapters/abstract/query_cache.rb:17:in `update'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/relation.rb:380:in `update_all'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/persistence.rb:333:in `update_columns'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/activerecord-5.1.4/lib/active_record/persistence.rb:306:in `update_column'
/var/www/discourse/app/models/user.rb:529:in `update_ip_address!'
/var/www/discourse/lib/auth/default_current_user_provider.rb:74:in `block in current_user'
/var/www/discourse/lib/scheduler/defer.rb:74:in `block in do_work'
/var/www/discourse/vendor/bundle/ruby/2.4.0/gems/rails_multisite-1.1.2/lib/rails_multisite/connection_management.rb:77:in `with_connection'
/var/www/discourse/lib/scheduler/defer.rb:72:in `do_work'
/var/www/discourse/lib/scheduler/defer.rb:61:in `block (2 levels) in start_thread'

looks to me like you are forwarding an incorrect field to ip address. How do you have IP Address forwarding configured?

Thank you Sam.
I didn’t configure that on purpose. Where can I check the config?

In the Azure setup… somewhere. That data is not coming from within Discourse.

It’s ip address from our company proxy. I don’t know how is the portal address added. Can we just remove the port info to accept this ip?

No, it isn’t an IP address, and that’s the problem. If you’ve got a proxy that’s including a port number in what’s supposed to be an IP address, then the proxy is broken, and you’ll want to get that fixed.

I haven’t find the root cause yet. But I find a defected solution. By adding the following configuration in app.yml. I make the input of ip_address valid.

       filename: /etc/nginx/conf.d/discourse.conf
       from: $proxy_add_x_forwarded_for
       to: $http_your_original_ip_header
       global: true

The defected part is that the user ip_addresses are all 127.0.0.1 now. It’s not perfect, but the 500 errors won’t throw finally.

According to RFC 7239 - Forwarded HTTP Extension

5.2. Forwarded For

The “for” parameter is used to disclose information about the client
that initiated the request and subsequent proxies in a chain of
proxies. When proxies choose to use the “for” parameter, its default
configuration SHOULD contain an obfuscated identifier as described in
Section 6.3. If the server receiving proxied requests requires some
address-based functionality, this parameter MAY instead contain an IP
address (and, potentially, a port number). A third option is the
“unknown” identifier described in Section 6.2.

If your nginx setting is using $proxy_add_x_forwarded_for as the indicate of user ip. I think ip with port will be a valid input here. You may need to strip the port info out.

Well, this needs to be amended upstream then, see:

Feel free to raise a feature request for it at:

That RFC describes the format of the Forwarded: HTTP request header. The X-Forwarded-For header, which we’re examining, has different semantics.

Thanks for the correction.
And for Azure Gateway, it does have a different definition for x-forwarded-for.
See Frequently asked questions about Application Gateway | Microsoft Learn

Q. Does Application Gateway support x-forwarded-for headers?

Yes, Application Gateway inserts x-forwarded-for, x-forwarded-proto, and x-forwarded-port headers into the request forwarded to the backend. The format for x-forwarded-for header is a comma-separated list of IP:Port. The valid values for x-forwarded-proto are http or https. X-forwarded-port specifies the port at which the request reached at the Application Gateway.

I will seek solution in rack or Azure Gateway.
Thanks @sam also.

Hi,

Just to add to the conversation - this is standard practice in Azure Application Gateways, and it’s infuriating. They add the port to the forwarded-for header even though they also send it in the forwarded port header.

Two feedback/change requests on Microsoft which you can vote for;

• Azure Application Gateway x-forwarded-for remove port information – Customer Feedback for Microsoft Azure
• Support for dropping port out of x-forwarded-for header – Customer Feedback for Microsoft Azure

Our “fix” is also the same as the above step, we’re manually setting the forwarded-for header to a generic ip as this caused lots of issues with users being logged out or the site not working properly.

Just out of interest, we are using a httpd redirect within the network, does anyone know if it is possible to rewrite the header and remove the port? Failing that can it be done in nginx (I am unfamiliar with nginx)?

I would look at submitting a PR if we get this fixed but the comments above seem to suggest the devs would prefer this fixing upstream - is that the case?

Great news! Microsoft have fixed their insufferable nonsense. Sort of!

为明确起见，此功能仅适用于 SKU V2。因此，如果您使用的是 V1 版应用网关，则无法重写标头。

是的，对我们来说，一旦 v2 版本可用于生产工作负载，立即升级就物超所值。Azure 网关做了很多奇怪的事情，例如在转发 IP 后附加端口，这只是其中一项让我们抓狂的“主观”设计。静态 VIP 非常棒。

网关容量的自动扩展也非常出色，已经救过我们一两次了。而且，区域冗余功能终于到来，令人倍感欣慰。

迁移过程大约耗时 20 分钟，而我们拥有数百个监听器以及一些相对复杂的后端池。有一个 PowerShell 脚本可以协助您完成迁移，过程非常简单。

不确定您是否在网关上使用证书，但如果使用的话，v2 的速度极快——不再需要等待 40 分钟来应用证书，现在只需几秒钟。

定价方面要复杂得多（微软一手给予，另一手总会收回），但对我们来说，到目前为止，账单金额相同或更低。

你们真幸运。由于成本较高，一旦 V2 预览版结束，我们就不得不切换回 SKU V1。

无论如何，这个问题似乎已经在上游通过 一个已合并的 PR 得到解决，并应从 rack 2.0 版本开始包含。但根据 这个问题，它仍然缺失于当前的发布版本中。

暂时我在 CI/CD 过程中应用补丁来处理这个问题。这不算完美，但在我们于未来的 rack/ Discourse 发布中看到修复之前，它能起作用。

如果有人感兴趣，这是你需要在 lib/auth/default_current_user_provider.rb 中修改的部分，以消除多余的端口：

if current_user && should_update_last_seen?
  u = current_user
  ip_port_split = request.ip.split(':')
  ip_only = ip_port_split.first
  Scheduler::Defer.later "Updating Last Seen" do
    u.update_last_seen!
    u.update_ip_address!(ip_only)
  end
end

我不知道是否应该将该快速修复替换为该文件或其他文件（email_controller.rb、006-mini_profiler.rb、request_tracker.rb）中任何出现 request.ip 的地方，但这对我们来说有效。
如前所述，在构建/CI 过程中应用补丁可以保持代码库的整洁和可更新性。
任何“更优雅”的解决方案都欢迎。

简短跟进。
我上面提供的“修复”会导致一些问题，例如此处描述的问题。

目前，我们通过将此“分割”部分包裹在 begin…rescue…end 中来规避此问题，如下所示：

begin
  ip_port_split = request.ip.split(':')
  ip_only = ip_port_split.first
rescue
  ip_only = request.ip
end

此致
Sascha

因此，通过此提交（更新到 rack 2.0.8），Azure Application Gateway v1 的 ip:port 格式不再应成问题。