Now, let's talk about the stunnel+ratchet solution without HAProxy:
On my server I use ratchet+stunnel only (apache for pages).
As the proxy option that is available for HAProxy was not available to me, I had to search for a way to send the client's IP address so it can be used at the Ratchet server.
BEFORE YOU BEGIN, SAVE YOUR STUNNEL CONFIGURATION FILE AND CERTIFICATES!!!!
If you reach this point you are almost good to go!
Just add this setting inside stunnel.conf: xforwardedfor = yes
How to access the header from Ratchet:
$myvar= $conn->WebSocket->request->getHeader('X-Forwarded-For', true);
Personal notes:
I don't like using X-Forwarded-For on my systems.
This is a very common header, and for security reasons, as we are patching the code from source, why not change the header name?
Also, let's assume that the client is accessing stunnel through a proxy system:
Client ==> Proxy ==> Stunnel ==> Ratchet
| The IP from the proxy will be received by stunnel,
and maybe the real client IP address will be in the X-Forwarded-For header.
In the case above, if we use the X-Forwarded-For header patch, we will overwrite the real client IP address and will receive the proxy address only.
So, for both reasons, let's change the header to a crazy and private one!
Inside the stunnel source directory, enter the src folder and edit client.c.
In the code, find this line:
    /* X-Forwarded-For: xxxx \r\n\0 */
    char xforw[17 + IPLEN + 3];
Now you can change it to something personal and private, like mine:
    /* IP_Stunnel_Patch_Pucci: xxxx \r\n\0 */
    char xforw[24 + IPLEN + 3];
    /* We have all the HTTP headers now. We don't need to
     * reserve any space anymore. <ssl_ptr> points to the
     * first byte of unread data, and <last> points to the
     * exact location where we want to insert our headers,
     * which is right before the empty line.
     */
    c->buffsize = BUFFSIZE;
    /* We will insert our IP_Stunnel_Patch_Pucci: header here.
     * We need to write the IP address, but if we use
     * sprintf, it will pad with the terminating 0.
     * So we will pass via a temporary buffer allocated
     * on the stack.
     */
    memcpy(xforw, "IP_Stunnel_Patch_Pucci: ", 24);
    if (getnameinfo(&c->peer_addr.sa,
                    c->peer_addr_len,
                    xforw + 24, IPLEN, NULL, 0,
                    NI_NUMERICHOST) == 0) {
        strcat(xforw + 24, "\r\n");
        buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
                      c->buffsize, xforw);
    }
    /* last still points to the \r\n and ssl_ptr to the
     * end of the buffer, so we may add as many headers
     * as we need to.
     */
So now I can access both the IP address from the internet and also the one I get when a proxy redirects for me:
$ipfrominternet = $conn->WebSocket->request->getHeader('IP_Stunnel_Patch_Pucci', true);
$internalipsendbyproxy = $conn->WebSocket->request->getHeader('X-Forwarded-For', true);
Some dudes commented that this workaround will send the IP address only during the first HTTP message.
If some kind of HTTP keepalive is used, the IP address will not be available in the subsequent packages.
From the Ratchet point of view, it seems that Ratchet knows about this and saves the header for the duration of the connection.
I tested a little and could get the IP address inside OnConnection() and OnMessage().
Any questions or doubts, feel free to write here.
Thanks,
Pucci
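The insertion step from the patch above, as an added example that is not part of the post or of stunnel's own code: it resolves the peer address with getnameinfo(NI_NUMERICHOST), splices "<name>: <ip>\r\n" in right before the empty line, and then counts how many X-Forwarded-For headers the backend would see in the proxy scenario the post describes. The request text, the addresses 192.0.2.10 and 10.0.0.5, the buffer sizes and the function names are all constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
/* Insert "<name>: <numeric peer address>\r\n" right before the empty line that ends
 * the headers of req (a NUL-terminated request held in a cap-byte buffer). */
int insert_peer_header(char *req, size_t cap, const char *name,
                       const struct sockaddr *peer, socklen_t peerlen)
{
    char ip[46], hdr[128];              /* 46 fits a textual IPv6 address */
    size_t len = strlen(req), hlen;
    char *blank = strstr(req, "\r\n\r\n");
    if (!blank || getnameinfo(peer, peerlen, ip, sizeof ip, NULL, 0, NI_NUMERICHOST))
        return -1;                      /* headers incomplete, or no numeric address (NI_NUMERICHOST avoids DNS) */
    hlen = (size_t)snprintf(hdr, sizeof hdr, "%s: %s\r\n", name, ip);
    if (hlen >= sizeof hdr || len + hlen + 1 > cap) return -1;   /* no room */
    blank += 2;                         /* now at the empty line itself */
    memmove(blank + hlen, blank, len - (size_t)(blank - req) + 1);  /* keep the NUL */
    memcpy(blank, hdr, hlen);           /* hdr's terminating NUL is deliberately not copied */
    return 0;
}
/* Count header lines whose name matches exactly; stops at the empty line. */
int count_header(const char *req, const char *name)
{
    int n = 0;
    size_t nlen = strlen(name);
    for (const char *p = strstr(req, "\r\n"); p && p[2] != '\r'; p = strstr(p, "\r\n")) {
        p += 2;                         /* start of the next header line */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':')
            n++;
    }
    return n;
}
/* The post's scenario, constructed: proxy 192.0.2.10 forwards a request from client
 * 10.0.0.5 and has already added X-Forwarded-For; stunnel's peer is the proxy.
 * Returns how many X-Forwarded-For headers Ratchet would receive afterwards. */
int demo_xff_count_after_insert(const char *stunnel_header_name)
{
    char req[256] = "GET /ws HTTP/1.1\r\nHost: example.test\r\n"
                    "X-Forwarded-For: 10.0.0.5\r\n\r\n";
    struct sockaddr_in proxy = { .sin_family = AF_INET };
    inet_pton(AF_INET, "192.0.2.10", &proxy.sin_addr);
    if (insert_peer_header(req, sizeof req, stunnel_header_name,
                           (struct sockaddr *)&proxy, sizeof proxy) != 0)
        return -1;
    return count_header(req, "X-Forwarded-For");
}
```

With "X-Forwarded-For" as the inserted name the backend gets two such headers (proxy's and stunnel's), which is the ambiguity the post wants to avoid; with a private name it gets one of each. Whatever the name, the value is only trustworthy when Ratchet is reachable solely through stunnel, since nothing here strips a same-named header that arrives from upstream.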