XF 2.0 Recommended HTTP Proxy for $config['http']['proxy'] ?

Anomandaris

Well-known member
When behind a reverse proxy, these features expose your origin IP to a resourceful attacker:

  • Unfurl URL to a rich preview automatically
  • Convert URLs to page titles
  • Image Proxy

For protection I want to set up a proxy to use in combination with this config.php option:
$config['http']['proxy']

What is the simplest way to host my own? Or can anyone recommend a simple service? Any other considerations to think about? I was planning to just run a 5$/month droplet and set one up

Thank you in advance.
 
Solution
I opened a support ticket and I was told that the http proxy client doesn't allow for authentication.

I ended up using tinyproxy on a 5$ DO droplet, easy to install and set up as a forward proxy for this purpose:

Code:
yum install -y epel-release
yum update -y
yum -y install tinyproxy

# stop the service while editing the config (the EPEL package ships a systemd unit)
systemctl stop tinyproxy

nano -w /etc/tinyproxy/tinyproxy.conf

# modify the config and set:
XTinyproxy No   # do not add the X-Tinyproxy header, which would carry the connecting (origin) server's IP

# Allow only the IPs that will connect to this proxy; everything else is denied
# (with no Allow lines at all, tinyproxy accepts every client)
Allow xxx.xxx.xxx.xxx   # replace xxx with your XenForo server IP, duh

systemctl start tinyproxy

works great
 
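An added example (mine, not from this thread or from the tinyproxy project) that audits a tinyproxy.conf for the two directives the post above changes, plus the open-proxy case that the post's Allow line is meant to prevent and the BasicAuth case the support ticket rules out. The sample configs are constructed and use documentation addresses.

```python
"""Audit a tinyproxy.conf for settings that would leak the origin IP or expose the proxy.

Added example, not code from the XenForo thread or the tinyproxy project.
Sample configs below are constructed; 203.0.113.10 / 198.51.100.7 are documentation IPs.
"""
import ipaddress

# Constructed: what a fresh install plus the post's instructions should look like.
HARDENED_CONF = """
Port 8888
Listen 203.0.113.10
XTinyproxy No
Allow 198.51.100.7   # the XenForo server
"""

# Constructed: header enabled and no access control at all.
WEAK_CONF = """
Port 8888
XTinyproxy Yes
"""

# Constructed: header off, but the Allow line admits the whole Internet.
OPEN_CONF = """
Port 8888
XTinyproxy No
Allow 0.0.0.0/0
"""


def parse_tinyproxy_conf(text):
    """Return (directive, value) pairs, dropping comments and blank lines.
    tinyproxy directive names are case-insensitive; values are kept as written."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((parts[0].lower(), value))
    return pairs


def is_world_allow(value):
    """True if an Allow value admits every client (a /0 network, e.g. 0.0.0.0/0)."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False  # hostnames or placeholders like xxx.xxx.xxx.xxx are not a /0
    return net.prefixlen == 0


def audit_tinyproxy_conf(text):
    """Return human-readable findings; an empty list means nothing flagged."""
    by_name = {}
    for directive, value in parse_tinyproxy_conf(text):
        by_name.setdefault(directive, []).append(value)
    findings = []

    # XTinyproxy Yes adds an X-Tinyproxy header holding the connecting client's IP,
    # i.e. the XenForo server's address: exactly what the proxy is meant to hide.
    for value in by_name.get("xtinyproxy", []):
        if value.lower() == "yes":
            findings.append("XTinyproxy Yes: origin server IP will be sent in an X-Tinyproxy header")

    # With no Allow/Deny lines at all, tinyproxy accepts every client (open proxy).
    allows = by_name.get("allow", [])
    if not allows and not by_name.get("deny"):
        findings.append("no Allow/Deny directives: tinyproxy accepts connections from any client (open proxy)")
    for value in allows:
        if is_world_allow(value):
            findings.append("Allow %s: admits every client (open proxy)" % value)

    # The thread reports that XenForo's proxy client cannot authenticate, so a BasicAuth
    # line would make every proxied request fail rather than protect anything.
    if "basicauth" in by_name:
        findings.append("BasicAuth set: XenForo's HTTP client sends no proxy credentials, requests will fail")
    return findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF), ("open", OPEN_CONF)):
        print(name, audit_tinyproxy_conf(conf) or ["no findings"])
```

Point it at the real file with `audit_tinyproxy_conf(open("/etc/tinyproxy/tinyproxy.conf").read())`; the Allow check only recognises CIDR and netmask forms, which is what tinyproxy accepts.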
You can use a droplet, sure, or get some private proxies or something (less maintenance that way).

Note that, I believe, setting a proxy there will set the proxy settings for the XF HTTP client everywhere, including requests to payment gateways that use the HTTP client. So even if they're attacking your proxy droplet, it's not just luxury features that will be affected, some payment gateways will also not work.

I know some forums that had a lot of issues with DDoS attacks. Amongst other things, they disabled those features entirely and restricted image embedding to select known providers only (Google, Dropbox, imgur, etc.)
 
 
> I opened a support ticket and I was told that the http proxy client doesn't allow for authentication.

But stated as supported here
 
> But stated as supported here

that didn't work on XF2 for me
 
I'm using tinyproxy on a VPS and it's working beautifully. But, it looks like the Unfurl URL feature is bypassing the proxy. Or maybe unfurl is using javascript to unfurl the preview via the browser?
 
Unfurling definitely uses the "untrusted" HTTP client which will always use the proxy if configured when it fetches the metadata, and it only happens on the first time the link is posted for the most part (it can be re-fetched later, but it always uses the proxyable HTTP client).

The image proxy should also be applied to the HTML that we render so that when the image is fetched via the proxy system that should also be proxied via the untrusted HTTP client.

We'd likely need a detailed reproduction case to confirm.
 
So here's what I'm seeing.
  • Start new message.
  • Insert a link to an image (insert image -> by URL).
  • The image renders in my editor.
  • I don't see any traffic on my proxy server.
  • Only when I post the message do I see traffic on my proxy server.
So does the image preview rendering bypass the proxy? I checked with Wireshark and my browser is not rendering it.
 
> I checked with Wireshark and my browser is not rendering it.

I just double checked and actually it is being loaded from the client side and therefore it doesn't need to touch the proxy.

Only reasonable explanation I can come up with is if the image was already cached by your browser, you may not have seen it be requested via Wireshark, but I'm not certain about that.

The test I conducted was by using Insert image on this forum to request an image from a web server I have hosted locally and inspecting the incoming requests.

The request came from my client IPs in all cases which indicates that the browser is loading the image and therefore the image proxy is not involved.
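The check described in the two posts above (host a web server you control, post a link to it, and look at who fetches it) as an added example of mine, not code from the thread or from XenForo. The canary records the peer address and any proxy-style headers of each request and classifies the fetch against the origin IP you want hidden. The `/canary.png` path, the port and the addresses 127.0.0.1 / 203.0.113.10 are assumptions for the self-check; run it on a reachable host and compare the recorded peer address with your XenForo server's IP.

```python
"""Canary origin server: does the forum fetch a posted link directly or via the proxy?

Added example, not code from the XenForo thread. Headers and IPs in the self-check
are constructed; nothing is persisted.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# Request headers that could reveal the true client behind a proxy or identify the proxy.
REVEALING_HEADERS = ("X-Tinyproxy", "X-Forwarded-For", "Via", "Forwarded")

SEEN = []  # every request the canary has received, newest last


def classify(peer_ip, headers, origin_ip):
    """Interpret one recorded fetch. origin_ip is the XenForo server's real address."""
    revealing = {h: headers[h] for h in REVEALING_HEADERS if h in headers}
    if peer_ip == origin_ip:
        return "DIRECT: fetched by the origin server itself, proxy bypassed"
    if any(origin_ip in value for value in revealing.values()):
        return "LEAK: proxied, but a header reveals the origin IP: " + json.dumps(revealing)
    return "OK: fetched from %s, origin IP not present in the request" % peer_ip


class Canary(BaseHTTPRequestHandler):
    def do_GET(self):
        record = {
            "peer_ip": self.client_address[0],
            "path": self.path,
            "headers": {h: self.headers[h] for h in REVEALING_HEADERS if self.headers[h]},
            "user_agent": self.headers.get("User-Agent", ""),
        }
        SEEN.append(record)
        body = json.dumps(record).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep stdout quiet; SEEN holds the record
        pass


def start_canary(host="127.0.0.1", port=0):
    """Start the canary in a background thread; return (server, bound_port)."""
    srv = HTTPServer((host, port), Canary)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(url, extra_headers):
    """Send one GET to the canary and return its JSON view of that request."""
    with urlopen(Request(url, headers=extra_headers), timeout=5) as resp:
        return json.loads(resp.read())


def self_check():
    """Two constructed fetches on localhost: one direct, one carrying the X-Tinyproxy
    header that 'XTinyproxy Yes' would add. Returns both classifications."""
    srv, port = start_canary()
    try:
        url = "http://127.0.0.1:%d/canary.png" % port  # hypothetical path
        direct = fetch(url, {})
        leaky = fetch(url, {"X-Tinyproxy": "203.0.113.10"})  # constructed origin IP
    finally:
        srv.shutdown()
        srv.server_close()
    return (
        classify(direct["peer_ip"], direct["headers"], "127.0.0.1"),
        classify(leaky["peer_ip"], leaky["headers"], "203.0.113.10"),
    )


if __name__ == "__main__":
    for verdict in self_check():
        print(verdict)
```

For a real run, start it with `start_canary("0.0.0.0", 8000)` on a host the forum can reach, post the link, then read `SEEN`: the first record's `peer_ip` should be the proxy droplet's address, and with `XTinyproxy No` there should be no `X-Tinyproxy` entry in `headers`. The `Via` header tinyproxy adds names the proxy host, not the origin, so it is recorded but only flagged if it contains the origin IP.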
 
Yes, you are correct, the image was cached in my browser.

I cleared my cache, inserted the image, and when the image rendered I saw my browser reach out via Wireshark.

Good to know. I feel very comfortable now knowing that my origin IP is not being leaked.

THANK YOU!!
 
@Chris D I have installed Tinyproxy, modified the TinyProxy configuration and set:

Code:
XTinyproxy No

Allow Server IP

Add to config.php in Xenforo

Code:
$config['http']['proxy'] = 'http://Server IP:8888';

But it is still using my server's original IP address. Please can you let me know how I can hide our origin IP address?
 
That should be it.

Which functionality specifically do you suspect is leaking your IP?

You could also have overzealous caching of your config.php file so you may need to restart PHP (or web server depending how PHP is configured).
 
Make sure that you're not using any add-ons that might bypass the proxy.

I was using the "Convert Image 3.3" add-on by XF2 Addons and discovered that it bypasses the proxy. I contacted Andy (the developer) and he has a new version coming out tonight that fixes the issue.
 
Yeah this was my first suspicion. Any add-ons not using core functionality are actually falling short of the expected resource standards so they should be fixed ASAP but if the author is slow or reluctant to do so then we’ll happily step in.
 
Nice video, thanks!

I originally had my TinyProxy running on a $5/month Digital Ocean droplet too, but I moved it to a Leaseweb "gp micro" VPS (also $5/month) because they have a free hardware firewall that stands between the VPS and Internet. With the firewall, I'm only allowing inbound connections from my XF server. This means that my TinyProxy VPS is virtually untouchable by any other computer on the Internet... So no worries about DDoS attacks or other nasty stuff to that box too. So that, coupled with Cloudflare for my XF server, keeps everything locked down nicely.

Also, with the Leaseweb VPS, I'm getting a slightly better deal... 4 TB of traffic vs 1 TB with DO... not that TinyProxy needs that much! :)
 
This is interesting, where can I find information about that?
Do you have to request the firewall or is it available in the control panel?

Regards
 
The firewall settings are available from the Leaseweb Customer Portal. Since it's a hardware firewall, it can't be controlled from the VPS itself.
Already found this option.

I don't have any host with them, but the next one will be there to test this ;)
 