XF 2.0 Recommended HTTP Proxy for $config['http']['proxy'] ?

Anomandaris · Aug 26, 2019

When behind a reverse proxy, these features expose your origin IP to a resourceful attacker:

Unfurl URL to a rich preview automatically
Convert URLs to page titles
Image Proxy

For protection I want to setup a proxy to use in combination with this config.php option:
$config['http']['proxy']

What is the simplest way to host my own? Or can anyone recommend a simple service? Any other considerations to think about? I was planning to just run a 5$/month droplet and set one up

Thank you in advance.

Robust · Aug 26, 2019

You can use a droplet, sure, or get some private proxies or something (less maintenance that way).

Note that, I believe, setting a proxy there will set the proxy settings for the XF HTTP client everywhere, including requests to payment gateways that use the HTTP client. So even if they're attacking your proxy droplet, it's not just luxury features that will be affected, some payment gateways will also not work.

I know some forums that had a lot of issues with DDoS attacks. Amongst other things, they disabled those features entirely and restricted image embedding to select known providers only (Google, Dropbox, imgur, etc.)

Anomandaris · Aug 27, 2019

how do you configure username and password for the proxy?

Anomandaris · Aug 28, 2019

I opened a support ticket and I was told that the http proxy client doesn't allow for authentication.

I ended up using tinyproxy on a 5$ DO droplet, easy to install and setup as a forward proxy for this purpose:

NGINX:

yum install -y epel-release
yum update -y
yum -y install tinyproxy

/usr/sbin/tinyproxy stop

nano -w /etc/tinyproxy/tinyproxy.conf

#modify the config and set:
XTinyproxy No # (turns off transparent proxy, stop sending source IP in header)

#Allow any IPs that will connect to this proxy, everything else will be auto denied
Allow xxx.xxx.xxx.xxx #replace xxx with your server IP, duh

/usr/sbin/tinyproxy start

works great

rdn · Jan 30, 2020

Anomandaris said:
I opened a support ticket and I was told that the http proxy client doesn't allow for authentication.

But stated as supported here

XF 1.5 - Untrusted Http Client

A new config.php option $config['untrustedHttpClient'] has been added to allow you to specify a custom configuration when making untrusted HTTP calls such as via the image proxy. For example, this can allow you to direct the connection through a proxy to keep your server's IP hidden...

xenforo.com

Anomandaris · Jan 30, 2020

rdn said:
But stated as supported here

XF 1.5 - Untrusted Http Client

A new config.php option $config['untrustedHttpClient'] has been added to allow you to specify a custom configuration when making untrusted HTTP calls such as via the image proxy. For example, this can allow you to direct the connection through a proxy to keep your server's IP hidden...

xenforo.com

that didn't work on XF2 for me

bluecrab · Apr 16, 2020

Anomandaris said:
When behind a reverse proxy, these features expose your origin IP to a resourceful attacker:

Unfurl URL to a rich preview automatically

Convert URLs to page titles

Image Proxy

For protection I want to setup a proxy to use in combination with this config.php option:
$config['http']['proxy']

I'm using tinyproxy on a VPS and it's working beautifully. But, it looks like the Unfurl URL feature is bypassing the proxy. Or maybe unfurl is using javascript to unfurl the preview via the browser?

Chris D · Apr 16, 2020

Unfurling definitely uses the "untrusted" HTTP client which will always use the proxy if configured when it fetches the metadata, and it only happens on the first time the link is posted for the most part (it can be re-fetched later, but it always uses the proxyable HTTP client).

The image proxy should also be applied to the HTML that we render so that when the image is fetched via the proxy system that should also be proxied via the untrusted HTTP client.

We'd likely need a detailed reproduction case to confirm.

bluecrab · Apr 16, 2020

So here's what I'm seeing.

Start new message.
Insert a link to an image (insert image -> by URL).
The image renders in my editor.
I don't see any traffic on my proxy server.
Only when I post the message do I see traffic on my proxy server.

So does the image preview rendering bypass the proxy? I checked with Wireshark and my browser is not rendering it.

Chris D · Apr 16, 2020

bluecrab said:
I checked with Wireshark and my browser is not rendering it.

I just double checked and actually it is being loaded from the client side and therefore it doesn't need to touch the proxy.

Only reasonable explanation I can come up with is if the image was already cached by your browser, you may not have seen it be requested via Wireshark, but I'm not certain about that.

The test I conducted was by using Insert image on this forum to request an image from a web server I have hosted locally and inspecting the incoming requests.

The request came from my client IPs in all cases which indicates that the browser is loading the image and therefore the image proxy is not involved.

bluecrab · Apr 16, 2020

Yes, you are correct, the image was cached in my browser.

I cleared my cache, inserted the image, and when the image rendered I saw my browser reach out via Wireshark.

Good to know. I feel very comfortable now knowing that my origin IP is not being leaked.

THANK YOU!!

Nirjonadda · Apr 16, 2020

@Chris D I have installed Tinyproxy and modify the Configuring TinyProxy and set.

Code:

XTinyproxy No

Allow Server IP

Add to config.php in Xenforo

Code:

$config['http']['proxy'] = 'http://Server IP:8888';

But still are using my server original IP address. Please can you let me know that how can hide our origin IP address?

Chris D · Apr 16, 2020

That should be it.

Which functionality specifically do you suspect is leaking your IP?

You could also have overzealous caching of your config.php file so you may need to restart PHP (or web server depending how PHP is configured).

bluecrab · Apr 16, 2020

Make sure that you're not using any add-ons that might bypass the proxy.

I was using the "Convert Image 3.3" add-on by XF2 Addons and discovered that it bypasses the proxy. I contacted Andy (the developer) and he has a new version coming out tonight that fixes the issue.

Chris D · Apr 16, 2020

Yeah this was my first suspicion. Any add-ons not using core functionality are actually falling short of the expected resource standards so they should be fixed ASAP but if the author is slow or reluctant to do so then we’ll happily step in.

Anomandaris · Apr 23, 2020

I made a quick tutorial on how to setup TinyProxy to do this, maybe it will be helpful to people that find this thread

bluecrab · Apr 23, 2020

Nice video, thanks!

I originally had my TinyProxy running on a $5/month Digital Ocean droplet too, but I moved it to a Leaseweb "gp micro" VPS (also $5/month) because they have a free hardware firewall that stands between the VPS and Internet. With the firewall, I'm only allowing inbound connections from my XF server. This means that my TinyProxy VPS is virtually untouchable by any other computer on the Internet... So no worries about DDoS attacks or other nasty stuff to that box too. So that, coupled with Cloudflare for my XF server, keeps everything locked down nicely.

Also, with the Leaseweb VPS, I'm getting a slightly better deal... 4 TB of traffic vs 1 TB with DO... not that TinyProxy needs that much!

rosal · May 7, 2020

bluecrab said:
Nice video, thanks!

I originally had my TinyProxy running on a $5/month Digital Ocean droplet too, but I moved it to a Leaseweb "gp micro" VPS (also $5/month) because they have a free hardware firewall that stands between the VPS and Internet. With the firewall, I'm only allowing inbound connections from my XF server. This means that my TinyProxy VPS is virtually untouchable by any other computer on the Internet... So no worries about DDoS attacks or other nasty stuff to that box too. So that, coupled with Cloudflare for my XF server, keeps everything locked down nicely.

Also, with the Leaseweb VPS, I'm getting a slightly better deal... 4 TB of traffic vs 1 TB with DO... not that TinyProxy needs that much!

This is interesting, where i can find information about that?
Do you have to request the firewall or is available in control panel?

Regards

bluecrab · May 7, 2020

rosal said:
This is interesting, where i can find information about that?
Do you have to request the firewall or is available in control panel?

The firewall settings are available from the Leaseweb Customer Portal. Since it's a hardware firewall, it can't be controlled from the VPS itself.

rosal · May 7, 2020

bluecrab said:
The firewall settings are available from the Leaseweb Customer Portal. Since it's a hardware firewall, it can't be controlled from the VPS itself.

Already found this option.

Managing VPS firewall - Knowledge Base

Leaseweb Knowledge Base - Find all your answers to your questions related to Leaseweb services

kb.leaseweb.com

I dont have any host one them, but the next one will be there to test this

XF 2.0 Recommended HTTP Proxy for $config['http']['proxy'] ?

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Well-known member

Member

XenForo developer

Member

XenForo developer

Member

Well-known member

XenForo developer

Member

XenForo developer

Well-known member

Member

Active member

Member

Active member

Similar threads

We value your privacy