X-Forwarded-For header #2257

Closed
opened 2026-02-05 03:28:50 +03:00 by OVERLORD · 6 comments

Originally created by @sorano on GitHub (May 21, 2021).

Describe the feature you'd like
It would be nice to support the X-Forwarded-For header

Describe the benefits this feature would bring to BookStack users
When hosting BookStack behind a reverse proxy, any login will show the IP of the reverse proxy instead of the IP of the originating user. For trackability and identification it would be nice to see the real IP.

Additional context
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For


@sorano commented on GitHub (May 21, 2021):

Laravel supports this already:
https://laravel.com/docs/8.x/requests#configuring-trusted-proxies


@ssddanbrown commented on GitHub (May 22, 2021):

Thanks for the suggestion @sorano,
Can you confirm where you're seeing the IP address within BookStack?


@sorano commented on GitHub (May 22, 2021):

Well, I haven't actually been looking "within" BookStack. The Apache vhost configuration has:

    ErrorLog error.log
    CustomLog access.log combined

So I'm looking at access.log and seeing log entries like these:

172.25.0.124 - - [22/May/2021:14:43:20 +0200] "GET /login HTTP/1.1" 200 3136 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36"

Where 172.25.0.124 is the IP of the reverse proxy. However, I guess logging within the application would be needed to show the real IP, since Apache access would be processed before.


@ssddanbrown commented on GitHub (May 22, 2021):

@sorano I don't think we'd have any control over what Apache is logging in that regard.

You'll likely need to alter the LogFormat like so:
https://docs.rightscale.com/faq/How_can_I_log_the_source_client_IP_of_an_app_request_on_my_backend_Apache_application_server.html

Or maybe attempt using mod_remoteip (https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html)?


@ssddanbrown commented on GitHub (May 26, 2021):

Will therefore close this off. If you're sure that BookStack determines any IP address you see then feel free to comment with any evidence and I'll reopen this.


@tipuraneo commented on GitHub (Aug 3, 2023):

I faced the same issue: reverse proxy IPs were shown in the Apache and BookStack audit logs. Solved it with the Apache module remoteip. Now real client IPs appear in Apache and audit logs.

Enable module:

```
a2enmod remoteip
```

Add config
/etc/apache2/apache2.conf

```
# Header config
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy [IPs or CIDR subnets]
```

Restart Apache

```
apache2ctl configtest
apache2ctl restart
```
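
The trust rule that a proxy allow-list such as RemoteIPInternalProxy or Laravel's trusted proxies expresses, as an added example that is not part of the original thread or BookStack's code: a simplified Python model that honours X-Forwarded-For only when the connecting peer is a listed proxy and reads the header from right to left. The trusted list (the proxy IP from the access log above) and the sample client addresses are assumptions made for the example.

```python
import ipaddress

# Assumption: the reverse proxy seen in the access log is the only trusted proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("172.25.0.124/32")]


def is_trusted(addr):
    """True if addr falls inside one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer, xff_header):
    """Return the address to record for a request.

    peer       -- TCP peer address of the connection
    xff_header -- raw X-Forwarded-For value, or None
    """
    client = ipaddress.ip_address(peer)
    # A header sent by an untrusted peer is ignored entirely: any client
    # can put arbitrary text in X-Forwarded-For.
    if not xff_header or not is_trusted(client):
        return str(client)
    # Walk right to left: the rightmost entry was appended by the proxy
    # closest to us; entries further left are progressively less reliable.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and keep the last verified address
        client = candidate
        if not is_trusted(candidate):
            break  # first non-proxy address is taken as the client
    return str(client)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value).
    samples = [
        ("172.25.0.124", "203.0.113.7"),           # normal proxied request
        ("172.25.0.124", "1.2.3.4, 203.0.113.7"),  # client prepended a fake hop
        ("198.51.100.9", "10.0.0.1"),              # direct hit with a forged header
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff))
```

Taking the leftmost header entry instead would record the client-supplied `1.2.3.4` in the second sample, which is why the allow-list should contain only the proxies actually in front of the server.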

Reference: starred/BookStack#2257