http-auth-ip-whitelist over Sophos UTM proxy #20

New Issue

Closed

opened 2026-01-19 18:28:39 +00:00 by michael · 2 comments

michael commented 2026-01-19 18:28:39 +00:00

Owner

Copy Link

Originally created by @michaelscl on GitHub.

Hi,

In our company we have Sophos UTM as a reverse proxy.
I use transfer.sh under the name transfersh.xxxxx.cz over reverese proxy.

I have also disabled authentication for IP 10.10.100.1:
--http-auth-ip-whitelist 10.10.100.1

If I access transfer.sh via the name and this proxy, authentication pops up on me:

[transfer.sh]2024/07/16 09:18:51 10.10.100.1:0 - - [2024-07-16T09:18:51+02:00] "PUT /ALUNET%20CED.png HTTP/1.0" 200 "https://transfersh.xxxxx.cz/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"

If I go to the server directly, outside of the reverse proxy, authentication is skipped:

[transfer.sh]2024/07/16 09:18:54 10.10.100.1:52655 - - [2024-07-16T09:18:54+02:00] "PUT /ALUNET%20CED.png HTTP/1.1" 200  "http://10.8.1.142:8880/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"

The only difference I see is that if I go through a proxy, transfer.sh identifies me as 10.10.100.1:0 and auth white list doesnt work, but if I go directly, the IP address already shows the port 10.10.100.1:52655 and auth white list works

Could the problem be the source port that Sophos is sending 0?
Is this source port also checked port > 0?

I use docker version tag v1.6.1

best regards

Michal

Originally created by @michaelscl on GitHub. Hi, In our company we have Sophos UTM as a reverse proxy. I use transfer.sh under the name transfersh.xxxxx.cz over reverese proxy. I have also disabled authentication for IP 10.10.100.1: _--http-auth-ip-whitelist 10.10.100.1_ If I access transfer.sh via the name and this proxy, authentication pops up on me: ``` [transfer.sh]2024/07/16 09:18:51 10.10.100.1:0 - - [2024-07-16T09:18:51+02:00] "PUT /ALUNET%20CED.png HTTP/1.0" 200 "https://transfersh.xxxxx.cz/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" ``` If I go to the server directly, outside of the reverse proxy, authentication is skipped: ``` [transfer.sh]2024/07/16 09:18:54 10.10.100.1:52655 - - [2024-07-16T09:18:54+02:00] "PUT /ALUNET%20CED.png HTTP/1.1" 200 "http://10.8.1.142:8880/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0" ``` The only difference I see is that if I go through a proxy, transfer.sh identifies me as **10.10.100.1:0** and auth white list doesnt work, but if I go directly, the IP address already shows the port **10.10.100.1:52655** and auth white list works Could the problem be the source port that Sophos is sending 0? Is this source port also checked port > 0? I use docker version tag v1.6.1 best regards Michal

michael closed this issue 2026-01-19 18:28:39 +00:00

michael commented 2026-01-19 18:28:39 +00:00

Author

Owner

Copy Link

@paolafrancesca commented on GitHub:

@michaelscl it is because of the package we use to get the real ip address the request is coming from:
https://github.com/tomasen/realip/blob/master/realip.go#L53-L84

it returns X-Forwarded-For, filtering out private address (like "10.10.100.1", indeed), or if no public addres is found, it returns X-Real-Ip, regardless the address is private or not.
If none are set it returns http.Request.RemoteAddr

We'll have to find a new package (realip has no update in 8 years), that does not filter out private address.

Not sure how much configurable is Sophos UTM, but if you are able to set X-Real-Ip when requests come from "10.10.100.1" you should have a workaround

@paolafrancesca commented on GitHub: @michaelscl it is because of the package we use to get the real ip address the request is coming from: https://github.com/tomasen/realip/blob/master/realip.go#L53-L84 it returns `X-Forwarded-For`, filtering out private address (like "10.10.100.1", indeed), or if no public addres is found, it returns `X-Real-Ip`, regardless the address is private or not. If none are set it returns `http.Request.RemoteAddr` We'll have to find a new package (realip has no update in 8 years), that does not filter out private address. Not sure how much configurable is Sophos UTM, but if you are able to set `X-Real-Ip` when requests come from "10.10.100.1" you should have a workaround

michael commented 2026-01-19 18:28:39 +00:00

Author

Owner

Copy Link

@michaelscl commented on GitHub:

OK, Sophos has no such capabilities. So I will wait for new versions.
m.

@michaelscl commented on GitHub: OK, Sophos has no such capabilities. So I will wait for new versions. m.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/golang.org/x/net-0.38.0

revert-646-main

dependabot/go_modules/golang.org/x/oauth2-0.27.0

check-ci-20241026

aspacca-patch-1

seed-rand

fix-basic-auth

fix-header-map-change-after-writeheader-call

issue-503

issue-487

gpg-encryption-support

lint-accept-range

bump-min-go-version-and-include-tip

accept-range

local-google-fonts

parallel-range-requests

issue-485

sb/storj-bump

fix-perform-clamav-prescan

revert-389-clamav-prescan

clamav-prescan

changes-in-front-end

ISSUE-440

revert-422-main

master

golint

ISSUE-398

multiple-fixes

ISSUE-382-take2

ISSUE-382

fix-workflows

fixes-20210521

ISSUE-371

ISSUE-38-WEB

ISSUE-313

ISSUE-296

fuzz

BINARY-RELEASES

ISSUE-256

v1.6.1

v1.6.0

v1.5.0

v1.4.0

v1.3.1

v1.3.0

v1.2.6

v1.2.4

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.0

Labels

Clear labels

bug

docker

enhancement

hacktoberfest

help wanted

invalid

question

storage provider

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

michael

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: dutchcoders/transfer.sh#20