Proxying a client request - pass client IP address

[sephrat 16]

I'm contributing on an app that uses Emby authentication to allow access to our app.

At the moment, the login activity shows under the IP address of the server that runs the app. I'd like Emby to show the IP of the end user.

I tried to set X-Forwarded-For and/or X-Real-IP, but Emby will always display my IP address instead of the one I set.

curl --location 'http://redacted/emby/users/authenticatebyname' \
--header 'X-Emby-Authorization: MediaBrowser Client="Test", Device="Test", DeviceId="test", Version="test"' \
--header 'X-Forwarded-For: 192.168.2.123' \
--header 'X-Real-IP: 192.168.2.123' \
--form 'username="redacted"' \
--form 'pw="redacted"'

Result:

I'm assuming this is for security reason, but people do manage to trick it with reverse proxies, so what's the trick?

Additional question: if I manage to make it work, would Emby count several devices (one for each forwarded IP address) instead of a single device (the app server), thus bringing us closer to the Premiere device limit?

 

[Luke 37054]

Hi, what app? in the upcoming 4.8 server release there will be no way to do this, although we're open to suggestions on possible improvements.

You can still use those headers to specify a remote ip, but you won't be able to use them to specify a LAN ip, and this is for security reasons to prevent a remote connection from being able to trick the server into thinking it's on the local network.

[sephrat 16]

Ah right, I should have tested with a WAN IP address. Thanks for the detailed answer, it does work now.

From my first tests, it seems that the "Test" device I used is still counted as a single device even when logging in with different accounts and IP addresses. I assume this is because we use a unique DeviceId, correct?

The app is Ombi. We're only using Emby as some sort of LDAP provider. I don't believe this is even considered as a Premiere feature, right?

Edited May 22, 2023 by sephrat