
Commit 29b642e

authored
Merge pull request #41 from ThomasBrierley/configurable-forwarded-ips
Configurable forwarded IPs
2 parents 2b51276 + 64d2878 commit 29b642e


2 files changed

+24
-0
lines changed


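--- a/src/Config/ConfigInfo.php
+++ b/src/Config/ConfigInfo.php
@@ -730,6 +730,23 @@ class ConfigInfo {
 public $websocket_url = false;
 public $websocket_proxyport = false;
 
+/**
+* If the web server is NOT behind a reverse proxy, you may optionally wish
+* to ignore forwarded IP headers such as x-forwarded-for and variations by
+* setting this to false. This will help to preserve authenticity of IPs by
+* only trusting IP addresses directly seen by the server.
+*
+* Never set this to false if you ARE behind a reverse proxy, otherwise all
+* requests will appear to originate from the same IP address (the proxy).
+*
+* If behind a reverse proxy, set to `true`:
+* $CFG->trust_forwarded_ip = true; // (default)
+*
+* If not using a reverse proxy, set to `false`:
+* $CFG->trust_forwarded_ip = false;
+*/
+public $trust_forwarded_ip = true;
+
 /*
 * This is the internal version of the datbase. This is an internal
 * value and set in setup.php and read in migrate.php - you should not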
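Review bot: The docblock on `$trust_forwarded_ip` presents turning header trust off as optional, but with the default of `true` a directly reachable server reports whatever address the client puts in x-forwarded-for and its variants. The comment should say so plainly, for example `* With the default (true) and no reverse proxy, the client chooses the IP that getIP() returns.`, so operators know not to rely on that value for logging, rate limiting or access decisions in such a deployment. It should also note that `true` is only sound when the proxy overwrites these headers itself rather than passing client-supplied values through. If the `true` default is kept for backward compatibility, state that in the comment as well.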

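--- a/src/Util/Net.php
+++ b/src/Util/Net.php
@@ -476,6 +476,8 @@ public static function send400($msg='Malformed request', $detail=null) {
 */
 public static function getIP() {
 
+global $CFG;
+
 //Just get the headers if we can or else use the SERVER global
 if ( function_exists( 'apache_request_headers' ) ) {
 $rawheaders = apache_request_headers();
@@ -497,6 +499,11 @@ public static function getIP() {
 
 $the_ip = false;
 
+// When not behind proxy, trust IP from web server over headers
+if ( $CFG->trust_forwarded_ip === false && array_key_exists( 'REMOTE_ADDR', $_SERVER ) ) {
+$the_ip = filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, $filter_option );
+}
+
 // Check Cloudflare headers
 if ( $the_ip === false && array_key_exists( 'http_cf_connecting_ip', $headers ) ) {
 $pieces = explode(',',$headers['http_cf_connecting_ip']);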
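Review bot: With `trust_forwarded_ip` set to false the forwarded headers can still be used, because the new branch in the second hunk only assigns `$the_ip` and then falls through. When `REMOTE_ADDR` is absent or `filter_var()` rejects it, `$the_ip` stays false and the Cloudflare check right below (and presumably the later header checks, which are outside the hunk) runs as before; `$filter_option` is defined outside the hunk, so if it excludes private or reserved ranges this would be the normal path for LAN clients. The branch should end the lookup instead, e.g. `if ( empty( $CFG->trust_forwarded_ip ) ) { return isset( $_SERVER['REMOTE_ADDR'] ) ? filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, $filter_option ) : false; }`, adjusted to whatever the rest of getIP() returns on failure. The strict `=== false` also means a config value of `0`, `'0'` or `null` silently keeps trusting headers, which `empty()` would avoid.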
