velaware, posted February 2, 2014:

After digging through Blesta's code for the past few months I've come up with a sound way to get a user's IP when proxying requests, but since this requires editing the core files too I'd rather not do it myself. In the Users.login function (in /blesta/app/models/users.php:function login) there are these two lines:

    if (!isset($vars['ip_address']))
        $vars['ip_address'] = $this->ifSet($_SERVER['REMOTE_ADDR'], null);

What I propose is making a company-specific option in [settings]->[Company]->General with an option of "Remote Address Header" automatically set to default as REMOTE_ADDR (and a notice saying "if you don't know what this means leave as default" basically). The reason behind this is not everyone can or wants to modify that header value and instead adds a different one (i.e.: X-Real-IP).

The use case for this is people who have two different web servers installed. I.e.: I have Nginx installed on my server which serves all static content then just passes all PHP requests to another web service. However, the other web service listens on a private IP so it only fetches that with the way Blesta is right now.

After this it would just take a simple change to the code above:

    if (!isset($vars['ip_address']))
        $vars['ip_address'] = $this->ifSet($_SERVER[Configure::get("Blesta.ip_address_header")], null);

Or similar.
Cody, posted February 5, 2014:

Why not just use $_SERVER['HTTP_X_FORWARDED_FOR'], as that is the variable for the X-Forwarded-For header and requires no user configuration in Blesta?
velaware (author), posted February 6, 2014:

> Why not just use $_SERVER['HTTP_X_FORWARDED_FOR'], as that is the variable for the X-Forwarded-For header and requires no user configuration in Blesta?

As long as it contains the real IP then that'd be fine too. I haven't messed w/ the passed headers so I don't know if every proxy setup will pass the correct values to it is all.
Cody, posted February 6, 2014:

X-Forwarded-For is the de facto/proposed standard for this very purpose.
Michael, posted February 6, 2014:

> X-Forwarded-For is the de facto/proposed standard for this very purpose.

Can we have that as default on Blesta mate, or is there a way we can edit a file to include it?
Cody, posted February 6, 2014:

We're researching this.
Max, posted February 6, 2014:

> The use case for this is people who have two different web servers installed. I.e.: I have Nginx installed on my server which serves all static content then just passes all PHP requests to another web service. However, the other web service listens on a private IP so it only fetches that with the way Blesta is right now.

What software are you running on the other web server? If it's Apache just use: http://httpd.apache.org/docs/current/mod/mod_remoteip.html

Handling it at the webserver level instead of in PHP has the added bonus that it displays the real client IP in your access_log and statistics as well.
Max, posted February 6, 2014:

> Can we have that as default on Blesta mate

Never trust an X-Forwarded-For header by default, only when you actually have a proxy, and verified the connection came from the proxy IP. Otherwise I can pretend to be a proxy too and make my web browser send requests with an added "X-Forwarded-For: CubicWeb's IP" header.
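The check Max describes, written out as an added example (this is not Blesta's code, and the function names, the trusted-proxy list and the sample request arrays are all constructed for illustration): X-Forwarded-For is consulted only when the TCP peer in REMOTE_ADDR is a proxy we configured, and the header is then walked from the right so that whatever the browser put at the left end of it never wins.

```php
<?php
// Added example, not Blesta's code. Resolve the client IP behind a reverse
// proxy, trusting X-Forwarded-For only when REMOTE_ADDR is a proxy we run.
// isTrustedProxy(), resolveClientIp() and the sample data are hypothetical.

declare(strict_types=1);

/**
 * Is $ip one of the trusted proxies? Entries may be single addresses or
 * IPv4 CIDR ranges such as "10.0.0.0/8" (IPv6 ranges are not handled here).
 */
function isTrustedProxy(string $ip, array $trustedProxies): bool
{
    foreach ($trustedProxies as $entry) {
        if (strpos($entry, '/') === false) {
            if ($ip === $entry) {
                return true;
            }
            continue;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $ipLong  = ip2long($ip);
        $netLong = ip2long($net);
        if ($ipLong === false || $netLong === false) {
            continue; // non-IPv4 or malformed: this simple CIDR check does not match it
        }
        $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Address to record for the client.
 *
 * - If REMOTE_ADDR is not a trusted proxy the header is ignored entirely,
 *   because any browser can send whatever X-Forwarded-For it likes.
 * - Otherwise walk X-Forwarded-For from the right (the end our proxies
 *   appended to), skip our own proxies, and return the first address that
 *   is not one of ours. Anything further left was supplied by the client.
 * - If the header is empty or malformed, fall back to REMOTE_ADDR.
 */
function resolveClientIp(array $server, array $trustedProxies, string $header = 'HTTP_X_FORWARDED_FOR'): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || !isTrustedProxy($remote, $trustedProxies)) {
        return $remote;
    }

    $raw  = $server[$header] ?? '';
    $hops = array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));

    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // junk in the header: stop walking and use the peer address
        }
        if (!isTrustedProxy($hop, $trustedProxies)) {
            return $hop;
        }
    }

    return $remote;
}

// Constructed sample requests (all addresses are documentation ranges).
$trusted = ['127.0.0.1', '10.0.0.0/8'];

// 1. Nginx on the same box forwarded the request: the header is trusted and
//    the address it carries is returned.
$viaProxy = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
echo resolveClientIp($viaProxy, $trusted), "\n";

// 2. Direct connection from the internet carrying a forged header: the header
//    is ignored and REMOTE_ADDR is returned.
$forged = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
echo resolveClientIp($forged, $trusted), "\n";

// 3. Client sent its own X-Forwarded-For and our proxy appended the real peer:
//    the right-most untrusted hop (the proxy's append) is returned, not the
//    client-chosen value on the left.
$chained = ['REMOTE_ADDR' => '10.1.2.3', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7'];
echo resolveClientIp($chained, $trusted), "\n";
```

The trusted-proxy list is the one piece of configuration this approach cannot do without, which is why a header name alone (as in the original proposal) is not enough: without knowing which peers are allowed to set the header, reading X-Forwarded-For or X-Real-IP unconditionally lets any direct client choose the address that gets logged against their login.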
ctalkington, posted February 16, 2014:

This is most likely something that the server should handle globally. I know most Apache reverse proxy setups use mod_rpaf which handles such things. I'm sure there are similar ways to do this with other web servers.

> It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. First condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure. It also takes the incoming X-Host header and updates the virtualhost settings accordingly.

http://www.stderr.net/apache/rpaf/