Get User's Ip When Proxying Requests


velaware

After digging through Blesta's code for the past few months I've come up with a sound way to get a user's IP when proxying requests, but since this requires editing the core files too I'd rather not do it myself.


In the Users.login function (in /blesta/app/models/users.php:function login) there's these two lines:

    if (!isset($vars['ip_address']))
        $vars['ip_address'] = $this->ifSet($_SERVER['REMOTE_ADDR'], null);

What I propose is making a company-specific option in [settings]->[Company]->General with an option of "Remote Address Header" automatically set to default as REMOTE_ADDR (and a notice saying "if you don't know what this means leave as default" basically).


The reason behind this is not everyone can or wants to modify that header value and instead adds a different one (i.e.: X-Real-IP).


The use case for this is people who have two different web servers installed.  I.e.: I have Nginx installed on my server which serves all static content then just passes all PHP requests to another web service.  However, the other web service listens on a private IP so it only fetches that with the way Blesta is right now.


After this it would just take a simple change to the code above:

    if (!isset($vars['ip_address']))
        $vars['ip_address'] = $this->ifSet($_SERVER[Configure::get("Blesta.ip_address_header")], null);

Or similar.


Why not just use $_SERVER['HTTP_X_FORWARDED_FOR'], as that is the variable for the X-Forwarded-For header and requires no user configuration in Blesta?

As long as it contains the real IP then that'd be fine too.  I haven't messed with the passed headers, so I don't know if every proxy setup will pass the correct values to it, is all.


The use case for this is people who have two different web servers installed.  I.e.: I have Nginx installed on my server which serves all static content then just passes all PHP requests to another web service.  However, the other web service listens on a private IP so it only fetches that with the way Blesta is right now.


What software are you running on the other web server?

If it's Apache just use: http://httpd.apache.org/docs/current/mod/mod_remoteip.html


Handling it at the webserver level instead of in PHP has the added bonus that it displays the real client IP in your access_log and statistics as well.


Can we have that as default on Blesta, mate?


Never trust an X-Forwarded-For header by default, only when you actually have a proxy and have verified the connection came from the proxy IP.

Otherwise I can pretend to be a proxy too and make my web browser send requests with an added "X-Forwarded-For: CubicWeb's IP" header ;)

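The two ideas in this thread so far, a configurable header name from the opening post and the rule in the reply above that a forwarding header may only be honoured when the connection really came from your own proxy, fit together in one small resolver. The code below is an added illustration, not Blesta's code and not the patch the opening post proposes; the header name and the trusted-proxy list are plain parameters here, standing in for the hypothetical company setting. It walks the X-Forwarded-For chain from the right, skipping its own proxies, and falls back to REMOTE_ADDR whenever the peer is not a known proxy, so a browser that sends its own forged header is simply ignored.

```php
<?php
// Added example (not Blesta's code): resolve the client IP behind a reverse proxy.
// Assumption: $trustedProxies and $header would come from a company setting;
// here they are ordinary function parameters.

/**
 * Return the client IP, consulting a forwarding header only when the TCP peer
 * (REMOTE_ADDR) is one of our own proxies. Otherwise REMOTE_ADDR is returned
 * unchanged, so a client adding its own X-Forwarded-For gains nothing.
 *
 * @param array  $server         Copy of $_SERVER
 * @param array  $trustedProxies Exact IPs or IPv4 CIDR prefixes of our proxies
 * @param string $header         Header to consult, e.g. "X-Forwarded-For" or "X-Real-IP"
 */
function clientIp(array $server, array $trustedProxies, string $header = 'X-Forwarded-For'): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || !ipInList($remote, $trustedProxies)) {
        return $remote; // Direct client or untrusted peer: header is ignored
    }

    // PHP exposes "X-Forwarded-For" as $_SERVER['HTTP_X_FORWARDED_FOR']
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $header));
    if (empty($server[$key])) {
        return $remote;
    }

    // X-Forwarded-For is a comma-separated chain: client, proxy1, proxy2, ...
    // Each hop appends the peer it saw, so walk from the right and skip our own
    // proxies; the first address that is not ours is the real client.
    $hops = array_reverse(array_map('trim', explode(',', $server[$key])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // Malformed chain: fall back to the TCP peer
        }
        if (!ipInList($hop, $trustedProxies)) {
            return $hop;
        }
    }
    return $remote; // Every hop was one of our proxies
}

/** True if $ip matches any entry in $list (exact IP, or IPv4 CIDR such as 10.0.0.0/8). */
function ipInList(string $ip, array $list): bool
{
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            if ($ip === $entry) {
                return true;
            }
            continue;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $ipLong  = ip2long($ip);
        $netLong = ip2long($net);
        if ($ipLong === false || $netLong === false) {
            continue; // IPv6 or malformed entry: CIDR matching here is IPv4 only
        }
        $mask = ((int) $bits === 0) ? 0 : (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests (not captured traffic):
$trusted = ['127.0.0.1', '10.0.0.0/8'];

// 1. PHP backend reached through the local Nginx proxy: header is honoured.
echo clientIp(['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'], $trusted), "\n";

// 2. The same header sent straight from a browser: header is ignored, peer IP is returned.
echo clientIp(['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'], $trusted), "\n";

// 3. Two-proxy chain (client, internal proxy) arriving via the local proxy.
echo clientIp(['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.1.2.3'], $trusted), "\n";

// 4. A setup that sends X-Real-IP instead, as the opening post mentions.
echo clientIp(['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_REAL_IP' => '203.0.113.7'], $trusted, 'X-Real-IP'), "\n";
```

The trusted-proxy list is the whole point: with an empty list the function degrades to plain REMOTE_ADDR, which is exactly the "never trust by default" behaviour the reply asks for, and the header only starts to matter once an administrator has named the proxies that are allowed to set it.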

  • 2 weeks later...

This is most likely something that the server should handle globally. I know most Apache reverse proxies use mod_rpaf, which handles such things. I'm sure there are similar ways to do this with other web servers.


It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. The first condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly, if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies, it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure. It also takes the incoming X-Host header and updates the virtualhost settings accordingly.


http://www.stderr.net/apache/rpaf/
