velaware Posted February 2, 2014 Report Posted February 2, 2014 After digging through Blesta's code for the past few months I've come up with a sound way to get a user's IP when proxying requests, but since this requires editing the core files too I'd rather not do it myself. In the Users.login function (in /blesta/app/models/users.php:function login) there are these two lines:

if (!isset($vars['ip_address']))
    $vars['ip_address'] = $this->ifSet($_SERVER['REMOTE_ADDR'], null);

What I propose is making a company-specific option in [settings]->[Company]->General with an option of "Remote Address Header" automatically set to default as REMOTE_ADDR (and a notice saying "if you don't know what this means leave as default" basically). The reason behind this is not everyone can or wants to modify that header value and instead adds a different one (e.g. X-Real-IP). The use case for this is people who have two different web servers installed. I.e.: I have Nginx installed on my server which serves all static content then just passes all PHP requests to another web service. However, the other web service listens on a private IP so it only fetches that with the way Blesta is right now. After this it would just take a simple change to the code above:

if (!isset($vars['ip_address']))
    $vars['ip_address'] = $this->ifSet($_SERVER[Configure::get("Blesta.ip_address_header")], null);

Or similar.
Cody Posted February 5, 2014 Report Posted February 5, 2014 Why not just use $_SERVER['HTTP_X_FORWARDED_FOR'], as that is the variable for the X-Forwarded-For header and requires no user configuration in Blesta? Michael 1
velaware Posted February 6, 2014 Author Report Posted February 6, 2014 On 2/5/2014 at 6:29 PM, Cody said: Why not just use $_SERVER['HTTP_X_FORWARDED_FOR'], as that is the variable for the X-Forwarded-For header and requires no user configuration in Blesta? As long as it contains the real IP then that'd be fine too. I haven't messed with the passed headers so I don't know if every proxy setup will pass the correct values to it is all.
Cody Posted February 6, 2014 Report Posted February 6, 2014 X-Forwarded-For is the de facto/proposed standard for this very purpose.
Michael Posted February 6, 2014 Report Posted February 6, 2014 On 2/6/2014 at 4:02 PM, Cody said: X-Forwarded-For is the de facto/proposed standard for this very purpose. Can we have that as default on Blesta mate, or is there a way we can edit a file to include it?
Max Posted February 6, 2014 Report Posted February 6, 2014 On 2/2/2014 at 3:04 PM, secforus_ehansen said: The use case for this is people who have two different web servers installed. I.e.: I have Nginx installed on my server which serves all static content then just passes all PHP requests to another web service. However, the other web service listens on a private IP so it only fetches that with the way Blesta is right now. What software are you running on the other web server? If it's Apache just use: http://httpd.apache.org/docs/current/mod/mod_remoteip.html Handling it at the webserver level instead of in PHP has the added bonus that it displays the real client IP in your access_log and statistics as well.
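As an added example (not from this thread and not Blesta's or Apache's own configuration), here is the mod_remoteip setup Max is pointing at, for the layout the original poster describes: nginx on the public address proxying PHP requests to Apache on a private address. The proxy addresses 127.0.0.1 and 10.0.0.5 and the assumption that nginx sets `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` are assumptions for the example. The important line is RemoteIPInternalProxy: without it mod_remoteip would honour the header from any peer, which reintroduces the spoofing problem.

```apache
# Added example configuration (httpd 2.4), not from the thread.
# Assumed layout: nginx on the public IP forwards PHP requests to this Apache
# on a private IP, and nginx sets X-Forwarded-For with $proxy_add_x_forwarded_for.
LoadModule remoteip_module modules/mod_remoteip.so

# Header the front-end proxy fills in with the client address.
RemoteIPHeader X-Forwarded-For

# Only X-Forwarded-For entries appended by these addresses are trusted; a
# header value supplied by a client connecting from anywhere else is ignored.
# After this, REMOTE_ADDR as seen by PHP is already the real client address,
# so Blesta needs no change.
RemoteIPInternalProxy 127.0.0.1
RemoteIPInternalProxy 10.0.0.5

# %a is the client address after mod_remoteip substitution; %{c}a would still
# be the proxy's address. Using %a makes access_log and statistics show the
# real client, as Max notes.
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" remoteip_combined
CustomLog logs/access_log remoteip_combined
```

If the proxy has a public address rather than a private one, use RemoteIPTrustedProxy instead of RemoteIPInternalProxy; the trust rule is the same, only the treatment of private-range entries in the header differs.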
Max Posted February 6, 2014 Report Posted February 6, 2014 On 2/6/2014 at 4:18 PM, CubicWebs said: Can we have that as default on Blesta mate Never trust an X-Forwarded-For header by default, only when you actually have a proxy, and verified the connection came from the proxy IP. Otherwise I can pretend to be a proxy too and make my web browser send requests with an added "X-Forwarded-For: CubicWeb's IP" header
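As an added example (not Blesta's code and not posted by anyone in this thread), here is what Max's rule looks like when it has to be done in PHP rather than in the web server: X-Forwarded-For is consulted only when REMOTE_ADDR is one of the proxies we operate, and the header is walked from the right so that an entry the client wrote itself is never used. The function name client_ip, the $trusted_proxies list and the four sample requests are assumptions constructed for the example; in Blesta the list would presumably come from a Configure setting as the original poster suggests, which is also an assumption.

```php
<?php
// Added example, not Blesta's code. Resolve the client address behind a reverse
// proxy without trusting a client-supplied X-Forwarded-For header.
//
// $server is the $_SERVER array (passed in so the function is testable);
// $trusted_proxies is an assumed configuration value listing the addresses of
// the proxies we operate (e.g. the nginx in front of PHP).
function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // The TCP peer is not one of our proxies, so the peer IS the client.
    // Any X-Forwarded-For it sent was written by the client and is ignored.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote; // proxy did not forward a client address
    }

    // Each proxy appends the address that connected to it, so the header reads
    // "client, proxy1, proxy2, ...". Walk from the right: skip our own proxies
    // and stop at the first address we do not control. Entries further left
    // were written by untrusted parties and may be forged.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = $hops[$i];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back rather than store junk
        }
        if (!in_array($ip, $trusted_proxies, true)) {
            return $ip;
        }
    }

    return $remote; // every entry was one of our proxies
}

// Constructed sample requests (addresses from RFC 5737 documentation ranges).
$trusted = ['127.0.0.1', '10.0.0.5'];

$cases = [
    // Request forwarded by nginx on 127.0.0.1 for a client at 203.0.113.7.
    'forwarded' => [
        'REMOTE_ADDR'          => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
    ],
    // Same client, but it sent its own "X-Forwarded-For: 198.51.100.1" and
    // nginx appended the real peer address behind it.
    'spoof_via_proxy' => [
        'REMOTE_ADDR'          => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7',
    ],
    // Direct connection to the PHP backend with a forged header, no proxy.
    'spoof_direct' => [
        'REMOTE_ADDR'          => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
    ],
    // Two of our proxies in the chain.
    'two_proxies' => [
        'REMOTE_ADDR'          => '127.0.0.1',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5',
    ],
];

foreach ($cases as $name => $server) {
    printf("%-16s %s\n", $name, client_ip($server, $trusted));
}
```

All four requests resolve to 203.0.113.7; the 198.51.100.1 values, which only ever appear in positions a client could have written, are never used. Compare this with the naive `$_SERVER['HTTP_X_FORWARDED_FOR']` lookup suggested earlier in the thread, which would return 198.51.100.1 for the spoof_direct case and, if the first entry is taken, for spoof_via_proxy as well.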
ctalkington Posted February 16, 2014 Report Posted February 16, 2014 This is most likely something that the server should handle globally. I know most Apache reverse proxy setups use mod_rpaf, which handles such things. I'm sure there are similar ways to do this with other web servers. Quote: It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. First condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly, if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies, it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure. It also takes the incoming X-Host header and updates the virtualhost settings accordingly. http://www.stderr.net/apache/rpaf/