Posted

After digging through Blesta's code for the past few months I've come up with a sound way to get a user's IP when proxying requests, but since this requires editing the core files too I'd rather not do it myself.


In the Users.login function (in /blesta/app/models/users.php:function login) there are these two lines:

    if (!isset($vars['ip_address']))
        $vars['ip_address'] = $this->ifSet($_SERVER['REMOTE_ADDR'], null);

What I propose is making a company-specific option in [settings]->[Company]->General with an option of "Remote Address Header" automatically set to default as REMOTE_ADDR (and a notice saying "if you don't know what this means leave as default" basically).


The reason behind this is that not everyone can or wants to modify that header value; instead they add a different one (e.g. X-Real-IP).


The use case for this is people who have two different web servers installed. For example, I have Nginx installed on my server, which serves all static content and then just passes all PHP requests to another web service. However, the other web service listens on a private IP, so that is all it sees the way Blesta is right now.


After this it would just take a simple change to the code above:

    if (!isset($vars['ip_address']))
        $vars['ip_address'] = $this->ifSet($_SERVER[Configure::get("Blesta.ip_address_header")], null);

Or similar.

Posted
  On 2/5/2014 at 6:29 PM, Cody said:

Why not just use $_SERVER['HTTP_X_FORWARDED_FOR'], as that is the variable for the X-Forwarded-For header and requires no user configuration in Blesta?

As long as it contains the real IP then that'd be fine too. I haven't messed with the passed headers, so I don't know if every proxy setup will pass the correct values to it, is all.

Posted
  On 2/6/2014 at 4:02 PM, Cody said:

X-Forwarded-For is the de facto/proposed standard for this very purpose.

Can we have that as the default on Blesta, mate, or is there a way we can edit a file to include it? :)

Posted
  On 2/2/2014 at 3:04 PM, secforus_ehansen said:

The use case for this is people who have two different web servers installed. I.e.: I have Nginx installed on my server which serves all static content then just passes all PHP requests to another web service. However, the other web service listens on a private IP so it only fetches that with the way Blesta is right now.


What software are you running on the other web server?

If it's Apache, just use: http://httpd.apache.org/docs/current/mod/mod_remoteip.html

Handling it at the web server level instead of in PHP has the added bonus that it displays the real client IP in your access_log and statistics as well.

Posted
  On 2/6/2014 at 4:18 PM, CubicWebs said:

Can we have that as default on Blesta mate

Never trust an X-Forwarded-For header by default; trust it only when you actually have a proxy and have verified that the connection came from the proxy IP.

Otherwise I can pretend to be a proxy too and make my web browser send requests with an added "X-Forwarded-For: CubicWeb's IP" header ;)
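The rule in the post above (use X-Forwarded-For only when the direct peer is a proxy you operate), written out as an added PHP example that is not Blesta's code. The proxy list, the `$server` arrays and the `client_ip` function name are constructed for this illustration.

```php
<?php
// Added example (not part of Blesta): resolve the client IP from X-Forwarded-For
// only when REMOTE_ADDR is one of the proxies we run. Everything below is constructed.

function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Request did not come through one of our proxies: any X-Forwarded-For
    // value was supplied by the client itself, so it is ignored.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($header === '') {
        return $remote;
    }

    // X-Forwarded-For reads "client, proxy1, proxy2": each hop appends the peer it
    // saw. Walk from the right, skipping our own proxies; the first address that is
    // not ours is the peer our trusted proxy observed. Entries further left were
    // written by parties we do not control and are never used.
    $hops = array_map('trim', explode(',', $header));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // Fall back to the socket address if the entry is not a valid IP.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $remote;
    }
    return $remote;
}

// Constructed value: the Nginx front end that proxies to the PHP backend.
$trusted = ['10.0.0.5'];

// Constructed request that arrived via the front end; the client prepended its
// own entry, but only the hop reported by our proxy is used.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7'];

// Constructed request that reached PHP directly with a self-supplied header;
// the header is ignored and the socket address is returned.
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];

var_dump(client_ip($viaProxy, $trusted));
var_dump(client_ip($direct, $trusted));
```

The same check applies to X-Real-IP; in that case only the single value set by the trusted proxy is used, with no list to walk.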

  • 2 weeks later...
Posted

This is most likely something that the server should handle globally; I know most Apache reverse proxies use mod_rpaf, which handles such things. I'm sure there are similar ways to do this with other web servers.

It changes the remote address of the client visible to other Apache modules when two conditions are satisfied. The first condition is that the remote client is actually a proxy that is defined in httpd.conf. Secondly, if there is an incoming X-Forwarded-For header and the proxy is in its list of known proxies, it takes the last IP from the incoming X-Forwarded-For header and changes the remote address of the client in the request structure. It also takes the incoming X-Host header and updates the virtualhost settings accordingly.

 

http://www.stderr.net/apache/rpaf/
