Merge pull request #41 from ThomasBrierley/configurable-forwarded-ips

Configurable forwarded IPs
tsugiproject · Nov 17, 2024 · 29b642e · 29b642e
2 parents 2b51276 + 64d2878
commit 29b642e
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/src/Config/ConfigInfo.php b/src/Config/ConfigInfo.php
@@ -730,6 +730,23 @@ class ConfigInfo {
     public $websocket_url = false;
     public $websocket_proxyport = false;
 
+    /**
+     * If the web server is NOT behind a reverse proxy, you may optionally wish
+     * to ignore forwarded IP headers such as x-forwarded-for and variations by
+     * setting this to false. This will help to preserve authenticity of IPs by
+     * only trusting IP addresses directly seen by the server.
+     *
+     * Never set this to false if you ARE behind a reverse proxy, otherwise all
+     * requests will appear to originate from the same IP address (the proxy).
+     *
+     * If behind a reverse proxy, set to `true`:
+     *     $CFG->trust_forwarded_ip = true; // (default)
+     *
+     * If not using a reverse proxy, set to `false`:
+     *     $CFG->trust_forwarded_ip = false;
+     */
+    public $trust_forwarded_ip = true;
+
     /*
      * This is the internal version of the datbase.   This is an internal
      * value and set in setup.php and read in migrate.php - you should not

diff --git a/src/Util/Net.php b/src/Util/Net.php
@@ -476,6 +476,8 @@ public static function send400($msg='Malformed request', $detail=null) {
      */
     public static function getIP() {
 
+        global $CFG;
+
         //Just get the headers if we can or else use the SERVER global
         if ( function_exists( 'apache_request_headers' ) ) {
             $rawheaders = apache_request_headers();
@@ -497,6 +499,11 @@ public static function getIP() {
 
         $the_ip = false;
 
+        // When not behind proxy, trust IP from web server over headers
+        if ( $CFG->trust_forwarded_ip === false && array_key_exists( 'REMOTE_ADDR', $_SERVER ) ) {
+            $the_ip = filter_var( $_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, $filter_option );
+        }
+
         // Check Cloudflare headers
         if ( $the_ip === false && array_key_exists( 'http_cf_connecting_ip', $headers ) ) {
             $pieces = explode(',',$headers['http_cf_connecting_ip']);