Matus UHLAR - fantomas wrote:
Mehmet ÇELiK wrote:
In your vBulletin includes/init.php file change "define('IPADDRESS',
$_SERVER['REMOTE_ADDR']);" to "define('IPADDRESS',
$_SERVER['HTTP_X_FORWARDED_FOR']);".
No. I don't do this, because this is not the right method.
On 09.01.09 22:40, Amos Jeffries wrote:
In my PHP-apps I do the equivalent of this:
    if ($trust_XFF && !empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
    else
        define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
Is that working? AFAIK, X-Forwarded-For may contain more IP addresses, where
not all of them may be trusted. I think that a proper validator should have a
list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR
until an untrusted IP is found (the same way as squid's follow_x_forwarded_for
directive does).
If anyone has such PHP, please paste a link. I think that could be used in
many other PHP applications (and I'd post that to the horde people).
This is one I have linked for signups. Goes a little further than
trusting the XFF and assuming only one proxy is in use.
Copes with both IPv4 and IPv6.
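<?php
// Returns the last address listed in X-Forwarded-For (or REMOTE_ADDR when the
// header is absent), or "" if any entry does not look like an IPv4/IPv6 address.
function userIP()
{
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        $base = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else
        $base = $_SERVER['REMOTE_ADDR'];
    $ip = "";
    foreach (explode(",", $base) as $key => $val) {
        $bits = array();
        // preg_match() replaces ereg(), which was removed in PHP 7.
        if (!preg_match('/((([0-9]{1,3}\.){3}([0-9]{1,3}))|([0-9a-f]{0,4}:(([0-9a-f]{1,4}:){0,6}|:)[0-9a-f]{0,4}))/', $val, $bits))
        {
            return ""; // BAD IP.
        }
        // TODO some test to see if its an acceptable IP.
        // return ""; if its not good.
        $ip = $bits[1]; // group 1 is the whole matched address
    }
    return $ip;
}
?>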
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
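
The trusted-network walk Matus asks for above (believe X-Forwarded-For entries from right to left only while the address that supplied them is a known proxy, the behaviour the thread attributes to squid's follow_x_forwarded_for), written in PHP as an added example that is not from the thread or any of its participants. The function names and the sample networks are assumptions.

```php
<?php
// Added example, not from the thread; every name below is hypothetical.

// True if $ip is inside $cidr. inet_pton() handles both IPv4 and IPv6.
function inCidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared against IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = $parts[1] ?? (string)$max;
    if (!ctype_digit($bits) || (int)$bits > $max) {
        return false; // a malformed prefix must never widen the trust list
    }
    $bytes = intdiv((int)$bits, 8);
    $rem   = (int)$bits % 8;
    $mask  = (0xFF << (8 - $rem)) & 0xFF; // 0 when the prefix ends on a byte
    return strncmp($ipBin, $netBin, $bytes) === 0
        && ($rem === 0 || ((ord($ipBin[$bytes]) ^ ord($netBin[$bytes])) & $mask) === 0);
}

function isTrusted(string $ip, array $trusted): bool
{
    foreach ($trusted as $cidr) {
        if (inCidr($ip, $cidr)) return true;
    }
    return false;
}

// Start at the TCP peer and step leftwards through X-Forwarded-For, but only
// while the address reached so far is one of our own proxies.
function clientIp(string $remoteAddr, string $xff, array $trusted): string
{
    $ip = $remoteAddr;
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $hop = trim($hop);
        if (!isTrusted($ip, $trusted) || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // untrusted sender or garbage entry: keep the last good address
        }
        $ip = $hop;
    }
    return $ip;
}

// Constructed sample: 10.0.0.0/8 is the proxy tier, leftmost entry is client-supplied.
$trusted = ['10.0.0.0/8', '2001:db8:1::/48'];
echo clientIp('10.0.0.5', '198.51.100.66, 203.0.113.7, 10.0.0.9', $trusted), "\n";
```

A peer reported in IPv4-mapped form (::ffff:10.0.0.5) does not match an IPv4 prefix here, so list such proxies in IPv6 notation as well if the server reports them that way.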