Matus UHLAR - fantomas wrote:
Mehmet ÇELiK wrote:
In your vBulletin includes/init.php file change "define('IPADDRESS',
$_SERVER['REMOTE_ADDR']);" to "define('IPADDRESS',
$_SERVER['HTTP_X_FORWARDED_FOR']);".
No. I don't do this. Because this is not the right method.
On 09.01.09 22:40, Amos Jeffries wrote:
In my PHP-apps I do the equivalent of this:
    if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
        define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
    else
        define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
Is that working? Afaik, x-forwarded-for may contain more IP addresses, where
not all of them may be trusted. I think that proper validator should have
list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR
until untrusted IP is found (the same way as squid's follow_x_forwarded_for
directive does).
If anyone has such PHP, please paste a link. I think that could be used in
many other PHP applications (and I'd post that to horde people).
Actually, come to think of it, that way is wrong anyway.
This is better...
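    function userIP()
    {
        $ip = "";
        // Build the chain of addresses: X-Forwarded-For entries, then REMOTE_ADDR.
        $xff = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : "";
        $l = explode(",", $xff . "," . $_SERVER['REMOTE_ADDR']);
        // Walk from the nearest hop (REMOTE_ADDR) back toward the client.
        $l = array_reverse($l);
        foreach ($l as $key => $val) {
            if (!$val) continue;
            $bits = array();
            // ereg() was removed in PHP 7; preg_match() accepts the same pattern.
            if (!preg_match('/((([0-9]{1,3}\.){3}([0-9]{1,3}))|([0-9a-f]{0,4}:(([0-9a-f]{1,4}:){0,6}|:)[0-9a-f]{0,4}))/', $val, $bits))
            {
                return ""; // BAD IP.
            }
            // TODO some test to see if its an acceptable IP.
            // return ""; if its not a good IP.
            $ip = $bits[1];
        }
        return $ip;
    }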
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
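
The validator Matus describes above (a list of trusted networks, checked against REMOTE_ADDR and then each X-Forwarded-For entry until an untrusted address is found), as an added example that is not code from any poster in this thread. The function names are hypothetical, the sample request is constructed, and PHP 7.4 or later is assumed:

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// True if $ip is inside $cidr ("10.0.0.0/8", "2001:db8::/32" or a bare address).
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable, or IPv4 compared with IPv6
    }
    $max = strlen($ipBin) * 8;
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
        return false; // reject "/abc" or "/99" rather than treating it as /0
    }
    $bits  = ($bits === null) ? $max : (int) $bits;
    $bytes = intdiv($bits, 8);
    $rem   = $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // 0 when the prefix ends on a byte boundary
    return $rem === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Start at REMOTE_ADDR and step right to left through X-Forwarded-For while the
// current hop is in a trusted network; return the first untrusted address.
function clientIp(array $server, array $trusted): string
{
    $isTrusted = fn(string $ip): bool => (bool) array_filter($trusted, fn($c) => ipInCidr($ip, $c));
    $current = $server['REMOTE_ADDR'] ?? '';
    $chain   = explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '');
    while ($chain && $isTrusted($current)) {
        $next = trim(array_pop($chain));
        if (filter_var($next, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: keep the last address that validated
        }
        $current = $next;
    }
    return $current;
}

// Constructed sample: proxies in 10.0.0.0/8 are trusted; the leftmost entry was sent by the client.
$trusted = ['127.0.0.1', '10.0.0.0/8'];
$server  = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '203.0.113.9, 198.51.100.7, 10.0.0.8'];
echo clientIp($server, $trusted), PHP_EOL;
```

Entries to the left of the first untrusted address are never consulted, so a value the client put in the header itself cannot become the logged address.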