Additional checking for IPs passing through proxies

More
2 years 4 months ago #120120 by ongkichilam
ongkichilam created the topic: Additional checking for IPs passing through proxies
We need to capture client's IP. After turned on the IP tracking option, we are getting Invalid IP. This is because proxy server passing multiple IPs in the server variable HTTP_X_FORWARDED_FOR.

Can we enhance the code getIPAddress() at common_helper.php to check if multiple IPs exist, it will take the first one?

Please Log in to join the conversation.

More
2 years 3 weeks ago #124525 by encelado
encelado replied the topic: Additional checking for IPs passing through proxies
This is how it's achieved in Drupal: api.drupal.org/api/drupal/includes!boots...unction/ip_address/7
In LimeSurvey 2, it would look like this:

/**
* This function returns the real IP address under all configurations
*
* Rewritten using Drupal code (see source and credits at
* https://api.drupal.org/api/drupal/includes!bootstrap.inc/function/ip_address/7). 
* This implementation requires additional configuration variables to be set in
* /application/config/config.php: reverseProxy, reverseProxyHeader, and
* reverseProxyAddresses (see related comments in original source code at
* https://api.drupal.org/api/drupal/sites!default!default.settings.php/7).
*
*/
function getIPAddress()
{
    $sIPAddress = $_SERVER['REMOTE_ADDR'];
 
    if (Yii::app()->getConfig('reverseProxy', 0)) {
        $sReverseProxyHeader = Yii::app()->getConfig('reverseProxyHeader', 'HTTP_X_FORWARDED_FOR');
        if (!empty($_SERVER[$sReverseProxyHeader])) {
            // If an array of known reverse proxy IPs is provided, then trust
            // the XFF header if request really comes from one of them.
            $aReverseProxyAddresses = Yii::app()->getConfig('reverseProxyAddresses', array());
 
            // Turn XFF header into an array.
            $aForwarded = explode(',', $_SERVER[$sReverseProxyHeader]);
 
            // Trim the forwarded IPs; they may have been delimited by commas and spaces.
            $aForwarded = array_map('trim', $aForwarded);
 
            // Tack direct client IP onto end of forwarded array.
            $aForwarded[] = $sIPAddress;
 
            // Eliminate all trusted IPs.
            $aUntrusted = array_diff($aForwarded, $aReverseProxyAddresses);
 
            // The right-most IP is the most specific we can trust.
            $sIPAddress = array_pop($aUntrusted);
        }
    }
 
    return filter_var($sIPAddress, FILTER_VALIDATE_IP) ? $sIPAddress : 'Invalid';
}
Once replaced the getIPAddress() function in /application/helpers/common_helper.php, set the following parameters in /application/config/config.php:

return array('config' => array(// Reverse proxy configuration settings.
		'reverseProxy' => TRUE,
		// Set this value if your proxy server sends the client IP in a header other than X-Forwarded-For.
		# 'reverseProxyHeader' => 'HTTP_X_CLUSTER_CLIENT_IP',
		// Specify every reverse proxy IP address in your environment. Required.
		'reverseProxyAddresses' => array('a.b.c.d',),
	)
);

Please Log in to join the conversation.

Start now!

Just create your account and start using Limesurvey today.

Register now