author | Derek Jones <derek.jones@ellislab.com> | 2009-02-04 22:40:20 +0100 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2009-02-04 22:40:20 +0100 |
commit | c59722885288a8af90392b8019b415dd84229775 (patch) | |
tree | ac50b503725063df0b386fca0bc6989f0a87283c | |
parent | 149ca0820ef2fe3df34e023a109b4e72dbb4899d (diff) |
added a proxy_ips config item to whitelist reverse proxy servers so that the HTTP_X_FORWARDED_FOR header can be used safely to determine the visitor's IP address
-rw-r--r-- | system/application/config/config.php | 13 | ||||
-rw-r--r-- | system/libraries/Input.php | 11 | ||||
-rw-r--r-- | user_guide/changelog.html | 2 |
3 files changed, 24 insertions, 2 deletions
diff --git a/system/application/config/config.php b/system/application/config/config.php
index 58309d830..fae962e95 100644
--- a/system/application/config/config.php
+++ b/system/application/config/config.php
@@ -311,6 +311,19 @@ $config['time_reference'] = 'local';
 $config['rewrite_short_tags'] = FALSE;
+/*
+|--------------------------------------------------------------------------
+| Reverse Proxy IPs
+|--------------------------------------------------------------------------
+|
+| If your server is behind a reverse proxy, you must whitelist the proxy IP
+| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
+| header in order to properly identify the visitor's IP address.
+| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
+|
+*/
+$config['proxy_ips'] = '';
+
 /* End of file config.php */
 /* Location: ./system/application/config/config.php */
\ No newline at end of file
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index e879e2d13..6491d1791 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -346,8 +346,15 @@ class CI_Input {
 {
 return $this->ip_address;
 }
+
+ if ($this->config->item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
+ {
+ $proxies = preg_split('/[\s,]/', $this->config->item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
+ $proxies = is_array($proxies) ? $proxies : array($proxies);
- if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
+ $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+ }
+ elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
 {
 $this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
 }
@@ -373,7 +380,7 @@ class CI_Input {
 if (strstr($this->ip_address, ','))
 {
 $x = explode(',', $this->ip_address);
- $this->ip_address = end($x);
+ $this->ip_address = trim(end($x));
 }
 if ( ! $this->valid_ip($this->ip_address))
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index f5e7bc948..7892dc31e 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -90,6 +90,8 @@ SVN Revision: </p>
 <ul>
 <li>Improved security in <kbd>xss_clean()</kbd> to help prevent attacks targeting Internet Explorer.</li>
 <li>Added 'application/msexcel' to config/mimes.php for .xls files.</li>
+ <li>Added 'proxy_ips' config item to whitelist reverse proxy servers from which to trust the HTTP_X_FORWARDED_FOR header to
+ to determine the visitor's IP address.</li>
 </ul>
 </li>
 </ul>
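Review bot: The whitelist introduced in the first Input.php hunk only takes effect when `proxy_ips` is non-empty; with the shipped default of `''` the new `if` is skipped and the following `elseif` still assigns `$_SERVER['HTTP_CLIENT_IP']` from a client-supplied header with no proxy check, so the header-spoofing exposure this commit targets remains the out-of-the-box behaviour (the remaining branches are outside the hunk, so I cannot confirm whether they do the same for HTTP_X_FORWARDED_FOR). Either gate those header-based branches on the same whitelist test, or state in the config comment that an empty `proxy_ips` leaves those headers trusted. Inside the new branch, `in_array($_SERVER['REMOTE_ADDR'], $proxies)` should pass the strict flag, `in_array($_SERVER['REMOTE_ADDR'], $proxies, TRUE)`, so the whitelist match is a plain string comparison rather than a loose one. The second hunk keeps the rightmost comma-separated entry, which is the address the last proxy saw and is the safe choice for a single trusted hop; when several addresses from `proxy_ips` are chained, however, that entry is another whitelisted proxy rather than the visitor unless trailing entries that are themselves in `$proxies` are skipped first. The enclosing method starts and ends outside both hunks.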