IP detection behind a reverse proxy
FallenHawk:
Hello,
I'm currently planning to convert my 2-year-old forum (Invision 1.3.1) and SMF is the best I have found so far. I have installed version 1.1.2 to test it and get to know it a bit more before converting my database.
My site is behind a reverse proxy (http://en.wikipedia.org/wiki/Reverse_Proxy). As far as the server knows, the client is only the proxy server and not the user who is actually visiting the site.
The proxy, however, sends the client's IP address as an HTTP header (I believe) and it can be retrieved in PHP (4.4.1) by using $_SERVER['HTTP_X_FORWARDED_FOR'].
SMF can detect the IP address fine, it seems. The correct address and hostname are listed in the user's profile. Unfortunately, the IP address that is shown next to each message the user has posted is always the proxy's and not the same address that is listed in the user's profile.
Is this intended behavior, a configuration issue or could this be a bug?
Thanks.
Daniel15:
Hello, and welcome to the forums! :D
--- Quote ---Is this intended behavior, a configuration issue or could this be a bug?
--- End quote ---
This is actually the intended behavior. Previously, it was possible to spoof the IP address, by sending a fake X_FORWARDED_FOR header (see National Vulnerability Database, CVE-2006-7013). In response to this, SMF stores both the proxy IP, and the X_Forwarded_For header IP.
To get the old behaviour back, open Themes/[theme name, or default if you're using the default]/Display.template.php, and find:
--- Code: ---$message['member']['ip']
--- End code ---
Replace all instances (it occurs 4 times) with:
--- Code: ---$message['member']['ip2']
--- End code ---
FallenHawk:
Thanks for the reply. :)
--- Quote ---In response to this, SMF stores both the proxy IP, and the X_Forwarded_For header IP.
--- End quote ---
I did search the forums for X_Forwarded_For and found some hits about a vulnerability. I thought it could have something to do with it, since the correct IP must be detected at some point to be shown in the user's profile.
I believe that, since this is sent by the proxy, it'll always be the correct address in my case. The user cannot access the site without going through the proxy first, so I think that (for me) it would be safe to always log just the IP in the header.
I'll try to make a test to confirm that the proxy does not use the X_Forwarded_For header to determine the IP address of the client.
--- Quote ---To get the old behaviour back, open Themes/[theme name, or default if you're using the default]/Display.template.php, and find:
--- End quote ---
I did the modification as you said and replaced all four instances. It did change the IP address that is displayed, but it's still not the right one. The reverse proxy is a group of 12 machines and every time the user needs a new DNS lookup, a new IP address will be used.
The new IP address that is displayed is just another proxy IP address. Seems to be the last IP address instead of the logged IP address on the message, since it's showing the same IP address for all my test posts.
Is there something else I can try?
FallenHawk:
I added some code in index.php to rewrite the address in REMOTE_ADDR with the IP provided by the header.
--- Code: ---$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
unset($_SERVER['HTTP_X_FORWARDED_FOR']);
--- End code ---
This is probably not very clean, but it works. I do not know if the second line is needed, but I added it just to be safe.
In my case, I can do nothing other than trust that the proxy server will forward the correct address. If it sends an incorrect address, that's going to be all I will get, because I have no access to the first request. So it's either the forwarded address or nothing.
Daniel15:
Sorry about not replying sooner, I didn't see your reply :-[
--- Quote ---I added some code in index.php to rewrite the address in REMOTE_ADDR with the IP provided by the header.
--- End quote ---
This will not work properly if the user is using a proxy. If the end user is using a proxy, then two IP addresses will be in the X_FORWARDED_FOR header (I've got an internal proxy, and my ISP's transparent proxy, so for me, it would show three addresses).
When I have more free time, I'll try to come up with a better solution.
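The following is an added example, not code from this thread or from SMF: a sketch of resolving the client address when X_FORWARDED_FOR may hold several entries and may be forged, as discussed above. The function name `resolveClientIp`, the proxy pool and the sample requests are constructed for illustration, and it assumes a current PHP with `filter_var` and a reverse proxy that appends the peer it saw to the end of the header.

```php
<?php
// Added example: hypothetical helper, not part of SMF.
// Constructed proxy pool (documentation range); list the real proxy machines here.
$trustedProxies = array('192.0.2.10', '192.0.2.11', '192.0.2.12');

// Returns the right-most X-Forwarded-For entry that is not one of our proxies,
// or REMOTE_ADDR when the header cannot be trusted.
function resolveClientIp(array $server, array $trustedProxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // Only honour the header when the request really came from our proxy;
    // on a direct connection it is entirely client-controlled.
    if (!in_array($remote, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // Entries further left were supplied by the client or by proxies we do not
    // control, so walk the list from the right and stop at the first outsider.
    $chain = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($chain as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed entry: fall back to the socket address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // every entry was one of our own proxies
}

// Constructed requests covering the cases raised in the thread.
$cases = array(
    'through proxy, one entry' => array(
        'REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'),
    'user behind own proxies, several entries' => array(
        'REMOTE_ADDR' => '192.0.2.11', 'HTTP_X_FORWARDED_FOR' => '10.0.0.5, 198.51.100.20'),
    'direct connection with forged header' => array(
        'REMOTE_ADDR' => '203.0.113.99', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'),
    'malformed header through proxy' => array(
        'REMOTE_ADDR' => '192.0.2.12', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'),
);
foreach ($cases as $label => $server) {
    printf("%-42s %s\n", $label, resolveClientIp($server, $trustedProxies));
}
```

For the multi-entry case this logs the address that actually connected to the reverse proxy, not the left-most value, which the client can set to anything.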