Derek Jones avatar Derek Jones committed 3b794c2

added proxy_ips config item to whitelist reverse proxy servers to use the HTTP_X_FORWARDED_FOR header safely to determine the visitor's IP address


Files changed (3)

system/application/config/config.php

 $config['rewrite_short_tags'] = FALSE;
 
 
+/*
+|--------------------------------------------------------------------------
+| Reverse Proxy IPs
+|--------------------------------------------------------------------------
+|
+| If your server is behind a reverse proxy, you must whitelist the proxy IP
+| addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
+| header in order to properly identify the visitor's IP address.
+| Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
+|
+*/
+$config['proxy_ips'] = '';
+
 
 /* End of file config.php */
 /* Location: ./system/application/config/config.php */
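Review bot: The new comment block should state that entries are matched as exact addresses against REMOTE_ADDR, since the lookup in system/libraries/Input.php is a plain `in_array()` and a CIDR range or wildcard in this list would silently never match, leaving the header untrusted. I would add a line to the block: `| Exact IP addresses only; ranges and CIDR notation are not supported.` It is also worth saying explicitly that only the address of the proxy that connects directly to this server needs to be listed, because that is the value compared.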

system/libraries/Input.php

 		{
 			return $this->ip_address;
 		}
+		
+		if ($this->config->item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR'))
+		{
+			$proxies = preg_split('/[\s,]/', $this->config->item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
+			$proxies = is_array($proxies) ? $proxies : array($proxies);
 
-		if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
+			$this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+		}
+		elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
 		{
 			$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
 		}
 		if (strstr($this->ip_address, ','))
 		{
 			$x = explode(',', $this->ip_address);
-			$this->ip_address = end($x);
+			$this->ip_address = trim(end($x));
 		}
 
 		if ( ! $this->valid_ip($this->ip_address))
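Review bot: When REMOTE_ADDR is a trusted proxy, the whole HTTP_X_FORWARDED_FOR value is assigned on the `$this->ip_address = in_array(...)` line and the later comma branch keeps only `end($x)`; that is right for a single trusted hop, but with two or more chained proxies from `proxy_ips` the rightmost entry is the inner proxy's address, not the visitor's. The safer reading is to walk the header from the right and take the first entry that is not itself in `$proxies`, falling back to REMOTE_ADDR when every entry is trusted. The `valid_ip()` check that follows still applies to the chosen value, so a malformed entry is handled as before. The enclosing `ip_address()` method starts outside this hunk, and `preg_split()` returning FALSE is already covered by the `is_array()` guard.
```php
$proxies = preg_split('/[\s,]/', $this->config->item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY);
$proxies = is_array($proxies) ? $proxies : array($proxies);

$this->ip_address = $_SERVER['REMOTE_ADDR'];
if (in_array($_SERVER['REMOTE_ADDR'], $proxies))
{
    // Walk the chain from the hop nearest to us, skipping addresses we trust,
    // so the first untrusted entry is the client as seen by the outermost trusted proxy.
    $hops = preg_split('/[\s,]/', $_SERVER['HTTP_X_FORWARDED_FOR'], -1, PREG_SPLIT_NO_EMPTY);
    foreach (array_reverse(is_array($hops) ? $hops : array()) as $hop)
    {
        if ( ! in_array($hop, $proxies))
        {
            $this->ip_address = $hop;
            break;
        }
    }
}
// … unchanged: HTTP_CLIENT_IP elseif branch and valid_ip() check …
```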

user_guide/changelog.html

 		<ul>
 			<li>Improved security in <kbd>xss_clean()</kbd> to help prevent attacks targeting Internet Explorer.</li>
 			<li>Added 'application/msexcel' to config/mimes.php for .xls files.</li>
+			<li>Added 'proxy_ips' config item to whitelist reverse proxy servers from which to trust the HTTP_X_FORWARDED_FOR header to
+				to determine the visitor's IP address.</li>
 		</ul>
 	</li>
 </ul>