Using real client ip behind a proxy in Session driver
CodeIgniter Forums (https://forum.codeigniter.com) > Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5) > Best Practices (https://forum.codeigniter.com/forumdisplay.php?fid=12)
Thread: Using real client ip behind a proxy in Session driver (/showthread.php?tid=64427)
Using real client ip behind a proxy in Session driver - remiheens - 02-18-2016

Hi,

I'm creating a login library to manage sessions on my website. But I've seen that the drivers use $_SERVER['REMOTE_ADDR'], so when running CI behind a proxy (nginx proxy_pass query to Apache) $_SERVER['REMOTE_ADDR'] is always 127.0.0.1. So sess_match_ip doesn't work.

I've created a PR on GitHub, but narfbg says to me that it's a security flaw to trust an IP provided by the client, and I understand that. But in my case, the IP was trusted because it was added to the HTTP header by the nginx configuration:

Code:
    proxy_set_header X-Real-IP $remote_addr;

I thought creating a subdriver of Session_<driver>_driver was a good solution, but apparently not...

What is running and works on my dev server:

PHP Code:
    <?php

I know it's not a good solution, but I want to understand and find a really good solution. What are the best practices to use the real client IP and make the session match_ip option work?

RE: Using real client ip behind a proxy in Session driver - kilishan - 02-18-2016

I might be confused, as dealing with proxies isn't something I've had a whole lot of experience with, but I believe the Input class' ip_address function will already look through proxies for you. You just have to specify a whitelist of IP addresses in `config.php`:

Code:
    $config['proxy_ips'] = '';

I believe this does what you need, doesn't it?

RE: Using real client ip behind a proxy in Session driver - remiheens - 02-18-2016

(02-18-2016, 08:16 AM)kilishan Wrote:
> I might be confused, as dealing with proxies isn't something I've had a whole lot of experience with, but I believe the Input class' ip_address function will already look through proxies for you.
> You just have to specify a whitelist of IP addresses in `config.php`:

No, it doesn't, because in the Session drivers the client IP is obtained from $_SERVER['REMOTE_ADDR']:

PHP Code:
    // libraries/Session/drivers/Session_files_driver.php L#129

I've already added my two proxy server IPs to the config file, and my app gets the real client IP in all functions/methods/etc., but only in the Session driver is the client IP 127.0.0.1.

RE: Using real client ip behind a proxy in Session driver - remiheens - 02-18-2016

OK, I've found a better solution. I think it's more a "hack" than a solution, but it works. I add this on top of my index.php:

PHP Code:
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];

HTTP_X_FORWARDED_FOR cannot be trusted because it's a concatenation of IPs provided by the HTTP request, and the client can set the value:

Code:
    curl http://example.com/ -H 'X-Forwarded-For: <a-fake-ip>'

HTTP_X_REAL_IP is created by the nginx configuration, and if it already exists it will be overwritten, so I can't trust the value, no?
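The index.php override in the last post works only as long as every request really does arrive through nginx; a client that can reach Apache directly can send its own X-Real-IP and the unconditional assignment would accept it. The following is an added example (not code from the thread, and not CodeIgniter's own code) of the same override guarded by a trusted-proxy check: the header is honoured only when the TCP peer is one of our proxies, and the value is validated as an IP literal. It assumes nginx is the only hop and sets X-Real-IP with the proxy_set_header line quoted above; the function name resolve_client_ip and the proxy address list are constructed for illustration.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// Goal: make $_SERVER['REMOTE_ADDR'] hold the real client address (so
// sess_match_ip sees it) WITHOUT trusting a header from an arbitrary peer.
// Assumptions: nginx is the only hop and sets X-Real-IP via
// "proxy_set_header X-Real-IP $remote_addr;"; the proxy list below is a
// constructed sample, not a real deployment value.

/**
 * Return the client IP to use for this request, or REMOTE_ADDR unchanged
 * when the request did not arrive through one of our own proxies.
 */
function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // A direct client can send any X-Real-IP it likes; only honour the
    // header when the TCP peer is a proxy we control.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }

    // X-Real-IP carries a single address that nginx overwrites on every
    // request, so the client cannot pre-seed it through that path.
    $candidate = trim($server['HTTP_X_REAL_IP'] ?? '');

    // Accept only a syntactically valid IPv4/IPv6 literal; anything else
    // (empty, garbage, a comma-separated list) falls back to the peer.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $peer;
    }

    return $candidate;
}

// --- Wiring at the top of index.php, before CodeIgniter bootstraps -------
// Constructed sample: the addresses nginx connects to Apache from.
$trusted_proxies = ['127.0.0.1', '::1'];
$_SERVER['REMOTE_ADDR'] = resolve_client_ip($_SERVER, $trusted_proxies);

// --- Constructed requests showing the two cases ---------------------------
// Request relayed by nginx: the header is honoured.
$via_nginx = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_REAL_IP' => '203.0.113.7'];
// Request that bypassed nginx and spoofs the header: the header is ignored.
$direct_spoof = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_REAL_IP' => '203.0.113.7'];

echo resolve_client_ip($via_nginx, $trusted_proxies), PHP_EOL;
echo resolve_client_ip($direct_spoof, $trusted_proxies), PHP_EOL;
```

The trusted-proxy list is the same set of addresses the thread puts in $config['proxy_ips']; that config only affects Input::ip_address(), which is why the Session driver, reading $_SERVER['REMOTE_ADDR'] directly, still saw 127.0.0.1. Doing the override once, up front and guarded, keeps both code paths reporting the same address. If Apache is also reachable without going through nginx, the guard is what prevents a spoofed X-Real-IP from being used for sess_match_ip.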