Using real client ip behind a proxy in Session driver
#1

Hi,

I'm creating a login library to manage session on my website.
But I've seen that the drivers use $_SERVER['REMOTE_ADDR'], so when running CI behind a proxy (nginx proxy_pass to Apache), $_SERVER['REMOTE_ADDR'] is always 127.0.0.1.
So sess_match_ip doesn't work.

I've created a PR on GitHub, but narfbg told me that it's a security flaw to trust an IP provided by the client, and I understand that.

But in my case, the IP was trusted because it was added to the HTTP header by the nginx configuration:
Code:
proxy_set_header   X-Real-IP        $remote_addr;
proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

I thought creating a subdriver of Session_<driver>_driver was a good solution, but apparently not...

What is running and working on my dev server:

PHP Code:
<?php

require_once BASEPATH.'/libraries/Session/drivers/Session_files_driver.php';

class Session_tuto_driver extends CI_Session_files_driver implements SessionHandlerInterface
{
    public function open($save_path, $name)
    {
        $flag = parent::open($save_path, $name);

        if ($flag === true)
        {
            $CI =& get_instance();

            // Rebuild the session file path using the proxy-aware
            // ip_address() instead of $_SERVER['REMOTE_ADDR']
            $this->_file_path = $this->_config['save_path'].DIRECTORY_SEPARATOR
                .$name
                .($this->_config['match_ip'] ? md5($CI->input->ip_address()) : '');
        }

        return $flag;
    }
}



I know it's not a good solution but I want to understand and find a really good solution.


What are the best practices to use the real client IP and to make the session match_ip option work?
#2

I might be confused, as dealing with proxies isn't something I've had a whole lot of experience with, but I believe the Input class' ip_address function will already look through proxies for you. You just have to specify a whitelist of IP addresses in `config.php`:

Code:
$config['proxy_ips'] = '';

I believe this does what you need, doesn't it?
#3

(This post was last modified: 02-18-2016, 08:20 AM by remiheens.)

(02-18-2016, 08:16 AM)kilishan Wrote: I might be confused, as dealing with proxies isn't something I've had a whole lot of experience with, but I believe the Input class' ip_address function will already look through proxies for you. You just have to specify a whitelist of IP addresses in `config.php`:

Code:
$config['proxy_ips'] = '';

I believe this does what you need, doesn't it?

No, it doesn't, because in the Session drivers the client IP is obtained from $_SERVER['REMOTE_ADDR']:

PHP Code:
// libraries/Session/drivers/Session_files_driver.php L#129
$this->_file_path = $this->_config['save_path'].DIRECTORY_SEPARATOR
    .$name // we'll use the session cookie name as a prefix to avoid collisions
    .($this->_config['match_ip'] ? md5($_SERVER['REMOTE_ADDR']) : '');

I've already added my two proxy server IPs to the config file, and my app gets the real client IP in all functions/methods/etc., but only in the Session driver is the client IP 127.0.0.1.
#4

(This post was last modified: 02-18-2016, 08:54 AM by remiheens.)

OK, I've found a better solution. I think it's more of a "hack" than a solution, but it works.

I add this at the top of my index.php:
PHP Code:
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP']; 

HTTP_X_FORWARDED_FOR cannot be trusted because it's a concatenation of IPs provided in the HTTP request, and the client can set the value:
Code:
curl http://example.com/ -H 'X-Forwarded-For: <a-fake-ip>'
If you check, in CodeIgniter, the value of $this->input->ip_address() is the fake IP and not the real client IP.

HTTP_X_REAL_IP is created by the nginx configuration, and if it already exists it will be overwritten, so I can't trust the value, no?
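The index.php override above replaces REMOTE_ADDR with X-Real-IP unconditionally, which is only safe while nginx is the sole path to Apache; if Apache is ever reachable directly, that header is just client-supplied data. The thread also shows why the leftmost X-Forwarded-For entry cannot be used. The safer pattern is to trust forwarding headers only when the TCP peer is a known proxy and to walk X-Forwarded-For from the right, stripping trusted hops until the first untrusted address. The following is an added example written for this thread, not CodeIgniter's own code and not the poster's; the function names, the array form of the proxy list (CI's $config['proxy_ips'] is a string) and every IP address and $_SERVER array are constructed assumptions using RFC 5737 documentation ranges.

```php
<?php
// Added example, not CodeIgniter's or the poster's own code.
// All IP addresses and $_SERVER arrays below are constructed samples.

/**
 * Resolve the client IP, trusting forwarding headers only when the TCP
 * peer (REMOTE_ADDR) is one of the configured proxies.
 *
 * @param array    $server    a $_SERVER-like array
 * @param string[] $proxy_ips trusted proxy addresses (the idea behind $config['proxy_ips'])
 * @return string
 */
function client_ip(array $server, array $proxy_ips)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '0.0.0.0';

    // Direct connection: the peer is the client, and any X-Forwarded-For or
    // X-Real-IP it sent is untrusted request data, so it is ignored.
    if ( ! in_array($remote, $proxy_ips, TRUE) || empty($server['HTTP_X_FORWARDED_FOR']))
    {
        return $remote;
    }

    // Walk the chain from the right. Each trusted proxy appended the address
    // it saw ($proxy_add_x_forwarded_for does this), so the first address from
    // the right that is NOT a trusted proxy is the real client; everything to
    // its left came from the client itself and is discarded.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--)
    {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === FALSE)
        {
            return $remote; // malformed entry: fall back to the last trusted hop
        }
        if ( ! in_array($chain[$i], $proxy_ips, TRUE))
        {
            return $chain[$i];
        }
    }

    return $remote; // every hop was a trusted proxy
}

/**
 * Guarded version of the index.php override from the post above: REMOTE_ADDR
 * is replaced only when the request really came through a trusted proxy, so
 * a request reaching Apache directly cannot choose its own address. After
 * this, md5($_SERVER['REMOTE_ADDR']) in the session driver uses the client IP.
 */
function apply_trusted_remote_addr(array &$server, array $proxy_ips)
{
    $ip = client_ip($server, $proxy_ips);
    if ($ip !== $server['REMOTE_ADDR'])
    {
        $server['REMOTE_ADDR'] = $ip;
    }
}

// Constructed sample requests
$proxy_ips = array('127.0.0.1', '10.0.0.5');

$direct_spoofed = array(
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1',   // header sent by the client itself
);
$via_nginx = array(
    'REMOTE_ADDR'          => '127.0.0.1',       // nginx proxy_pass to Apache
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.10', // client-supplied entry, then nginx appended the real peer
    'HTTP_X_REAL_IP'       => '203.0.113.10',
);
$via_two_proxies = array(
    'REMOTE_ADDR'          => '127.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 10.0.0.5', // two trusted hops
);

var_dump(client_ip($direct_spoofed, $proxy_ips) === '203.0.113.10');  // spoofed header ignored
var_dump(client_ip($via_nginx, $proxy_ips) === '203.0.113.10');       // real client, not the spoofed left entry
var_dump(client_ip($via_two_proxies, $proxy_ips) === '203.0.113.10'); // chain of trusted hops stripped

apply_trusted_remote_addr($via_nginx, $proxy_ips);
var_dump($via_nginx['REMOTE_ADDR'] === '203.0.113.10');
```

Calling apply_trusted_remote_addr($_SERVER, $proxy_ips) at the top of index.php gives the same effect as the poster's one-liner for requests that arrived through nginx, while leaving REMOTE_ADDR alone for any connection that did not come from a listed proxy. Each var_dump prints bool(true) for the constructed inputs.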