Using real client ip behind a proxy in Session driver
Hi,
I'm creating a login library to manage sessions on my website. But I've seen that the drivers use $_SERVER['REMOTE_ADDR'], so when running CI behind a proxy (nginx proxy_pass to apache) $_SERVER['REMOTE_ADDR'] is always 127.0.0.1. So sess_match_ip doesn't work. I've created a PR on GitHub, but narfbg told me that it's a security flaw to trust an IP provided by the client, and I understand that. But in my case the IP was trusted because it was added to the HTTP header by the nginx configuration:

Code:
proxy_set_header X-Real-IP $remote_addr;

I think creating a subdriver of Session_<driver>_driver was a good solution, but apparently not... This is what is running and works on my dev server:

PHP Code:
<?php

I know it's not a good solution, but I want to understand and find a really good solution. What are the best practices to use the real client IP and to make the session match_ip option work?
I might be confused, as dealing with proxies isn't something I've had a whole lot of experience with, but I believe the Input class's ip_address function will already look through proxies for you. You just have to specify a whitelist of IP addresses in `config.php`:

Code:
$config['proxy_ips'] = '';

I believe this does what you need, doesn't it?

(02-18-2016, 08:16 AM)kilishan Wrote: I might be confused, as dealing with proxies isn't something I've had a whole lot of experience with, but I believe the Input class's ip_address function will already look through proxies for you. You just have to specify a whitelist of IP addresses in `config.php`:

No, it doesn't, because in the Session drivers the client IP is obtained from $_SERVER['REMOTE_ADDR']:

PHP Code:
// libraries/Session/drivers/Session_files_driver.php L#129

I've already added my two proxy server IPs to the config file, and my app gets the real client IP in all functions/methods/etc., but only in the Session driver is the client IP 127.0.0.1.
OK, I've found a better solution. I think it's more a "hack" than a solution, but it works.

I added this at the top of my index.php:

PHP Code:
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_REAL_IP'];

HTTP_X_FORWARDED_FOR cannot be trusted because it's a concatenation of IPs provided by the HTTP request, and the client can set the value.

Code:
curl http://example.com/ -H 'X-Forwarded-For: <a-fake-ip>'

HTTP_X_REAL_IP is created by the nginx configuration, and if it already exists it will be overwritten, so I can't trust the value, no?
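As an added example (not code from this thread or from CodeIgniter), here is a safer version of that index.php override: the forwarded header is only honoured when the TCP peer (REMOTE_ADDR) is one of a known list of proxy addresses, so a direct request carrying a forged X-Real-IP is ignored. It goes one step beyond the thread by also handling the X-Forwarded-For chain, walking it from the right and skipping trusted hops. The proxy list and the function name are assumptions.

```php
<?php
// Added example, not CodeIgniter's code. Place at the top of index.php.
// Assumes the reverse proxy sets X-Real-IP (nginx: proxy_set_header
// X-Real-IP $remote_addr) and that its address(es) are known.

/**
 * Return the client IP to store in $_SERVER['REMOTE_ADDR'].
 *
 * @param array    $server         copy of $_SERVER
 * @param string[] $trustedProxies addresses the proxy connects from
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection or unknown upstream: any X-Real-IP / X-Forwarded-For
    // header could have been written by the client, so keep the TCP peer.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // nginx replaces any client-supplied X-Real-IP, so it holds one address.
    // Still validate it: a header is never a guarantee of a well-formed IP.
    $real = $server['HTTP_X_REAL_IP'] ?? '';
    if (filter_var($real, FILTER_VALIDATE_IP) !== false) {
        return $real;
    }

    // Fallback for proxies that only set X-Forwarded-For ("client, p1, p2"):
    // walk from the right, skipping trusted hops; the first untrusted hop is
    // the client as seen by our outermost trusted proxy. Anything to its left
    // is client-controlled and is ignored.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break;
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote;
}

// Hypothetical proxy list; 127.0.0.1 matches the nginx -> apache setup above.
$trustedProxies = ['127.0.0.1'];
$_SERVER['REMOTE_ADDR'] = resolve_client_ip($_SERVER, $trustedProxies);
```

With this in place the Session driver's sess_match_ip check sees the address reported by the proxy, while a request that reaches Apache without passing through 127.0.0.1 keeps its real peer address regardless of any header it sends.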