Matus UHLAR - fantomas wrote:
>> Mehmet ÇELiK wrote:
>>>> In your vBulletin includes/init.php file change "define('IPADDRESS',
>>>> $_SERVER['REMOTE_ADDR']);" to "define('IPADDRESS',
>>>> $_SERVER['HTTP_X_FORWARDED_FOR']);".
>>>>
>>> No. I don't this. Because, this is not right method..
>
> On 09.01.09 22:40, Amos Jeffries wrote:
>> In my PHP-apps I do the equivalent of this:
>>
>> if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
>> define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
>> else
>> define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
>
> Is that working? Afaik, x-forwarded-for may contain more IP addresses, where
> not all of them may be trusted. I think that proper validator should have
> list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR
> until untrusted IP is found (the same way as squid's follow_x_forwarded_for
> directive does).
>
> If anyone has such PHP, please paste a link. I think that could be used in
> many other PHP applications (and I'd post that to horde people)
This is one I have linked for signups. Goes a little further than
trusting the XFF and assuming only one proxy is in use.
Copes with both IPv4 and IPv6.
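<?php
// Returns the last address listed in X-Forwarded-For (or REMOTE_ADDR when the
// header is absent), or "" if any entry contains nothing that looks like an IP.
function userIP()
{
    // $_SERVER is a superglobal, so no "global" declaration is needed.
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        $base = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else
        $base = $_SERVER['REMOTE_ADDR'];
    $ip = "";
    // ereg() was removed in PHP 7; preg_match() with the same pattern replaces it.
    // The pattern is unanchored: it picks the first address-like substring of each entry.
    $pattern = '/((([0-9]{1,3}\.){3}([0-9]{1,3}))|([0-9a-f]{0,4}:(([0-9a-f]{1,4}:){0,6}|:)[0-9a-f]{0,4}))/';
    foreach (explode(",", $base) as $key => $val) {
        $bits = array();
        if (!preg_match($pattern, $val, $bits))
        {
            return ""; // BAD IP.
        }
        // TODO some test to see if its an acceptable IP.
        // return ""; if its not good.
        $ip = $bits[1]; // overwritten on each pass, so the last entry wins
    }
    return $ip;
}
?>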
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
  Current Beta Squid 3.1.0.3

Received on Fri Jan 09 2009 - 10:56:21 MST
This archive was generated by hypermail 2.2.0 : Fri Jan 09 2009 - 12:00:02 MST
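
The validator asked for earlier in the thread (start at REMOTE_ADDR and follow X-Forwarded-For backwards until an address outside the trusted networks is found, as squid's follow_x_forwarded_for does), as an added example that is not code from any poster in this thread. The function names, the trusted ranges and the sample request are constructed for illustration.

```php
<?php
// Added example: function names, proxy ranges and addresses are constructed.

// True if $ip (IPv4 or IPv6) lies inside $cidr, e.g. "10.0.0.0/8".
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                       // unparsable, or IPv4 compared with IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = ($bits === null) ? $max : max(0, min($max, (int) $bits));
    $full = intdiv($bits, 8);               // whole bytes that must match
    $rest = $bits % 8;                      // leftover bits in the next byte
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return strncmp($ipBin, $netBin, $full) === 0
        && ($rest === 0 || ((ord($ipBin[$full]) ^ ord($netBin[$full])) & $mask) === 0);
}

// Start at the TCP peer and walk X-Forwarded-For right to left; keep going
// only while the current address is one of our own proxies.
function clientIP(array $server, array $trustedCidrs): string
{
    $isTrusted = fn (string $ip): bool =>
        (bool) array_filter($trustedCidrs, fn ($cidr) => ipInCidr($ip, $cidr));
    $ip   = $server['REMOTE_ADDR'] ?? '';
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    while ($hops && $isTrusted($ip)) {
        $next = array_pop($hops);
        if (filter_var($next, FILTER_VALIDATE_IP) === false) {
            break;                          // malformed entry: keep the last verified hop
        }
        $ip = $next;
    }
    return $ip;
}

// Constructed request: two of our proxies in front, first XFF entry supplied by the client.
$trusted = ['127.0.0.1/32', '10.0.0.0/8', '2001:db8:1::/48'];
$request = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 203.0.113.9, 10.0.0.8'];
echo clientIP($request, $trusted), "\n";
```

Entries to the left of the first untrusted address are never consulted, because whoever sent the request could have written them.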