Re: [squid-users] HTTP Header

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 09 Jan 2009 23:54:42 +1300

Matus UHLAR - fantomas wrote:
>> Mehmet ÇELiK wrote:
>>>> In your vBulletin includes/init.php file change "define('IPADDRESS',
>>>> $_SERVER['REMOTE_ADDR']);" to "define('IPADDRESS',
>>>> $_SERVER['HTTP_X_FORWARDED_FOR']);".
>>>>
>>> No. I don't this. Because, this is not right method..
>
> On 09.01.09 22:40, Amos Jeffries wrote:
>> In my PHP-apps I do the equivalent of this:
>>
>> if ($trust_XFF && $_SERVER['HTTP_X_FORWARDED_FOR'])
>> define('IPADDRESS', $_SERVER['HTTP_X_FORWARDED_FOR']);
>> else
>> define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
>
> Is that working? Afaik, x-forwarded-for may contain more IP addresses, where
> not all of them may be trusted. I think that proper validator should have
> list of (un)trusted networks and match REMOTE_ADDR and HTTP_X_FORWARDED_FOR
> until untrusted IP is found (the same waty as squid's follow_x_forwarded_for
> directive does.
>
> If anyone have such PHP, please paste a link. I think that could be used in
> many other PHP applications (and I'd post that to horde people)

This is one I have linked for signups. Goes a little further than
trusting the XFF and assuming only one proxy is in use.

Copes with both IPv4 and IPv6.

<?php
function userIP()
{
         global $_SERVER;
         if($_SERVER['HTTP_X_FORWARDED_FOR'])
                 $base = $_SERVER['HTTP_X_FORWARDED_FOR'];
         else
                 $base = $_SERVER['REMOTE_ADDR'];

         $ip="";

         foreach( explode(",",$base) as $key => $val) {
                 $bits="";
 
if(!ereg("((([0-9]{1,3}\.){3}([0-9]{1,3}))|([0-9a-f]{0,4}:(([0-9a-f]{1,4}:){0,6}|:)[0-9a-f]{0,4}))",$val,
$bits))
                 {
                         return ""; // BAD IP.
                 }

                 // TODO some test to see if its an acceptable IP.
                 // return ""; if its not good.

                 $ip = $bits[1];
         }
         return $ip;
}
?>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
Received on Fri Jan 09 2009 - 10:56:21 MST

This archive was generated by hypermail 2.2.0 : Fri Jan 09 2009 - 12:00:02 MST