Webserver behind proxy?

[addison74]

My webserver is behind a proxy server. In this case REMOTE_ADDR is proxy server IP not visitor's IP. I checked you code which is pretty basic. In my case X_FORWARD_FOR keeps the real visitor's IP address. In the code bellow do I have to change both REMOTE_ADDR values to X_FORWARD_FOR? I did that and it is working as expected but I would like to know your opinion.

Thank you.

<?php

/**
  * Plugin to add imap id
  *
  * @version 1.0
  * @author Cor Bosman
  */

class dovecot_ident extends rcube_plugin 
{

  function init()
  {
    $this->add_hook('storage_connect', array($this, 'add_ident'));
  }

  function add_ident($args)
  {
    $args['ident'] = $args['ident'] ? array_merge($args['ident'], array('x-originating-ip' => $_SERVER['REMOTE_ADDR']))
                                    : array('x-originating-ip' => $_SERVER['REMOTE_ADDR']);
    return $args;
  }
}

?>

[xkill]

Hi,

I added the following code:

  function add_ident($args)
  {
        if(isset($_SERVER['HTTP_X_REAL_IP'])){
                $REAL_CLIENT_IP = $_SERVER['HTTP_X_REAL_IP'];
        } else {
                $REAL_CLIENT_IP = $_SERVER['REMOTE_ADDR'];
        }

    $args['ident'] = $args['ident'] ? array_merge($args['ident'], array('x-originating-ip' => $REAL_CLIENT_IP))
                                                                        : array('x-originating-ip' => $REAL_CLIENT_IP);
    return $args;
  }

[micw]

@xkill that could be a bad idea because you trust the header provided by the proxy or client. you should use https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_utils.php#L682 which honors the proxy_whitelist config.

[micw]

Here's an updated version:

<?php

/**
  * Plugin to add imap id
  *
  * @version 1.0
  * @author Cor Bosman
  */

class dovecot_ident extends rcube_plugin 
{

  function init()
  {
    $this->add_hook('storage_connect', array($this, 'add_ident'));
  }

  // copy of rcube_utils::remote_addr until https://github.com/roundcube/roundcubemail/issues/7107 is fixed
  function remote_addr()
    {
        // Check if any of the headers are set first to improve performance
        if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) || !empty($_SERVER['HTTP_X_REAL_IP'])) {
            $proxy_whitelist = rcube::get_instance()->config->get('proxy_whitelist', array());
            if (in_array($_SERVER['REMOTE_ADDR'], $proxy_whitelist)) {
                if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                    foreach (array_reverse(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])) as $forwarded_ip) {
                        $forwarded_ip=trim($forwarded_ip);
                        if (!in_array($forwarded_ip, $proxy_whitelist)) {
                            return $forwarded_ip;
                        }
                    }
                }
                if (!empty($_SERVER['HTTP_X_REAL_IP'])) {
                    return $_SERVER['HTTP_X_REAL_IP'];
                }
            }
        }
        if (!empty($_SERVER['REMOTE_ADDR'])) {
            return $_SERVER['REMOTE_ADDR'];
        }
        return '';
    }

  function add_ident($args)
  {
    $args['ident'] = $args['ident'] ? array_merge($args['ident'], array('x-originating-ip' => $this->remote_addr()))
                                                                        : array('x-originating-ip' => $this->remote_addr());
    return $args;
  }
}

?>