Merge pull request #628 in ZP/z-push from...

Merge pull request #628 in ZP/z-push from feature/ZP-1183-use-custom-header-for-remote-ip-e.g-http_x_real_ip to develop * commit '7fe3667b': ZP-1183 Use a configurable header for remote ip.

Merge pull request #628 in ZP/z-push from...
Merge pull request #628 in ZP/z-push from feature/ZP-1183-use-custom-header-for-remote-ip-e.g-http_x_real_ip to develop * commit '7fe3667b': ZP-1183 Use a configurable header for remote ip.
4c151aac · Sebastian Kummer · a715c67b · 7fe3667b · 4c151aac · 4c151aac
Commit 4c151aac authored Nov 30, 2017 by Sebastian Kummer
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 7 deletions

config.php src/config.php +6 -2

zpush.php src/lib/core/zpush.php +4 -0

request.php src/lib/request/request.php +5 -5

No files found.
--- a/src/config.php
+++ b/src/config.php
@@ -35,8 +35,12 @@
    // Try to set unlimited timeout
    define('SCRIPT_TIMEOUT', 0);

-    // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
-    define('USE_X_FORWARDED_FOR_HEADER', false);
+    // Use a custom header to determinate the remote IP of a client.
+    // By default, the server provided REMOTE_ADDR is used. If the header here set
+    // is available, the provided value will be used, else REMOTE_ADDR is maintained.
+    // set to false to disable this behaviour.
+    // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
+    define('USE_CUSTOM_REMOTE_IP_HEADER', 'HTTP_X_REAL_IP');

    // When using client certificates, we can check if the login sent matches the owner of the certificate.
    // This setting specifies the owner parameter in the certificate to look at.

--- a/src/lib/core/zpush.php
+++ b/src/lib/core/zpush.php
@@ -285,6 +285,10 @@ class ZPush {
                throw new FatalMisconfigurationException(sprintf("Your policies' configuration file doesn't contain the required [default] section. Please check the '%s' file.", $policyfile));
            }
        }
+
+        if (defined('USE_X_FORWARDED_FOR_HEADER')) {
+            ZLog::Write(LOGLEVEL_INFO, "The configuration parameter 'USE_X_FORWARDED_FOR_HEADER' was deprecated in favor of 'USE_CUSTOM_REMOTE_IP_HEADER'. Please update your configuration.");
+        }
        return true;
    }


--- a/src/lib/request/request.php
+++ b/src/lib/request/request.php
@@ -243,11 +243,11 @@ class Request {
            }
        }

-        if (defined('USE_X_FORWARDED_FOR_HEADER') && USE_X_FORWARDED_FOR_HEADER == true && isset(self::$headers["x-forwarded-for"])) {
-            $forwardedIP = self::filterIP(self::$headers["x-forwarded-for"]);
-            if ($forwardedIP) {
-                ZLog::Write(LOGLEVEL_DEBUG, sprintf("'X-Forwarded-for' indicates remote IP: %s - connect is coming from IP: %s", $forwardedIP, self::$remoteAddr));
-                self::$remoteAddr = $forwardedIP;
+        if (defined('USE_CUSTOM_REMOTE_IP_HEADER') && USE_CUSTOM_REMOTE_IP_HEADER !== false && isset(self::$headers[strtolower(USE_CUSTOM_REMOTE_IP_HEADER)])) {
+            $remoteIP = self::filterIP(self::$headers[strtolower(USE_CUSTOM_REMOTE_IP_HEADER)]);
+            if ($remoteIP) {
+                ZLog::Write(LOGLEVEL_DEBUG, sprintf("Using custom header '%s' to determine remote IP: %s - connect is coming from IP: %s", USE_CUSTOM_REMOTE_IP_HEADER, $remoteIP, self::$remoteAddr));
+                self::$remoteAddr = $remoteIP;
            }
        }