From d4c23fe1b240cd4e36aad5691a6739828dc2d850 Mon Sep 17 00:00:00 2001
From: Contex
Date: Mon, 24 Mar 2014 19:59:59 +0100
Subject: [PATCH] Cloudflare IP forwarding when using getCurrentIP()

HTTP_X_FORWARDED_FOR doesn't always work with Cloudflare, HTTP_CF_CONNECTING_IP however does.
https://support.cloudflare.com/hc/en-us/articles/200170986-How-does-CloudFlare-handle-HTTP-Request-headers-
---
 public/include/classes/user.class.php | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 498ac584..e5d078aa 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -923,23 +923,28 @@ public function isAuthenticated($logout=true) {
 /**
 * Convenience function to get IP address, no params is the same as REMOTE_ADDR
- * @param trustremote bool must be FALSE to checkclient or checkforwarded
+ * @param trustremote bool must be FALSE to checkcloudflare, checkclient or checkforwarded
+ * @param checkcloudflare bool check HTTP_CF_CONNECTING_IP for a valid ip first
 * @param checkclient bool check HTTP_CLIENT_IP for a valid ip first
 * @param checkforwarded bool check HTTP_X_FORWARDED_FOR for a valid ip first
 * @return string IP address
 */
- public function getCurrentIP($trustremote=false, $checkclient=false, $checkforwarded=true) {
+ public function getCurrentIP($trustremote=false, $checkcloudflare=true, $checkclient=false, $checkforwarded=true) {
+ $cf = (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) ? $_SERVER['HTTP_CF_CONNECTING_IP'] : false;
 $client = (isset($_SERVER['HTTP_CLIENT_IP'])) ? $_SERVER['HTTP_CLIENT_IP'] : false;
 $fwd = (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : false;
 $remote = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : @$_SERVER['REMOTE_ADDR'];
 // shared internet
- if (filter_var($client, FILTER_VALIDATE_IP) && !$trustremote && $checkclient) {
+ if (!$trustremote && $checkcloudflare && filter_var($cf, FILTER_VALIDATE_IP)) {
+ // cloudflare
+ return $cf;
+ } else if (!$trustremote && $checkclient && filter_var($client, FILTER_VALIDATE_IP)) {
 return $client;
- } else if (strpos($fwd, ',') !== false && !$trustremote && $checkforwarded) {
+ } else if (!$trustremote && $checkforwarded && strpos($fwd, ',') !== false) {
 // multiple proxies
 $ips = explode(',', $fwd);
 return $ips[0];
- } else if (filter_var($fwd, FILTER_VALIDATE_IP) && !$trustremote && $checkforwarded) {
+ } else if (!$trustremote && $checkforwarded && filter_var($fwd, FILTER_VALIDATE_IP)) {
 // single
 return $fwd;
 } else {
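Review bot: The new first branch honours HTTP_CF_CONNECTING_IP by default (`$checkcloudflare=true`) without checking that the request actually arrived from a Cloudflare edge, so on any deployment not fronted by Cloudflare, or one whose origin is reachable directly, a client can send `CF-Connecting-IP: <anything>` and choose the address this method returns, which now takes precedence over every other source. X-Forwarded-For already had this weakness, but the change makes the spoofable path the default and the highest priority for every caller of getCurrentIP, presumably including whatever logs or rate-limits by IP. I would default the new flag off, `public function getCurrentIP($trustremote=false, $checkcloudflare=false, $checkclient=false, $checkforwarded=true) {`, and before `return $cf;` require that `$remote` falls within Cloudflare's published IP ranges (or a configured trusted-proxy list), with a comment such as `// CF-Connecting-IP is attacker-controlled unless the TCP peer is a Cloudflare edge; verify $remote first`. Consider also passing `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` to `filter_var` so a forged private or loopback address is not accepted. getCurrentIP's final else branch continues past the end of the hunk.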