[core] trust x-forwarded-for from trusted proxies, see #800

This commit is contained in:
Shish 2024-01-04 14:50:36 +00:00
parent 502d50c57d
commit c5395df243
3 changed files with 27 additions and 15 deletions

View file

@ -37,4 +37,4 @@ _d("EXTRA_EXTS", ""); // string optional extra extensions
_d("BASE_HREF", null); // string force a specific base URL (default is auto-detect)
_d("TRACE_FILE", null); // string file to log performance data into
_d("TRACE_THRESHOLD", 0.0); // float log pages which take more time than this many seconds
_d("REVERSE_PROXY_X_HEADERS", false); // boolean get request IPs from "X-Real-IP" and protocol from "X-Forwarded-Proto" HTTP headers
_d("TRUSTED_PROXIES", []); // array trust "X-Real-IP" / "X-Forwarded-For" / "X-Forwarded-Proto" headers from these IP ranges

View file

@ -54,7 +54,7 @@ function contact_link(): ?string
function is_https_enabled(): bool
{
// check forwarded protocol
if (REVERSE_PROXY_X_HEADERS && !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
if (is_trusted_proxy() && !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
$_SERVER['HTTPS'] = 'on';
}
return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
@ -148,25 +148,37 @@ function check_im_version(): int
return (empty($convert_check) ? 0 : 1);
}
/**
* Get request IP
*/
function get_remote_addr()
function is_trusted_proxy(): bool
{
return $_SERVER['REMOTE_ADDR'];
$ra = $_SERVER['REMOTE_ADDR'] ?? "0.0.0.0";
foreach(TRUSTED_PROXIES as $proxy) {
if(ip_in_range($ra, $proxy)) {
return true;
}
}
return false;
}
/**
* Get real IP if behind a reverse proxy
*/
function get_real_ip()
{
$ip = get_remote_addr();
if (REVERSE_PROXY_X_HEADERS && isset($_SERVER['HTTP_X_REAL_IP'])) {
$ip = $_SERVER['REMOTE_ADDR'];
if(is_trusted_proxy()) {
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
if(filter_var($ip, FILTER_VALIDATE_IP)) {
$ip = $_SERVER['HTTP_X_REAL_IP'];
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
$ip = "0.0.0.0";
}
}
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
$last_ip = $ips[count($ips) - 1];
if(filter_var($last_ip, FILTER_VALIDATE_IP)) {
$ip = $last_ip;
}
}
}

View file

@ -21,4 +21,4 @@ define("TIMEZONE", 'UTC');
define("BASE_HREF", "/test");
define("CLI_LOG_LEVEL", 50);
define("STATSD_HOST", null);
define("REVERSE_PROXY_X_HEADERS", false);
define("TRUSTED_PROXIES", []);