On Fri, Nov 7, 2014 at 10:37 AM, Reindl Harald <[email protected]> wrote:
>
> On 07.11.2014 at 10:30, Thomas Bruederli wrote:
>>
>> Pretty good but please be aware that $_SERVER['REMOTE_ADDR'] doesn't
>> reflect the client IP if your webserver is behind a reverse proxy or
>> load balancer. There's rcube_utils::remote_addr() which extracts the
>> real client IP from the headers such intermediate systems add to the
>> request
>
>
> in a sane setup it does
> http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
>
> rcube_utils::remote_addr() is dangerous, the X-Forwarded-For is not
> trustable and hence "mod_remoteip" or for older Apache versions "mod_rpaf" -
> the important difference is that:
You're certainly right about this, but if you look at the implementation of remote_addr() you'll find that the X-Forwarded-For header is only considered if the request comes from a known proxy IP, which can be set with the 'proxy_whitelist' config option. For those not using mod_remoteip, this should do the job.

However, we should consider $_SERVER['REMOTE_IP'] in remote_addr() if available.

~Thomas

_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
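
The trusted-proxy rule discussed in this thread, written out as an added example (not Roundcube's rcube_utils::remote_addr() and not tied to its 'proxy_whitelist' option): X-Forwarded-For is consulted only when the TCP peer in REMOTE_ADDR is a listed proxy, and the chain is then walked from the right so that entries a client prepended are never reported. The function name and the sample requests are constructed for this example.

```php
<?php
// Added example, not Roundcube code. Resolve the client IP from a
// $_SERVER-style array, trusting X-Forwarded-For only when the TCP peer
// (REMOTE_ADDR) is one of our own proxies. Function name is hypothetical.

function resolve_client_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Request did not arrive via a known proxy: the header is under the
    // sender's control, so it must be ignored entirely.
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }

    // Each proxy appends on the right; a client can prepend anything on
    // the left. Walk from the right and skip our own proxies so the first
    // address we did not add ourselves is the one reported.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop and fall back to the peer address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Constructed requests, not captured traffic.
$proxies = ['10.0.0.5'];

// Direct connection with a forged header: the header is ignored.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
var_dump(resolve_client_ip($direct, $proxies) === '203.0.113.7'); // bool(true)

// Via the trusted proxy, with a client-prepended fake entry on the left.
$proxied = ['REMOTE_ADDR' => '10.0.0.5',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.23'];
var_dump(resolve_client_ip($proxied, $proxies) === '198.51.100.23'); // bool(true)
```

With mod_remoteip in front of the application, REMOTE_ADDR already holds the proxy-resolved client address and the trusted list is empty, so the function simply returns the peer.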
