On Fri, Nov 7, 2014 at 10:37 AM, Reindl Harald h.reindl@thelounge.net wrote:
Am 07.11.2014 um 10:30 schrieb Thomas Bruederli:
Pretty good but please be aware that $_SERVER['REMOTE_ADDR'] doesn't reflect the client IP if your webserver is behind a reverse proxy or load balancer. There's rcube_utils::remote_addr() which extracts the real client IP from the headers such intermediate systems add to the request
in a sane setup it does http://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
rcube_utils::remote_addr() is dangerous, the X-Forwarded-For is not trustable and hence "mod_remoteip" or for older Apache versions "mod_rpaf" - the important difference is that:
You're certainly right about this but if you look at the implementation of remote_addr() you'll find that the X-Forwarded-For header is only considered if the request comes from a known proxy IP which can be set with the 'proxy_whitelist' config option. For those not using mod_remoteip, this should do the job.
However, we should consider $_SERVER['REMOTE_IP'] in remote_addr() if available.
~Thomas